
Lockdown USB in user context via Group Policy

In many organisations the use of USB devices (flash drives, USB HDDs, SD cards and so on) is blocked for security reasons, to prevent leakage of confidential data and to stop malware from entering the internal network through removable media. This article explains how to block USB access for all users and allow it only for specific admin users. The methods used in this article are applied via Group Policy. Pre-requisite: Domain Controllers on Windows Server 2008 or higher.

Let’s assume that we want to apply the policy to OU named Workstations. Firstly, we need to create a new Group Policy from the management console (gpmc.msc). Right-click on OU Workstations and select Create a GPO in this domain and Link it here.

Right click the Disable USB GPO and choose Edit.

Removable devices can be blocked either in user context or computer context of the GPO:

  1. User Configuration -> Policies -> Administrative Templates -> System -> Removable Storage Access. (OR)

  2. Computer Configuration -> Policies -> Administrative Templates -> System -> Removable Storage Access.

Note: If you configure the Removable Storage Access policies under Computer Configuration, they apply to all machines the GPO is linked to, regardless of who logs on; if you configure them under User Configuration, they apply to all users the GPO targets, regardless of which machine they log on to. In an environment where users log on to any machine (roaming), applying the policy under user context is the best method to block USB. The caveat of user context is that any user who has admin permissions (power users, administrators) can override the settings applied by the GPO.

Enable the setting All Removable Storage Classes: Deny all access

Now that the setting is applied, if any USB device is connected you will get the below error message.

Now, as mentioned earlier in this post, if a user has admin rights, he/she can launch Local Group Policy (gpedit.msc) and allow Removable Devices under Computer Configuration, which will override the user context settings we applied above. It is recommended that you block access to gpedit.msc and also modify the permissions for the USBSTOR key in the registry so that users cannot tamper with and override any settings applied by IT admins.

Block gpedit.msc for users (with admin permissions)

In the same Workstations OU create another GPO and browse to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Management Console > Group Policy and disable the Group Policy Object Editor.

Now select the Delegation tab for the Disable USB GPO and, for Domain Admins, set the Apply Group Policy permission to Deny. This will ensure that Domain Admins are not affected by the USB block. If you need to allow USB for a set of users/admins, put them into a security group and add that group to the Delegation tab of the Disable USB GPO with the Apply Group Policy permission set to Deny.

Once gpedit.msc is blocked, users will not be able to open it even though they have admin access; only the Domain Admins, or members of any other specific group you denied the Apply Group Policy permission, will still have access.

Message when blocked by GPO

Block access to the USBSTOR key

To change the permissions for the USBSTOR key and prevent users from modifying its values, here's what you need to do:

  1. Edit the Group policy object where you want to configure the settings

  2. Navigate to Computer Configuration > Policies > Windows Settings > Security settings.

  3. Right-click Registry and select Add Key

  4. Browse down to windows\system32\usbstor key and click OK

  5. You will now be prompted with the security tab; make the desired changes (deny access for the SYSTEM account and allow only Domain Admins or any other specific group you would like to allow) and click OK.

  6. Select if you want the permissions to be inheritable or not and click OK

By following the methods mentioned above you can implement a USB lockdown based on user context.
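The following PowerShell script is an added example, not part of the original post: it audits a workstation for the Deny_All value that the "All Removable Storage Classes: Deny all access" setting writes under the RemovableStorageDevices policy key in HKCU (user context) and HKLM (computer context), and flags the caveat described above, namely a user-context block on a machine where the current user is a local administrator. The policy key path and value name are assumptions based on the standard Administrative Template for this setting.

```powershell
# Added example (not from the original post): audit the effective state of the
# "All Removable Storage Classes: Deny all access" policy on this workstation.
# Assumption: the setting writes Deny_All=1 under this policy key in HKCU
# (User Configuration) or HKLM (Computer Configuration).
$PolicyPath = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-RemovableStorageDenyAll {
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive)
    $key = "${Hive}:\$PolicyPath"
    if (-not (Test-Path -Path $key)) { return $null }
    # Returns $null if the key exists but Deny_All was never written.
    return (Get-ItemProperty -Path $key -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
}

function Test-CurrentUserIsLocalAdmin {
    # Check membership of BUILTIN\Administrators (S-1-5-32-544) via the token's
    # group SIDs rather than IsInRole(), so the answer is the same whether or
    # not the current PowerShell session is UAC-elevated.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = $identity.Groups | ForEach-Object { $_.Value }
    return ($sids -contains 'S-1-5-32-544')
}

function Get-UsbLockdownReport {
    $user     = Get-RemovableStorageDenyAll -Hive 'HKCU'
    $computer = Get-RemovableStorageDenyAll -Hive 'HKLM'
    $isAdmin  = Test-CurrentUserIsLocalAdmin

    $blocked = ($user -eq 1) -or ($computer -eq 1)
    # A user-context deny with no computer-context deny is exactly the case the
    # post warns about: a local admin can reverse it in gpedit.msc or the registry
    # unless gpedit.msc and the USBSTOR key have been locked down as well.
    $overridable = ($user -eq 1) -and ($computer -ne 1) -and $isAdmin

    [pscustomobject]@{
        UserContextDenyAll      = $user
        ComputerContextDenyAll  = $computer
        CurrentUserIsLocalAdmin = $isAdmin
        RemovableStorageBlocked = $blocked
        BlockOverridableByUser  = $overridable
    }
}

Get-UsbLockdownReport | Format-List
```

Run it as the user being audited after a gpupdate; a report with RemovableStorageBlocked true but BlockOverridableByUser also true means the gpedit.msc and USBSTOR hardening steps above are still needed on that machine.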
