Powered by Blogger.

HOW TO: BLOCKING USB DEVICES AND REMOVABLE MEDIA

Step 1: Create a Security Group
Create a security group with a descriptive name like NoUSB or DisableUSB

Step 2: Create a GPO
Open the Group Policy Management console and create a new Group policy object. Also give this a descriptive name like No USB or Disable USB.
Step 3: Security Filtering
Select the group policy object and on the scope tab add the recently created security group, in my case NoUSB, to the Security Filtering section

Step 4: Change Permissions
Switch to the Delegation tab and select Advanced. Once in the advance view remove apply permission from the "Authenticated users" group by making sure the box in red is unchecked


Step 5: Choose GPO Settings
From GPME expand User Configuration -> Policies -> System -> Removable Storage.

Here is where we will actually choose what we want to disable. In my case I only wish to block access to removable disks so I will enable "Removable Disks: Deny read access" and "Removable Disks: Deny write access".

After selecting the devices you would like to disable close GPME, we are all done configuring the group policy settings.

Step 6: Linking the GPO
Link this GPO to the Users OU for your organization

Step 7: Test
Create a test user and add them to your newly created NoUSB security group.

Log into a workstation and attempt to insert a removable disc(flash drive, external hard drive, etc.) You should be blocked from opening the device.

To make sure our policy only applies to users in the security group, also log in a user account(on the same PC) that does not belong to the NoUSB group and attempt to open the removable disc, you should be able to successfully open it.

By following the steps above you will effectively disable USB mass storage access for any users in the NoUSB security group.

I strongly advise not testing this out in a live production environment in case you configure anything incorrectly. My advice is provided as is, and I am not responsible for any damage you may cause while attempting to set this up.

Found on Spiceworks: https://community.spiceworks.com/how_to/118905-creating-an-effective-usb-blocking-gpo?utm_source=copy_paste&utm_campaign=growth
    Blogger Comment
    Facebook Comment