In this article, we shall discuss how to restrict access to removable Storage Drives [Part 2]. When a USB or supported port is available on the computer. Users can connect removable storage devices such as USB flash drives, external hard drives, and other types of mass storage devices) to access or export data. If you do not want users engaging and moving your data around. You might want to restrict access to these types of devices. Please see how to Disable and Enable USB Usage for Certain Users in Windows, and various Sign-in options for Windows: Ditch Password for Enhanced Security.
Some of these devices can be infected by Viruses, and malware and you do not want this in your network. Therefore, you would disable access by preventing users from connecting these devices. Please see how to disable Access to Removable Storage Devices for All Users with Windows Registry [Part 1]
Also, see how to link a removable media to a Deployment Share: Replicate Deployment share to a removable device. Here is how to Restrict IP Address Range on Windows PC, and How to prevent installation of removable devices.
Removable media
This is any type of storage device that can be removed from a device while the system is in operation (running). Here are a few examples of removable media. For security best practice, it is advisable to disable this functionality. Because it makes it easy for a user to move data from one computer to another.
Optical Discs (Blu-Ray discs, DVDS, CD-ROMs) Memory Cards (Compact Flash card, Secure Digital card, Memory Stick) Zip Disks/ Floppy disks USB flash drives External hard drives (DE, EIDE, SCSSI, and SSD) Digital cameras Smart phones Other external/dockable devices which contain removable media capabilities
I will be performing this demonstration using the Local Group Policy to prevent users from writing or reading files and folders from a removable drive. Kindly follow the steps below.
Type run in the Windows Search box as shown below
- Click on the Run App
In the Run dialog window, type in “gpedit.msc” as shown below and
– Click on ok
This will open the group policy editor, navigate through the following paths and click on Removable Storage Access.
- Click on the User Configuration,
- click Administrative Template to expand the menu.
- Click on System, and
- Click on Removable Storage Access
In the Removable Storage Access list, numerous policies allow you to block the use of different types of storage classes as shown below.
- CD and DVD: Deny execute access. - CD and DVD: Deny read access. - CD and DVD: Deny write access. - Custom Classes: Deny read access. - Custom Classes: Deny write access. - Floppy Drives: Deny execute access. - Floppy Drives: Deny read access. - CD and DVD: Deny execute access. - CD and DVD: Deny read access. - CD and DVD: Deny write access. - Custom Classes: Deny read access. - Custom Classes: Deny write access. - Floppy Drives: Deny execute access. - Floppy Drives: Deny read access. - Floppy Drives: Deny write access. - Removable Disks: Deny execute access. - Removable Disks: Deny read access. - Removable Disks: Deny write access. - All Removable Storage classes: Deny all access. - All Removable Storage: Allow direct access in remote sessions. - Tape Drives: Deny execute access. - Tape Drives: Deny read access. - Tape Drives: Deny write access. - Windows Portable Device – this class includes smartphones, tablets, players, etc. - WPD Devices: Deny write access.
Here is a screenshot of the steps below, the most powerful restrict policy below highlighted “All Removable Storage Classes”: Deny All Access .
This policy allows you to deny access to all types of external storage devices. As you can see, there is currently no restriction configured.
Furthermore, To configure this, double click on All Removable Storage classes: Deny all access and enable it as shown below.
To ensure, the GPO takes effect immediately, run gpupdate /update from the command prompt or sign-out and sign-in again.
I hope you found this blog post helpful on how to restrict access to removable Storage Drives [Part 2]. If you have any questions, please let me know in the comment session.
