How to use a Group Policy Object to block access to USB storage devices
Quote:

In the modern workplace, just about every member of staff owns and uses at least one USB storage device. (In this article, “USB storage device” refers to any USB device that can store data, including, but not limited to, flash drives, external hard drives, smartphones, tablets, portable gaming devices, cameras and MP3 players.)

However, the portability and widespread adoption of USB storage devices pose a significant security threat. For example, an employee could inadvertently connect an infected device to an endpoint, which may result in malware spreading to the company’s network. Alternatively, USB storage devices may be used to exfiltrate sensitive information or install unauthorized applications, which could lead to further security concerns.

Thankfully, Microsoft has made it relatively simple to block the use of unauthorized USB storage devices. In this article, we’ll show you the exact steps to disable USB storage devices using a Group Policy Object (GPO).

Note: To restrict access to external drives with a GPO, you need to be running Windows Server 2008 (or newer); on desktops, you need Windows Vista or newer. Older versions of Windows and Windows Server will need to use third-party tools to block access to external media, which are not covered in this article. All servers must be operating as a domain controller and clients must be part of the same Active Directory domain for the policy to take effect.

Apply a GPO to an organizational unit

1. Open the Group Policy Management Console (gpmc.msc).
2. Right-click on the organizational unit (OU) you want to apply the policy to and click Create a GPO in this domain, and Link it here.
3. Enter a name for the policy (e.g. Block USB Devices) and click OK.
4. In the Linked Group Policy Objects tab, right-click the policy you created in Step 4 and click Edit.

[Image: gpo-1-step-4.png]

5. Navigate through the console tree to Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access.

6. In the Removable Storage Access section, you’ll find a number of policies for a variety of storage devices. Policies include:

* CD and DVD: Deny execute access.
* CD and DVD: Deny read access.
* CD and DVD: Deny write access.
* Custom Classes: Deny read access.
* Custom Classes: Deny write access.
* Floppy Drives: Deny execute access.
* Floppy Drives: Deny read access.
* Floppy Drives: Deny write access.
* Removable Disks: Deny execute access.
* Removable Disks: Deny read access.
* Removable Disks: Deny write access.
* All Removable Storage classes: Deny all access.
* All Removable Storage: Allow direct access in remote sessions.
* Tape Drives: Deny execute access.
* Tape Drives: Deny read access.
* Tape Drives: Deny write access.
* WPD Devices: Deny read access.
* WPD Devices: Deny write access.

7. To deny access to all storage devices, double-click All Removable Storage classes: Deny all access, tick Enabled and click OK. Once this policy is enabled, the system will detect when a USB storage device is connected and display an error message stating that the drive is not accessible and access is denied.

[Image: gpo-1-step-7.png]
...
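
Steps 1 to 7 above can also be scripted with the GroupPolicy PowerShell module and then verified on a client. This is an added example, not part of the quoted article: the OU distinguished name is a placeholder, the function name is hypothetical, and the registry key and `Deny_All` value are the ones this policy setting writes (an assumption not stated in the article).

```powershell
# Added example: scripted form of steps 1-7, plus a client-side check.
# Run the first part on a domain controller or an admin host with RSAT installed.
Import-Module GroupPolicy

$GpoName  = 'Block USB Devices'                    # policy name used in step 3
$TargetOu = 'OU=Workstations,DC=example,DC=com'    # placeholder OU: replace with yours
$PolKey   = 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices'

# Steps 2-3: create the GPO only if it does not exist yet
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Deny all removable storage access'
}

# Step 2: link it to the OU unless a link is already present
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Step 7: "All Removable Storage classes: Deny all access" = Enabled
Set-GPRegistryValue -Name $GpoName -Key $PolKey -ValueName 'Deny_All' `
    -Type DWord -Value 1 | Out-Null

# Show what the GPO now contains so the change can be reviewed
Get-GPRegistryValue -Name $GpoName -Key $PolKey |
    Select-Object FullKeyPath, ValueName, Value

# Client-side check (hypothetical helper): run on an endpoint in the OU.
# Returns $true only when the computer policy is present and enabled.
function Test-RemovableStorageDenyAll {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $val = Get-ItemProperty -Path $key -Name 'Deny_All' -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.Deny_All -eq 1)
}

# Report endpoints where the setting has not landed, e.g. from a login script
if (-not (Test-RemovableStorageDenyAll)) {
    Write-Warning "$env:COMPUTERNAME: removable storage deny-all policy not applied"
}
```

Run `gpupdate /force` on the client before calling `Test-RemovableStorageDenyAll`, so the check reflects the refreshed computer policy.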