How to Restrict Access to USB Drives

I will be performing this demonstration using the Local Group Policy. In subsequent tutorials, I will cover GPO implementation using the Group Policy Management Console.

Note: Most at times. when a USB device is connected to the computer, Windows automatically detects the device, it installs all needed driver automatically. This implies a USB can be readily used thereby leading to a security breach. Because of this, I will be blocking access to USB, thereby preventing security leakage of confidential data and also the possible attacks of viruses into the network.

Type run in the Windows Search box as shown below
- Click on the Run App

In the Run dialog window, type in “gpedit.msc” as shown below and
– Click on ok

This will open up the Local Group Policy Windows Editor and follow the steps list below to open up the “Device Installation Restriction” List as shown below.

- Click on the User Configuration, 
- click Administrative Template to expand the menu.
- Click on System, and 
- Clcik on Removable Storage Access

In the Removable Storage Access list, there are numerous policies allowing you to block the use of different types of storage classes as shown below.

- CD and DVD: Deny execute access.
- CD and DVD: Deny read access.
- CD and DVD: Deny write access.
- Custom Classes: Deny read access.
- Custom Classes: Deny write access.
- Floppy Drives: Deny execute access.
- Floppy Drives: Deny read access.
- CD and DVD: Deny execute access.
- CD and DVD: Deny read access.
- CD and DVD: Deny write access.
- Custom Classes: Deny read access.
- Custom Classes: Deny write access.
- Floppy Drives: Deny execute access.
- Floppy Drives: Deny read access.
- Floppy Drives: Deny write access.
- Removable Disks: Deny execute access.
- Removable Disks: Deny read access.
- Removable Disks: Deny write access.
- All Removable Storage classes: Deny all access.
- All Removable Storage: Allow direct access in remote sessions.
- Tape Drives: Deny execute access.
- Tape Drives: Deny read access.
- Tape Drives: Deny write access.
- Windows Portable Device – this class includes smartphones, tablets, players, etc.
- WPD Devices: Deny write access.

Here is a screenshot of the steps below.
Note: The most powerful restrict policy below highlighted in red “All Removable Storage Classes”: Deny All Access . This policy allows you to deny access to all types of external storage devices. As you can see, there is currently no restriction configured.

To enforce the restriction, double click or right-click on any of your desired policy. For me, I will be double clicking on the Removable Disks: Deny execute access.
– Click on Enabled and finally
– Click on Okay.

To ensure, the GPO takes effect immediately, run gpupdate /update from the CLI.