Number one, allowing your users to mount their own USB flash drives provides a vector for malicious code into your network. Number two, a malicious user can steal sensitive data by copying it to their flash drive and leaving the campus.
Here are a couple excellent articles that delve more deeply into IT security threats posed by USB devices:
You may decide to institute an IT security policy in your domain that prohibits use of personal USB devices. This is all well and good, but how many of your users will actually adhere to the policy without some kind of a control in place?
Fortunately, Windows Server 2008 R2 provides us administrators with a method for easily disabling USB drive access on Active Directory domain assets. Let’s get to work.
Defining the restriction ^
One important thing to keep in mind is that Microsoft made it MUCH easier to control removable drive access in Windows 7/Windows Server 2008 R2 Group Policy. If you need to restrict USB drives on earlier client operating systems (including Windows Vista), then one of the following links should prove helpful to you:
- How can I prevent users from using USB removable disks (USB flash drives) by using Group Policy (GPO)?
- Group Policy..Block USB
- HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers
- Step-by-Step Guide to Controlling Device Installation Using Group Policy
Now then: from one of your Active Directory Domain Services domain controllers or from an administrative workstation, open the Group Policy Management Console and link a new GPO to the appropriate target (domain, OU, etc.).
Within the Group Policy Editor, navigate to \Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access.
NOTE: If you prefer to set these restrictions on a per-user basis instead of computer-wide, then use the Group Policy path \User Configuration\Policies\Administrative Templates\System\Removable Storage Access.
Group Policy - Removable Storage Access
Note from the above screenshot that we can use Group Policy to limit access to the following device classes:
- Optical drives (CD and DVD)
- Floppy drives
- Removable disks (USB devices)
- Tape drives
- Custom device classes
By far, the most restrictive restriction (pardon the redundancy) is the policy All Removable Storage Classes: Deny All Access. If we enable this policy, as is shown in the following screen capture, then we prevent affected users from mounting ANY class of removable media.
All Removable Storage classes - Deny all access
Naturally, we want to apply GPO security filtering to ensure that only our desired users and computers are affected by our new policy. From the Group Policy Management Console we can make use of the Security Filtering and/or the WMI Filtering areas to properly scope our GPO. This is depicted in the following screen image:
Disable USB drive
In order to put your new GPO into effect immediately, open an administrative command prompt and issue the following command:
This command refreshes Group Policy throughout your Active Directory domain.
How the restriction works ^
Once your GPO has been ingested by your domain, a user will see the following message box whenever they attempt to mount a restricted media device:
Disabled removable drive
It’s as simple as that!
In this article you learned how to leverage Windows Server 2008 Group Policy to disable USB drive us in our Active Directory domain. Have you initiated this policy in your environment? Please feel free to share your experiences and questions in the comments portion of this post.