How To Disable USB Ports using Group Policy
How To Disable USB Ports Group Policy
In this post, we’ll learn the steps to disable USB Ports using Group Policy. Universal Serial Bus (USB) is one of the most popular way of connection through which we can connect computer through media devices like external hard disk, pen drives, cameras, printers, scanners etc. These media devices connect to computer through USB ports. Generally laptops have 3 to 5 USB ports whereas desktops have 4 to 6 USB ports. But we can increase the number of USB ports with the help of external USB hub, it is a device just like an external mouse or DVD drive. External USB hub is also known as splitters. It is capable of creating new USB ports by taking the space of one.
Steps to create Folder Redirection using Group Policies
How to disable USB ports, if this is the question that boggles your mind because you are struggling to manage security of your Organization then don’t worry, we would help you with the steps to disable USB ports. For securing the network of the company, most of the organizations restrict the access of removable drives by disabling USB ports. Disable removable disk would prevent the threat of stealing confidential data or inject virus in the network therefore organizations disable USB ports.
Methods to Disable USB Ports
There are various ways to disable USB ports, they are listed below. Some of them we’ll discuss in this post.
- Block USB ports using registry
- Block USB ports through device manager
- Block USB ports using software
- Block USB ports using group policy
In this post, we’ll learn to deploy USB restrict group policy and also see how to give read only permissions to the USB drive and blocking the execution of .exe files.
How to Disable USB Ports – Steps
1. Block USB ports is a computer based policy. Therefore, we have created an OU naming Tech and added two computers in it naming DC05 and DC06 in Active Directory Users and Computers.
2. Open Group Policy Management Console (GPMC) and right click on OU (Tech) and click on “Create a GPO in this domain, and link it here” to create a new group policy object and link it with an OU.
3. In New GPO console enter the name of GPO and click on OK. In this example, the name of the GPO is “Removable drive access deny”. Click on OK.
4. New GPO is like an empty template therefore we have to edit and define the settings to make GPO works. Right click on newly created GPO (Removable drive access deny) and click on “Edit” to define GPO settings.
5. As we stated earlier that “Removable storage access deny” is a computer based policy therfore on “Group Policy Management Editor” (GPME) console expand Computer Configuration, then expand Policies, under policies expand Administrative Templates, then expand System, under system select Removable Storage Access.
In the right frame, we can see “All Removable Storage Classes: Deny all access” policy in Removable storage access folder. Double click on this policy to open policy settings.
6. On “All Removable Storage Classes: Deny all access” settings console select enabled, click on apply and then click on OK. Don’t get confused between enabling access of removable drive and enabling this policy. Here, enabled means enabling this policy and disabled means disabling the policy. Selecting “Enabled” option would disable USB drives.
7. After deploying this group policy, removable storage will not be accessible on DC05 and DC06 computers. USB drive will be shown as attached to a computer but it would not be accessible. If anyone tries to open USB drive an error message pop-ups “Drive is not accessible. Access is denied.”
We have discussed the steps to disable USB drives. Now we’ll learn how to deploy read-only permission to removable storage. After deploying this policy users can only access the removable disk but cannot modify or write anything on the removable disk.
How to Disable USB Drive – Write Access
To disable USB drive write access, follow the steps 1 to 4 as described above.
5. To disable USB drive write access, select “Removable Disk: Deny write access” is a computer policy so, on GPME console expand Computer Configuration, then expand Policies, under policies expand Administrative Templates, then expand System, under system click on Deny Write Access. Double click on this policy to open policy settings.
6. On “Removable Disk: Deny write access” settings console select enabled and click on OK. Enabling “Deny Write access” policy would disable USB drive write access. Click on apply, click on Ok.
7. After deploying this group policy, the removable disk would be accessible on DC05 and DC06 computers. However, we can access the storage but cannot modify the content of USB drive or cannot copy any data. If we try to do so we get an error message “Destination Folder Access is Denied. You need permission to perform this action“. This error confirms that “Removable Disk: Deny write access” policy is deployed successfully and write access is disable for USB drive.
Above in this post, we have discussed the steps to disable USB drive write access. Deploying this policy would result in read only permission for removable disk.
Now, the question arises, is organization’s network is secured when read-only permission is deployed? As per my opinion it is not because if anyone installs an executable file from removable disk on client computer which could lead to security threat. To prevent that situation, we can define “Removable Disk: Deny execute access” policy. It would block the installation of executable files from removable disk.
Steps to deploy Removable Disk: Deny execute access policy.
To disable execute access from “Removable Disk” follow the steps 1 to 4 from above mentioned policy.
Follow the steps 1 to 4 from the All Removable Storage Classes: Deny all access policy.
5. “Removable Disk: Deny execute access” is also a computer based policy so, on GPME console expand Computer Configuration, then expand Policies, under policies expand Administrative Templates, then expand System, under System click on Removable Storage Access. Right click on “Removable Disks: Deny execute access” and click on Edit to open policy settings.
6. On “Removable Disks: Deny execute access” console select enabled to enable the policy. Enabling policy would result in denying execute access from the removable disks. Click on apply, click on Ok.
7. After this policy is deployed removable disk would be accessible but executable files would not execute. We would get an error message “Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item”.
We can also disable removable disk by using software or by editing registry. We’ll talk about those options in detail in future posts.
Do mention in the comments about the software or policy that you have deployed in your Organization to disable USB drive/ removable disk.
very well written article thank you .
Thanks for your kind words. It really motivates.
I followed your article step by step and it helped me in disabling USB drive. Thanks much for the great writeup.