Universal Serial Bus (USB) flash drives are undeniably convenient and easy to use. However, these devices pose very real security threats.
Number one, allowing your users to mount their own USB flash drives provides a vector for malicious code into your network. Number two, a malicious user can steal sensitive data by copying it to their flash drive and leaving the campus.
Here are a couple of excellent articles that delve more deeply into the IT security threats posed by USB devices:
You may decide to institute an IT security policy in your domain that prohibits the use of personal USB devices. This is all well and good, but how many of your users will actually adhere to the policy without some kind of technical control in place?
Fortunately, Windows Server 2008 R2 provides us administrators with a method for easily disabling USB drive access on Active Directory domain assets. Let’s get to work.
Defining the restriction
One important thing to keep in mind is that Microsoft made it MUCH easier to control removable drive access in Windows 7/Windows Server 2008 R2 Group Policy. If you need to restrict USB drives on earlier client operating systems (including Windows Vista), then one of the following links should prove helpful to you:
- How can I prevent users from using USB removable disks (USB flash drives) by using Group Policy (GPO)?
- Group Policy..Block USB
- HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers
- Step-by-Step Guide to Controlling Device Installation Using Group Policy
Now then: from one of your Active Directory Domain Services domain controllers or from an administrative workstation, open the Group Policy Management Console and link a new GPO to the appropriate target (domain, OU, etc.).
Within the Group Policy Editor, navigate to \Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access.
NOTE: If you prefer to set these restrictions on a per-user basis instead of computer-wide, then use the Group Policy path \User Configuration\Policies\Administrative Templates\System\Removable Storage Access.
Group Policy - Removable Storage Access
Note from the above screenshot that we can use Group Policy to limit access to the following device classes:
- Optical drives (CD and DVD)
- Floppy drives
- Removable disks (USB devices)
- Tape drives
- Custom device classes
By far, the most restrictive restriction (pardon the redundancy) is the policy All Removable Storage Classes: Deny All Access. If we enable this policy, as is shown in the following screen capture, then we prevent affected users from mounting ANY class of removable media.
All Removable Storage classes - Deny all access
Naturally, we want to apply GPO security filtering to ensure that only our desired users and computers are affected by our new policy. From the Group Policy Management Console we can make use of the Security Filtering and/or the WMI Filtering areas to properly scope our GPO. This is depicted in the following screen image:
Disable USB drive
In order to put your new GPO into effect immediately, open an administrative command prompt and issue the following command:
This command refreshes Group Policy throughout your Active Directory domain.
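The same restriction defined with the GroupPolicy PowerShell module rather than through the GPMC dialogs, as an added example that is not part of the original article. The GPO name, the OU distinguished name and the security group used for filtering are placeholders you must replace; the registry key and the Deny_All, Deny_Read and Deny_Write values are the ones the Removable Storage Access administrative templates write, and the class GUID is the one the template uses for the "Removable Disks" class.

```powershell
# Added example (not from the original article): build the GPO described above
# with the GroupPolicy module instead of clicking through GPMC. Run as a Group
# Policy administrator on a domain controller or an RSAT workstation.
Import-Module GroupPolicy

$gpoName   = 'Block Removable Storage'                      # assumed GPO name
$targetOu  = 'OU=Workstations,DC=corp,DC=example'           # placeholder OU DN
$scopeGrp  = 'USB-Restricted-Computers'                     # placeholder group
$policyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# $true  -> only "Removable Disks: Deny read/write" (CD/DVD etc. stay usable)
# $false -> "All Removable Storage classes: Deny all access"
$blockOnlyRemovableDisks = $false

# 1. Create the GPO if it does not exist yet and link it to the target OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Removable Storage Access restriction'
}
$linked = (Get-GPInheritance -Target $targetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# 2. Write the registry-based policy values behind the Removable Storage
#    Access templates. Deny_All = 1 is "All Removable Storage classes: Deny
#    all access"; the GUID subkey is the "Removable Disks" class.
if ($blockOnlyRemovableDisks) {
    $setKey = "$policyKey\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    Set-GPRegistryValue -Name $gpoName -Key $setKey -ValueName 'Deny_Read'  -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $setKey -ValueName 'Deny_Write' -Type DWord -Value 1 | Out-Null
} else {
    $setKey = $policyKey
    Set-GPRegistryValue -Name $gpoName -Key $setKey -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null
}

# 3. Security filtering: drop the default "Authenticated Users" apply right and
#    grant Read+Apply only to the scope group. Because this is a Computer
#    Configuration GPO, that group should contain the computer accounts to
#    restrict, and GpoApply already gives those accounts the Read they need.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null
Set-GPPermission -Name $gpoName -TargetName $scopeGrp -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Review what was written before forcing a refresh on the clients.
Get-GPRegistryValue -Name $gpoName -Key $setKey |
    Select-Object KeyPath, ValueName, Value
```

Toggling `$blockOnlyRemovableDisks` is the scripted equivalent of choosing between the all-classes deny and the per-class "Removable Disks" policies in the editor; the per-class form is the one to use when optical drives or other classes must keep working while USB mass storage is denied.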
How the restriction works
Once your GPO has been applied to the targeted computers, a user will see the following message box whenever they attempt to mount a restricted media device:
Disabled removable drive
It’s as simple as that!
In this article you learned how to leverage Windows Server 2008 Group Policy to disable USB drive use in your Active Directory domain. Have you initiated this policy in your environment? Please feel free to share your experiences and questions in the comments portion of this post.
I just wanted to know from where the “Disable USB drive” screen will open.
Hi Ajeesh. The “Disable USB Drive” screenshot was taken from the Group Policy Management Console. You can open that MMC console from the Administrative Tools folder on your domain controller. Alternatively, you can click Start > Run and type gpmc.msc into the Run box. -Tim
I failed to get the access denied message after the installation and updating the policy. I wonder where I went wrong. I created the policy in Win2008 and implemented the policy under Computer Configuration > Policies > Administrative Templates > Removable Storage Access: I enabled Removable Disks (deny read and deny write access) and enabled All Removable Storage Classes: Deny All Access.
This solution has a very bad effect if you want to roll back the policy: from testing such a policy, you cannot roll back, because the policy applies on the driver NTFS permissions.
I want to block only pen drives and external hard drives; then what about the USB mice used by clients if we do so?
Hi. I used the procedure above and it was 100% successful. But I also have to find a way to enable the USB again. I changed the USBSTOR value from 4 to 3, but the USB still isn't working. Can anybody please help or find a way to enable the disabled USB again? Thanks.
Rajat, I posted an answer in the forum. I hope that helps.
I like the article. It looks quite straightforward. I haven’t tried it yet.
But please, can you help me: is there any way I can monitor which users have been trying to use USB drives in the domain after I enable the policy?
Michael, I posted your question in the forum. You can subscribe to the topic after you have registered.
Does it work for Server 2003 with Windows 7 clients?
I have enabled the read/write restriction for a group of users. If a user from this group logs onto a Windows 8.1 system and tries accessing a USB drive, it says access is denied; however, if the same user logs onto a Windows Server 2008 R2 system in the same domain, he is allowed to access the USB drive. Why may this be happening?
I want to disable USB but enable the CD/DVD ROM. How can I do that?
Hi there, I really appreciate your help, that was great, but I don’t want the drive to be visible. Is there any way?
I tried to do this on Server 2012 (only for a single user) but nothing happened and the user can still use removable drives. Why? Can anyone help me?
I think there’s third party software that allows you to restrict/allow specific models of flash drives. This could be best for us because we have some machines that aren’t on the domain. Obviously GP wouldn’t apply to those machines but a third party solution could resolve that issue.
I tried it but it did not work. Windows 2012 Server. Can anyone help please?
I tried it on Windows Server 2012 R2 and it's working, but when I log on to Windows 8.1, my local disks D and E are also blocked.
In this case all the clients in the domain are not able to access that, but the client who connected the USB drive, did he access it or not? And is it possible for the domain to disable the USB port using Group Policy?
I want to have the GPO denying but allow specific users access. How can that be done?
Currently using a computer based GPO to deny all removable media.
I have a hardware based GPO that does not allow any removable media.
Now I have a specific person I would like to enable. How can that be accomplished?
We have applied a domain-level USB restriction policy through GPO on our Win2k8 domain controller, and after the changes took place we tried connecting a USB drive on several client machines (with Windows 7 installed), where it gives "Access is denied". That means the policy is working perfectly on all client machines in the same domain. But when we logged in to servers (Win 2008 & 2012) in the same domain and connected the same USB drive, it was accessible, which means the policy is not applying on servers.
So I request you to please help with how to disable USB on servers also.
I used this method on my laptop, which is connected to the domain environment, but it did not work.
Value changed: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\DWORD value 3
Also checked gpedit.msc.
USB not working.
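Several of the comments above (the USBSTOR value changed from 4 to 3 but USB still not working, the policy working on Windows 7 clients but not on servers, the laptop where it did not work at all) describe the same diagnostic question: which of the two independent controls, the Removable Storage Access policy values and the USBSTOR driver start type, is actually in effect on a given machine. The following read-only check is an added example, not part of the original article or its comments. It reads the policy key the Removable Storage Access templates write (machine and user scope), the USBSTOR `Start` value from the comment above, and reports both; the class GUIDs are the ones the template uses for the four classes the article lists.

```powershell
# Added example (not from the original article): report the effective
# removable-storage state on one domain-joined Windows client. Read-only;
# run in an elevated PowerShell session on the machine being examined.
function Get-RemovableStorageState {
    $classNames = @{
        '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' = 'Removable Disks'
        '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}' = 'CD and DVD'
        '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}' = 'Floppy Drives'
        '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}' = 'Tape Drives'
    }
    $report = [ordered]@{ Computer = $env:COMPUTERNAME; User = $env:USERNAME }

    # 1. Group Policy "Removable Storage Access" values, computer scope (HKLM)
    #    and user scope (HKCU). An absent key means "Not configured".
    foreach ($hive in 'HKLM', 'HKCU') {
        $scope = if ($hive -eq 'HKLM') { 'Computer' } else { 'User' }
        $base  = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
        $all   = (Get-ItemProperty -Path $base -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
        $report["$scope Deny_All"] = if ($null -eq $all) { 'Not configured' } else { $all }
        foreach ($guid in $classNames.Keys) {
            $cls = Get-ItemProperty -Path "$base\$guid" -ErrorAction SilentlyContinue
            if ($cls) {
                $denies = 'Deny_Read', 'Deny_Write', 'Deny_Execute' |
                    Where-Object { $cls.$_ -eq 1 }
                $report["$scope $($classNames[$guid])"] =
                    if ($denies) { $denies -join ', ' } else { 'Configured, no deny flags' }
            }
        }
    }

    # 2. USBSTOR driver start type: 3 = start on demand (normal), 4 = disabled.
    #    This is the registry path quoted in the comments and is independent of
    #    the Group Policy values above; a policy deny persists even if Start = 3.
    $start = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                -Name Start -ErrorAction SilentlyContinue).Start
    $report['USBSTOR Start'] = switch ($start) {
        3       { '3 (driver enabled)' }
        4       { '4 (driver disabled)' }
        $null   { 'USBSTOR key not found' }
        default { "$start (non-standard)" }
    }

    return [pscustomobject]$report
}

Get-RemovableStorageState | Format-List
```

If the report shows `Computer Deny_All = Not configured` on a machine that should be restricted, the GPO never reached it (OU link, security filtering or WMI filter), which is the place to look before touching the USBSTOR driver; if a policy deny is listed, restoring `Start = 3` alone will not bring the drive back because Group Policy reapplies the deny on every refresh.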