Before we proceed, let us define some key terms.
Removable media: This is any type of storage device that can be removed from a device while the system is in operation (running). Here are some few examples of removable media. For security best practice, it is advisable to disable this functionality as it makes it easy for a user to move data from one computer to another.
Optical Discs (Blu-Ray discs, DVDS, CD-ROMs) Memory Cards (Compact Flash card, Secure Digital card, Memory Stick) Zip Disks/ Floppy disks USB flash drives External hard drives (DE, EIDE, SCSSI, and SSD) Digital cameras Smart phones Other external/dockable devices which contain removable media capabilities
I will be performing this demonstration using the Local Group Policy to prevent users from writing or reading files and folders from a removable drive. Kindly follow the steps below.
Type run in the Windows Search box as shown below
- Click on the Run App
In the Run dialog window, type in “gpedit.msc” as shown below and
– Click on ok
This will open the group policy editor, navigate through the following paths and click on Removable Storage Access.
- Click on the User Configuration,
- click Administrative Template to expand the menu.
- Click on System, and
- Click on Removable Storage Access
In the Removable Storage Access list, there are numerous policies allowing you to block the use of different types of storage classes as shown below.
- CD and DVD: Deny execute access. - CD and DVD: Deny read access. - CD and DVD: Deny write access. - Custom Classes: Deny read access. - Custom Classes: Deny write access. - Floppy Drives: Deny execute access. - Floppy Drives: Deny read access. - CD and DVD: Deny execute access. - CD and DVD: Deny read access. - CD and DVD: Deny write access. - Custom Classes: Deny read access. - Custom Classes: Deny write access. - Floppy Drives: Deny execute access. - Floppy Drives: Deny read access. - Floppy Drives: Deny write access. - Removable Disks: Deny execute access. - Removable Disks: Deny read access. - Removable Disks: Deny write access. - All Removable Storage classes: Deny all access. - All Removable Storage: Allow direct access in remote sessions. - Tape Drives: Deny execute access. - Tape Drives: Deny read access. - Tape Drives: Deny write access. - Windows Portable Device – this class includes smartphones, tablets, players, etc. - WPD Devices: Deny write access.
Here is a screenshot of the steps below, the most powerful restrict policy below highlighted “All Removable Storage Classes”: Deny All Access .
This policy allows you to deny access to all types of external storage devices. As you can see, there is currently no restriction configured.
To configure this, double click on All Removable Storage classes: Deny all access and enable it as shown below.
To ensure, the GPO takes effect immediately, run gpupdate /update from the command prompt or sign-out and sign-in again.
To have this done via a script, see the following link https://www.tenforums.com/antivirus-firewalls-system-security/140041-disable-access-all-removable-storage-devices.html