In this article, we shall discuss “Deny execute access: Restrict Access to USB Drives on Windows”. A USB flash drive is a data storage device that includes flash memory with an integrated USB interface. I will be performing this demonstration using the Local Group Policy. In subsequent tutorials, I will cover the implementation using the Group Policy Management Console which can affect numerous PCs. Please see How to restrict access to removable Storage Drives, How to prevent installation of removable devices, and how to Restrict IP Address Range on Windows PC.
Note: Most at times, when a USB device is connected to the computer. Windows automatically detects the device, and installs all needed drivers automatically. This implies that a USB can be readily used thereby leading to a security breach.
Because of this, I will be blocking execute access to USB. Thereby preventing security leakage of confidential data and also the possible attacks of viruses into the network. Please see how to restrict access to removable Storage Drives [Part 2]
Also, see how to Disable and Enable USB Usage for Certain Users in Windows, how to link a removable media to a Deployment Share: Replicate Deployment share to a removable device, and steps to Creating a WinPE USB Drive: Fixing System Boot Issues.
Blocking access to USB on Windows
Type run in the Windows Search box as shown below. Click on the Run App
In the Run dialog window, type in “gpedit.msc” as shown below and click on ok
Device Installation Restriction
This will open up the Local Group Policy Windows Editor and follow the steps list below to open up the “Device Installation Restriction” List as shown below.
Click on the User Configuration, then Administrative Template to expand the menu. Click on System, and click on Removable Storage Access
In the Removable Storage Access list, there are numerous policies allowing you to block the use of different types of storage classes as shown below. You are free to choose what policy you want from this list.
- CD and DVD: Deny execute access.
- CD and DVD: Deny read access.
- CD and DVD: Deny write access.
- Custom Classes: Deny read access.
- Custom Classes: Deny write access.
- Floppy Drives: Deny execute access.
- Floppy Drives: Deny read access.
- CD and DVD: Deny execute access.
- CD and DVD: Deny read access.
- CD and DVD: Deny write access.
- Custom Classes: Deny read access.
- Custom Classes: Deny write access.
- Floppy Drives: Deny execute access.
- Floppy Drives: Deny read access.
- Floppy Drives: Deny write access.
- Removable Disks: Deny execute access.
- Removable Disks: Deny read access.
- Removable Disks: Deny write access.
- All Removable Storage classes: Deny all access.
- All Removable Storage: Allow direct access in remote sessions.
- Tape Drives: Deny execute access.
- Tape Drives: Deny read access.
- Tape Drives: Deny write access.
- Windows Portable Device – this class includes smartphones, tablets, players, etc.
- WPD Devices: Deny write access.
Here is a screenshot of the steps below. The most powerful restrict policy below highlighted in red “All Removable Storage Classes”: Deny All Access .
This policy allows you to deny access to all types of external storage devices. As you can see, there is currently no restriction configured.
However, To enforce the restriction, double-click or right-click on any of your desired policy. You can also use “ Removable Disks: Deny execute access ” policy to disable execute access to USB drive or all types of removable storages.
Note: In addition, the “Removable Disks: Deny execute access” policy setting in Windows is a security measure that prevents executable files from running on removable storage devices like USB drives. When this policy is enabled, any attempt to execute a program or script from a removable disk will be blocked.
Removable Disks: Deny execute access
For me, I will be double clicking on the Removable Disks: Deny execute access. Click on Enabled and finally, and click on Okay.
Furthermore, To ensure the GPO takes effect immediately, run gpupdate /update from the CLI.
Please see How to Disable and Enable USB Usage for Certain Users in Windows, What is GPO and how can it be launched in Windows, and Group Policy GPUpdate Commands.
Disable Access to Removable Storage Devices for All Users with Windows Registry
To do this, launch the Windows Registry Editor, and navigate to the following key, and Double-click on Deny_All and set the value data to 1 to disable access.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices
If not present. Create and set the "Deny_All"=dword:00000001This approach is useful in preventing malware or unauthorized software from being run from external devices. Thereby enhancing the overall security of your system.
I hope you found this article on “Deny execute access: Restrict Access to USB Drives on Windows” very useful. Please feel free to leave a comment below.
