
User based Group Policy to disable USB access for users (current user)

23 March 2015 at 12:59 PM


         Defining the restriction

         How the restriction works

    

Universal Serial Bus (USB) flash drives are undeniably convenient and easy to use. However, these devices pose very real security threats.

Number one, allowing your users to mount their own USB flash drives provides a vector for malicious code into your network. Number two, a malicious user can steal sensitive data by copying it to their flash drive and leaving the campus.

Here are a couple of excellent articles that delve more deeply into IT security threats posed by USB devices:

         Social Engineering, the USB Way

         USB Drives Pose Insider Threat

You may decide to institute an IT security policy in your domain that prohibits use of personal USB devices. This is all well and good, but how many of your users will actually adhere to the policy without some kind of a control in place?

Fortunately, Windows Server 2008 R2 provides us administrators with a method for easily disabling USB drive access on Active Directory domain assets. Let’s get to work.

Defining the restriction

One important thing to keep in mind is that Microsoft made it MUCH easier to control removable drive access in Windows 7/Windows Server 2008 R2 Group Policy. If you need to restrict USB drives on earlier client operating systems (including Windows Vista), then one of the following links should prove helpful to you:

         How can I prevent users from using USB removable disks (USB flash drives) by using Group Policy (GPO)?

         Group Policy..Block USB

         HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers

         Step-by-Step Guide to Controlling Device Installation Using Group Policy

Now then: from one of your Active Directory Domain Services domain controllers or from an administrative workstation, open the Group Policy Management Console and link a new GPO to the appropriate target (domain, OU, etc.).

Within the Group Policy Editor, navigate to \Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access.

NOTE: If you prefer to set these restrictions on a per-user basis instead of computer-wide, then use the Group Policy path \User Configuration\Policies\Administrative Templates\System\Removable Storage Access.

[Screenshot: Group Policy – Removable Storage Access]

Note from the above screenshot that we can use Group Policy to limit access to the following device classes:

       Optical drives (CD and DVD)

       Floppy drives

       Removable disks (USB devices)

       Tape drives

       Custom device classes

By far, the most restrictive restriction (pardon the redundancy) is the policy All Removable Storage Classes: Deny All Access. If we enable this policy, as is shown in the following screen capture, then we prevent affected users from mounting ANY class of removable media.

[Screenshot: All Removable Storage classes – Deny all access]

Naturally, we want to apply GPO security filtering to ensure that only our desired users and computers are affected by our new policy. From the Group Policy Management Console we can make use of the Security Filtering and/or the WMI Filtering areas to properly scope our GPO. This is depicted in the following screen image:

[Screenshot: Disable USB drive]

In order to put your new GPO into effect immediately, open an administrative command prompt and issue the following command:

gpupdate /force

This command refreshes Group Policy throughout your Active Directory domain.

How the restriction works

Once your GPO has been ingested by your domain, a user will see the following message box whenever they attempt to mount a restricted media device:

usbaccess4.png
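
One way to confirm on a client that the Removable Storage Access settings have landed after the policy refresh, as an added example that is not part of the original post. The registry location, value names and device-class GUIDs are the ones Windows uses for these policy settings and are not given on the page; the function name is hypothetical and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example: list which Removable Storage Access "deny" settings are present
# on this machine, for both Computer Configuration and User Configuration.
function Get-RemovableStoragePolicy {
    [CmdletBinding()]
    param()

    # Assumption: policy location and class GUIDs as used by Windows (not from the page).
    $base = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices'
    $classes = [ordered]@{
        'All removable storage classes' = ''
        'CD and DVD'                    = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
        'Floppy drives'                 = '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}'
        'Removable disks'               = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
        'Tape drives'                   = '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}'
    }
    # HKLM holds the computer-wide settings, HKCU the per-user ones.
    # HKCU is the hive of the account running this script, so run it as the
    # user the GPO targets, not as a different administrator.
    $scopes = [ordered]@{ Computer = 'HKLM:'; User = 'HKCU:' }

    foreach ($scope in $scopes.GetEnumerator()) {
        foreach ($class in $classes.GetEnumerator()) {
            $path = '{0}\{1}' -f $scope.Value, $base
            if ($class.Value) { $path = '{0}\{1}' -f $path, $class.Value }

            # A missing key means the setting is "Not Configured" in that scope.
            $key = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
            $names = if ($class.Value) { 'Deny_Read', 'Deny_Write', 'Deny_Execute' }
                     else { 'Deny_All' }

            foreach ($name in $names) {
                $prop = if ($key) { $key.PSObject.Properties[$name] }
                [pscustomobject]@{
                    Scope   = $scope.Key
                    Class   = $class.Key
                    Setting = $name
                    Denied  = [bool]($prop -and $prop.Value -eq 1)
                }
            }
        }
    }
}

# Show only the restrictions that are actually in force; empty output means none applied.
Get-RemovableStoragePolicy | Where-Object { $_.Denied } | Format-Table -AutoSize
```

If the GPO is linked and filtered correctly but nothing is listed, `gpresult /r` on the same client shows whether the GPO was applied or filtered out.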


