Sunday, July 31, 2016

Disable USB Storage via GPO

The use of USB devices (flash drives, USB HDDs, SD cards and so on) is often disabled for security reasons, to prevent data leakage and malware infection. This article explains how to disable the use of external USB drives, prevent writing to them, or block running executable files from them using Group Policy (GPO).
The USB device policy will work if the infrastructure meets these requirements:
1. Active Directory schema version: Windows Server 2008 or higher
Note. The set of policies that control the installation and use of removable drives first appeared in this AD schema version.
2. Client OS: Windows Vista, Windows 7 or higher
We are going to restrict the use of USB drives for all computers in a certain container (OU). Let's assume that we want to apply the policy to the OU named Workstations. To do it, open the Group Policy Management console (gpmc.msc), right-click the Workstations OU and create a new policy (Create a GPO in this domain and Link it here).
Tip. On a stand-alone computer, the USB port usage restriction policy can be edited with the Local Group Policy Editor (gpedit.msc).

Name the policy “Disable USB Access”.

After that, open the policy for editing (Edit).

The settings that restrict external devices are located in both the user and the computer sections of the GPO:
1. User Configuration -> Policies -> Administrative Templates -> System -> Removable Storage Access
2. Computer Configuration -> Policies -> Administrative Templates -> System -> Removable Storage Access
In our case we want to disable USB drives at the computer level, so we need the second section. Expand it.
The Removable Storage Access section contains policies that disable the use of different types of storage devices: CD/DVDs, floppy drives, USB devices, tape drives and so on.
The "strongest" lockout policy, All Removable Storage Classes: Deny All Access, denies access to all types of external storage devices. To turn the policy on, open it and select Enabled.

After the policy is enabled and refreshed on the client computers (run gpupdate /force from a command prompt), the system still detects external devices when they are connected, but returns the following error message when you try to open them:

Location is not available
Drive is not accessible. Access is denied

Tip. The same restriction can be set through the registry by creating a DWORD value named Deny_All with the data 00000001 under the HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices key.
In this policy section, more granular restrictions on external USB drives can also be configured.
For example, to prevent writing to USB flash drives and disks, enable only the policy Removable Disks: Deny write access.

In this case, users will be able to read the data stored on a USB flash drive, but if they try to write anything to it the following error message appears:

Destination Folder Access Denied
You need permission to perform this action

You can also block running executable and script files stored on USB drives using the Removable Disks: Deny execute access policy.
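The following PowerShell script is an added example, not part of the original article: it reports which of the three restrictions discussed above (Deny All, Deny write, Deny execute) are in force on an endpoint by reading the registry values the GPO settings write, and can apply the computer-level Deny_All value directly for a stand-alone machine. It assumes an elevated session, the machine-scope path under HKLM (the computer-level counterpart of the HKEY_CURRENT_USER path in the tip above), and that the Removable Disks class key is the GUID shown.

```powershell
# Added example (not from the original article). Audit and apply the
# removable-storage restrictions via the registry values behind the GPO.
# Assumption: {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} is the Removable
# Disks class key used by the per-class Deny write / Deny execute policies.
$RemovableDisksGuid = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RemovableStoragePolicy {
    # One row per scope: HKLM = Computer Configuration, HKCU = User Configuration.
    foreach ($scope in 'HKLM', 'HKCU') {
        $base = "${scope}:\Software\Policies\Microsoft\Windows\RemovableStorageDevices"
        $all  = (Get-ItemProperty -Path $base -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
        $disk = Get-ItemProperty -Path "$base\$RemovableDisksGuid" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Scope       = $scope
            DenyAll     = ($all -eq 1)
            DenyWrite   = ($disk.Deny_Write -eq 1)
            DenyExecute = ($disk.Deny_Execute -eq 1)
        }
    }
}

function Set-RemovableStorageDenyAll {
    # Computer-level equivalent of "All Removable Storage Classes: Deny All Access".
    # -Enabled:$false removes the value again (policy not configured).
    param([bool]$Enabled = $true)
    $key = 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    if ($Enabled) {
        New-ItemProperty -Path $key -Name Deny_All -PropertyType DWord -Value 1 -Force | Out-Null
    } else {
        Remove-ItemProperty -Path $key -Name Deny_All -ErrorAction SilentlyContinue
    }
}

# Usage: run before and after gpupdate /force to confirm the GPO landed.
Get-RemovableStoragePolicy | Format-Table -AutoSize
```

A domain-joined machine should be audited rather than edited with Set-RemovableStorageDenyAll, since the next policy refresh overwrites manual registry changes with the GPO's values.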
