How to use a Group Policy Object to block access to USB storage devices

In the modern workplace, just about every member of staff owns and uses at least one USB storage device. (In this article, “USB storage device” refers to any USB device that can store data, including, but not limited to, flash drives, external hard drives, smartphones, tablets, portable gaming devices, cameras and MP3 players).

However, the portability and widespread adoption of USB storage devices pose a significant security threat. For example, an employee could inadvertently connect an infected device to an endpoint, which may result in malware spreading to the company’s network. Alternatively, USB storage devices may be used to exfiltrate sensitive information or install unauthorized applications, which could lead to further security concerns.

Thankfully, Microsoft has made it relatively simple to block the use of unauthorized USB storage devices. In this article, we’ll show you the exact steps to disable USB storage devices using a Group Policy Object (GPO).

Note: To restrict access to external drives with a GPO, you need to be running Windows Server 2008 (or newer); on desktops, you need Windows Vista or newer. Older versions of Windows and Windows Server will need to use third-party tools to block access to external media, which are not covered in this article.

Apply a GPO to an organizational unit

  1. Open the Group Policy Management Console (gpmc.msc).
  2. Right-click on the organizational unit (OU) you want to apply the policy to and click Create a GPO in this domain, and Link it here.
  3. Enter a name for the policy (e.g. Block USB Devices) and click OK.
  4. In the Linked Group Policy Objects tab, right-click the policy you created in Step 3 and click Edit.
  5. Navigate through the console tree to Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access.
  6. In the Removable Storage Access section, you’ll find a number of policies for a variety of storage devices. Policies include:
    • CD and DVD: Deny execute access.
    • CD and DVD: Deny read access.
    • CD and DVD: Deny write access.
    • Custom Classes: Deny read access.
    • Custom Classes: Deny write access.
    • Floppy Drives: Deny execute access.
    • Floppy Drives: Deny read access.
    • Floppy Drives: Deny write access.
    • Removable Disks: Deny execute access.
    • Removable Disks: Deny read access.
    • Removable Disks: Deny write access.
    • All Removable Storage classes: Deny all access.
    • All Removable Storage: Allow direct access in remote sessions.
    • Tape Drives: Deny execute access.
    • Tape Drives: Deny read access.
    • Tape Drives: Deny write access.
    • WPD Devices: Deny read access.
    • WPD Devices: Deny write access.
  7. To deny access to all storage devices, double-click All Removable Storage classes: Deny all access, tick Enabled and click OK. Once this policy is enabled, the system will detect when a USB storage device is connected and display an error message stating that the drive is not accessible and access is denied.
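The same seven steps can be scripted with the GroupPolicy module that ships with RSAT. The script below is an added example, not code from the article or from Emsisoft; the GPO name "Block USB Devices" matches the one used above, while the OU distinguished name and the workstation it is checked on are assumptions. It relies on the fact that the "All Removable Storage classes: Deny all access" setting is stored as the Deny_All DWORD under the RemovableStorageDevices policy key, which is also what you can check on an endpoint to confirm the policy actually arrived.

```powershell
# Added example (not from the article): steps 1-7 above via the GroupPolicy module,
# run on a domain-joined management host with RSAT installed.
# Assumed names: OU "OU=Workstations,DC=example,DC=com".
Import-Module GroupPolicy

$gpoName  = 'Block USB Devices'
$targetOu = 'OU=Workstations,DC=example,DC=com'   # assumed OU

# Steps 2-3: create the GPO (or reuse an existing one) and link it to the OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -ErrorAction SilentlyContinue

# Step 7: "All Removable Storage classes: Deny all access" is the Deny_All DWORD
# under the RemovableStorageDevices policy key (Computer Configuration side).
$policyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

# Show what the GPO now carries.
Get-GPRegistryValue -Name $gpoName -Key $policyKey

# --- Check on an affected workstation (after gpupdate /force or the next refresh) ---
# The policy engine writes the same value to the local Policies hive; if it is
# missing, the GPO has not applied to this machine yet.
$localKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$local = Get-ItemProperty -Path $localKey -Name 'Deny_All' -ErrorAction SilentlyContinue
if ($local -and $local.Deny_All -eq 1) {
    'Removable storage is denied by policy on this machine'
} else {
    'Deny_All not present: policy not applied here yet (check gpresult /r)'
}
```

The endpoint part is the check worth keeping in a runbook: a blocked drive showing "access is denied" proves the policy once, but reading Deny_All (or running gpresult /r and looking for the GPO name under Applied Group Policy Objects) confirms it across a fleet without plugging anything in.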

Apply a GPO to specific users

In the previous section, we blocked access to all removable media for all users within the selected OU. However, there are often situations where you’ll want to apply a GPO only to a specific group or groups. To do so:

  1. Open the Group Policy Management Console.
  2. In the navigation pane, find and select the GPO.
  3. Click the Delegation tab.
  4. Click Advanced.
  5. Select Authenticated Users.
  6. Scroll down to the Apply group policy permission and untick Allow.
  7. Click Add, enter the name of the group you wish to apply the policy to and click OK.
  8. Select the group you added in Step 7, scroll down the permission list to Apply group policy and tick Allow. The GPO will now only be applied to users who are in this group.

Exempt a group from a GPO

In other situations, you may wish to apply a GPO to an OU but still allow certain users (such as administrators) to be able to access USB storage devices. To do so:

  1. Open the Group Policy Management Console.
  2. In the navigation pane, find and select the GPO.
  3. Click the Delegation tab.
  4. Click Advanced.
  5. Click Add, enter the name of the group you wish to exempt from the policy and click OK.
  6. Select the group you added in Step 5, scroll down to the Apply group policy permission and tick Deny.
  7. Click OK, and then click Yes if prompted by the Windows Security dialog box. The GPO will now not apply to users in this group.
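Both Delegation-tab procedures (applying the GPO only to one group, and exempting another) are ACL edits on the GPO, so they can be done together in PowerShell. The script below is an added example, not code from the article or from Emsisoft; the group names "USB-Blocked-Users" and "USB-Exempt-Admins" are assumptions. The first half mirrors the previous section (Authenticated Users keeps Read but loses Apply, the chosen group gets Read and Apply); the second half mirrors this section and adds a Deny entry for the Apply Group Policy right, which Set-GPPermission cannot write, so it is added through the GPO's Active Directory object instead.

```powershell
# Added example (not from the article): the Delegation-tab edits from the two
# sections above, done with the GroupPolicy and ActiveDirectory modules.
# Assumed names: groups "USB-Blocked-Users" and "USB-Exempt-Admins".
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'Block USB Devices'

# --- Apply the GPO only to one group (security filtering) ---
# Steps 5-6 of the previous section: remove "Apply group policy" from
# Authenticated Users but keep Read. -Replace sets the level instead of adding to it.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
# Steps 7-8: grant Read + Apply to the group the policy should reach.
Set-GPPermission -Name $gpoName -TargetName 'USB-Blocked-Users' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# --- Exempt a group (Deny on "Apply group policy") ---
# Set-GPPermission only writes Allow entries, so the Deny ACE goes onto the GPO's
# AD object. edacfd8f-ffb3-11d1-b41d-00a0c968f939 is the Apply-Group-Policy
# control access right GUID.
$gpo       = Get-GPO -Name $gpoName
$gpoAdPath = "AD:\$($gpo.Path)"
$acl       = Get-Acl -Path $gpoAdPath
$exemptSid = (Get-ADGroup -Identity 'USB-Exempt-Admins').SID
$applyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$denyAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $exemptSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGroupPolicyRight)
$acl.AddAccessRule($denyAce)
Set-Acl -Path $gpoAdPath -AclObject $acl

# Review the result: Denied = True marks the exemption entry.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission, Denied
```

Two caveats when filtering this particular GPO. First, leave Authenticated Users with Read (as the script and the GUI steps do): since MS16-072, policy is retrieved in the computer's security context, so stripping Read entirely stops the GPO from processing at all. Second, the Removable Storage Access settings configured earlier sit under Computer Configuration, and the Apply permission for computer-side settings is evaluated against the computer account, not the logged-on user; to filter or exempt by user group, configure the matching settings under User Configuration > Policies > Administrative Templates > System > Removable Storage Access in the same GPO, or put the relevant computer accounts in the filtered group.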

Conclusion

Restricting access to USB storage devices plays an important role in bolstering an organization’s security. Businesses of all sizes, as well as home users with business editions of Windows, can use GPOs to manage access to removable storage devices and consequently reduce the risk of malware infection, data exfiltration and the unauthorized installation of applications.

Jareth

Writer. A picture is worth a thousand words but unfortunately I can't draw. The world of IT security has always fascinated me and I love playing a small role in helping the good guys combat malware.
