Step 1: Enable Group Policy Auditing
- Launch 'Server Manager' and open the Group Policy Management Console (GPMC).
- In the left pane, expand the 'Forest' and 'Domains' nodes to reveal the domain you want to track changes for.
- Expand the domain and right-click 'Default Domain Policy'. You can also choose a domain policy that is universal throughout the domain, or create a new GPO and link it to the Default Domain Policy.
- Click 'Edit' on the desired group policy to open the Group Policy Management Editor.
- Expand 'Computer Configuration' --> Policies --> Windows Settings --> Administrative Templates --> System --> Removable Storage Access.
- Double-click the All Removable Storage classes: Deny all access policy.
- Select Enabled and click OK.
1. Close the Group Policy Editor.
2. Restart the computer to apply the changes.
2. Disable USB Drives in Registry Editor
This method works in all editions of Windows 10, and it disconnects only USB drives, without affecting the mouse, keyboard, and printer connected via USB. Before editing the registry, it is recommended to create a system restore point.
Open the Windows Registry Editor: in the search bar or in the Run dialog (opened with the Win + R keys), enter the regedit command and press the Enter key.
How to use a Group Policy Object to block access to USB storage devices
In the modern workplace, just about every member of staff owns and uses at least one USB storage device. (In this article, “USB storage device” refers to any USB device that can store data, including, but not limited to, flash drives, external hard drives, smartphones, tablets, portable gaming devices, cameras and MP3 players).
However, the portability and widespread adoption of USB storage devices pose a significant security threat. For example, an employee could inadvertently connect an infected device to an endpoint, which may result in malware spreading to the company’s network. Alternatively, USB storage devices may be used to exfiltrate sensitive information or install unauthorized applications, which could lead to further security concerns.
Thankfully, Microsoft has made it relatively simple to block the use of unauthorized USB storage devices. In this article, we’ll show you the exact steps to disable USB storage devices using a Group Policy Object (GPO).
Note: To restrict access to external drives with a GPO, you need to be running Windows Server 2008 (or newer); on desktops, you need Windows Vista or newer. Older versions of Windows and Windows Server will need to use third-party tools to block access to external media, which are not covered in this article.
Apply a GPO to an organizational unit
- Open the Group Policy Management Console (gpmc.msc).
- Right-click on the organizational unit (OU) you want to apply the policy to and click Create a GPO in this domain, and Link it here.
- Enter a name for the policy (e.g. Block USB Devices) and click OK.
- In the Linked Group Policy Objects tab, right-click the policy you created in Step 4 and click Edit.
- Navigate through the console tree to Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access.
- In the Removable Storage Access section, you’ll find a number of policies for a variety of storage devices. Policies include:
  - CD and DVD: Deny execute access.
  - CD and DVD: Deny read access.
  - CD and DVD: Deny write access.
  - Custom Classes: Deny read access.
  - Custom Classes: Deny write access.
  - Floppy Drives: Deny execute access.
  - Floppy Drives: Deny read access.
  - Floppy Drives: Deny write access.
  - Removable Disks: Deny execute access.
  - Removable Disks: Deny read access.
  - Removable Disks: Deny write access.
  - All Removable Storage classes: Deny all access.
  - All Removable Storage: Allow direct access in remote sessions.
  - Tape Drives: Deny execute access.
  - Tape Drives: Deny read access.
  - Tape Drives: Deny write access.
  - WPD Devices: Deny read access.
  - WPD Devices: Deny write access.
- To deny access to all storage devices, double click All Removable Storage classes: Deny all access, tick Enabled and click OK. Once this policy is enabled, the system will detect when a USB storage device is connected and display an error message stating that the drive is not accessible and access is denied.
Apply a GPO to specific users
In the previous section, we blocked access to all removable media for all users within the selected OU. However, there are often situations where you’ll want to apply a GPO only to a specific group or groups. To do so:
- Open the Group Policy Management Console.
- In the navigation pane, find and select the GPO.
- Click the Delegation tab.
- Click Advanced.
- Select Authenticated Users.
- Scroll down to the Apply group policy permission and untick Allow.
- Click Add, enter the name of the group you wish to apply the policy to and click OK.
- Select the group you added in Step 7, scroll down the permission list to Apply group policy and tick Allow. The GPO will now only be applied to users who are in this group.
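The GPMC steps from the two sections above (create and link the GPO, enable All Removable Storage classes: Deny all access, then filter it to one group) can also be scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original article; the OU path and group name are placeholders, and because the setting sits under Computer Configuration, the example assumes the group contains the computer accounts the policy should reach.

```powershell
# Added example: run on a machine with RSAT / the GroupPolicy module installed.
Import-Module GroupPolicy

$GpoName  = 'Block USB Devices'                  # policy name used in the article
$TargetOU = 'OU=Workstations,DC=example,DC=com'  # placeholder OU distinguished name
$Group    = 'USB-Restricted-Computers'           # placeholder group of computer accounts

# Create the GPO and link it to the OU
# (GPMC: "Create a GPO in this domain, and Link it here").
New-GPO -Name $GpoName -Comment 'Deny all access to removable storage' | Out-Null
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null

# "All Removable Storage classes: Deny all access" set to Enabled is stored
# as the DWORD value Deny_All = 1 under this policy key.
$Key = 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices'
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'Deny_All' `
    -Type DWord -Value 1 | Out-Null

# Security filtering: Authenticated Users keep Read but lose Apply
# (the "untick Allow" step); the chosen group gets Read + Apply.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $Group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Review what was configured: the policy value and who can apply the GPO.
Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'Deny_All'
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
```

On a targeted endpoint, `gpresult /r /scope computer` after a policy refresh shows whether the GPO was applied or filtered out.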
Exempt a group from a GPO
In other situations, you may wish to apply a GPO to an OU but still allow certain users (such as administrators) to be able to access USB storage devices. To do so:
- Open the Group Policy Management Console.
- In the navigation pane, find and select the GPO.
- Click the Delegation tab.
- Click Advanced.
- Click Add, enter the name of the group you wish to exempt from the policy and click OK.
- Select the group you added in Step 5, scroll down to the Apply group policy permission and tick Deny.
- Click OK, and then click Yes if prompted by the Windows Security dialog box. The GPO will now not apply to users in this group.