After a new USB device is connected to a computer, the system automatically detects it and installs a suitable driver, so the user can work with the USB device or drive almost immediately. In some organizations the use of USB devices (flash drives, USB HDDs, SD cards and so on) is disabled for security reasons, to prevent data leakage and malware infection. This article explains how to disable the use of external USB drives, prevent writing to them, or prevent running executable files from them using Group Policy (GPO).
The USB device policies described here work only if the infrastructure meets these requirements:
- Active Directory schema version: Windows Server 2008 or higher. Note: the set of policies that controls the installation and use of removable drives first appeared in this AD schema version.
- Client OS: Windows Vista, Windows 7 or higher
We are going to restrict the use of USB drives for all computers in a certain container (OU). Let’s assume that we want to apply the policy to the OU named Workstations. To do this, open the Group Policy Management console (gpmc.msc), right-click the Workstations OU and create a new policy (Create a GPO in this domain, and Link it here).
Name the policy “Disable USB Access”.
After that, edit its parameters (Edit).
The settings that restrict external devices are located in both the user and the computer sections of the GPO:
- User Configuration -> Policies -> Administrative Templates -> System -> Removable Storage Access
- Computer Configuration -> Policies -> Administrative Templates -> System -> Removable Storage Access
In our case, we want to disable USB-drives on the computer level so we need the second section. Expand it.
The Removable Storage Access section contains several policies that let you turn off the use of different types of storage devices: CD/DVD drives, floppy drives (FDD), USB devices, tapes and so on.
The “strongest” lockout policy, All Removable Storage classes: Deny all access, denies access to all types of external storage devices. To turn the policy on, open it and select Enabled.
After enabling the policy and updating it on the client computers (gpupdate /force), the system still detects external devices when they are connected, but returns the following error message when a user tries to open them:
Drive is not accessible. Access is denied
This policy section also allows more granular restrictions on the use of external USB drives.
For example, to prevent writing to USB flash drives and disks, you only need to enable the policy Removable Disks: Deny write access.
In this case, users will be able to read the data stored on a USB flash drive, but if they try to write any information to it, the following error message will appear:
You need permission to perform this action
You can also prevent executable and script files stored on USB drives from running by using the Removable Disks: Deny execute access policy.
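The same procedure, scripted with the RSAT GroupPolicy module, as an added example that is not part of the original article. It creates and links the GPO, writes the registry-based values behind the Removable Storage Access settings, and provides a check to read back what actually applied on a client. The OU distinguished name is a placeholder; the script assumes the module is installed and the account may create and link GPOs.

```powershell
# Added example: build the "Disable USB Access" GPO with the GroupPolicy module
# and set the same policy registry values that the GPO editor writes.
Import-Module GroupPolicy

$GpoName  = 'Disable USB Access'
$TargetOU = 'OU=Workstations,DC=example,DC=com'   # placeholder: use your own OU DN

# Policy registry base for Computer Configuration > Administrative Templates >
# System > Removable Storage Access. {53f5630d-...} is the "Removable Disks" class.
$Base   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemDsk = "$Base\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"

# Create the GPO once and link it to the OU (skipped if it already exists).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Restrict removable USB storage'
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Choose ONE mode: 'DenyAll' = "All Removable Storage classes: Deny all access";
# 'ReadOnly' = "Removable Disks: Deny write access" + "Deny execute access".
$Mode = 'ReadOnly'

switch ($Mode) {
    'DenyAll' {
        Set-GPRegistryValue -Name $GpoName -Key $Base -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null
    }
    'ReadOnly' {
        # Reads stay allowed; writes and execution from removable disks are blocked.
        Set-GPRegistryValue -Name $GpoName -Key $RemDsk -ValueName 'Deny_Write'   -Type DWord -Value 1 | Out-Null
        Set-GPRegistryValue -Name $GpoName -Key $RemDsk -ValueName 'Deny_Execute' -Type DWord -Value 1 | Out-Null
    }
}

# Run on a client after 'gpupdate /force' to confirm which restrictions applied.
function Test-RemovableStoragePolicy {
    $local = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $all   = (Get-ItemProperty -Path $local -ErrorAction SilentlyContinue).Deny_All
    $disk  = Get-ItemProperty -Path "$local\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DenyAll     = ($all -eq 1)
        DenyWrite   = ($disk.Deny_Write -eq 1)
        DenyExecute = ($disk.Deny_Execute -eq 1)
    }
}
Test-RemovableStoragePolicy
```

A client that reports all three values as False after a refresh has not received the GPO; check the link, security filtering and gpresult /r before suspecting the policy itself.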