Thursday, September 13, 2012

Disable/Prevent USB Storage Device Access in Windows


Restricting access to removable devices may be necessary, mainly for security reasons. By restricting the USB ports you can make sure that the contents of your computer remain safe from unauthorized access. USB thumb drives are also a major source of viruses. You can restrict access in any of the following ways.

1. Using Registry Editor (regedit)
If the USB storage device is already installed on the system:
Type regedit in the Run dialog box and press Enter. Now go to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
In the right-side pane, change the value of "Start" to 4.
Now, whenever a user attaches a USB storage device that is already installed on the system, Windows will not detect it and it will not be shown in My Computer.

2. Using Windows System File (C:\Windows)
If the USB storage device is not installed on the system:
In a number of environments users should not be able to mount any local removable storage. While Group Policy is typically the best way to keep users from mounting such storage, you can also do so without assigning GPOs. Simply set the permissions on the following files to Deny (assuming your C:\Windows directory = %SystemRoot%):
C:\Windows\Inf\Usbstor.pnf
C:\Windows\Inf\Usbstor.inf
You may also need to add the System account to the Deny list for those files, but in my experience you don’t always need to do so.
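
The following PowerShell function is an added example, not part of the original post: it reports whether methods 1 and 2 above are in effect on a machine, and with -Apply it sets the UsbStor "Start" value to 4. The function name Test-UsbStorageLockdown is hypothetical, and the script assumes it is run from an elevated prompt.

```powershell
# Added example: audit (and optionally apply) methods 1 and 2 from this post.
# Test-UsbStorageLockdown is a hypothetical name; run elevated.
function Test-UsbStorageLockdown {
    param([switch]$Apply)   # without -Apply the function only reports

    $svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
    $infFiles = 'Usbstor.inf', 'Usbstor.pnf' |
        ForEach-Object { Join-Path $env:SystemRoot "Inf\$_" }

    # Method 1: read the driver's Start value (the post sets it to 4)
    $start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
    if ($Apply -and $null -ne $start -and $start -ne 4) {
        Set-ItemProperty -Path $svcKey -Name Start -Value 4 -Type DWord
        $start = (Get-ItemProperty -Path $svcKey -Name Start).Start
    }
    [pscustomobject]@{
        Check  = 'UsbStor Start'
        Target = $svcKey
        State  = if ($null -eq $start) { 'key or value missing' } else { "Start=$start" }
        Locked = ($start -eq 4)
    }

    # Method 2: list the accounts that have a Deny entry on each driver file
    foreach ($file in $infFiles) {
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ Check = 'INF ACL'; Target = $file
                               State = 'file not present'; Locked = $false }
            continue
        }
        $denied = (Get-Acl -LiteralPath $file).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique
        [pscustomobject]@{
            Check  = 'INF ACL'
            Target = $file
            State  = if ($denied) { 'Deny for: ' + ($denied -join ', ') } else { 'no Deny entries' }
            Locked = [bool]$denied
        }
    }
}

Test-UsbStorageLockdown | Format-Table -AutoSize
```

Running it on a schedule and alerting when Locked turns False is a simple way to notice when either setting has been reverted.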

3. Using Group Policy Editor (gpedit.msc)
This method works for both installed and not-yet-installed devices.
The following procedure describes how to disable access to USB storage devices through Group Policy Editor.
First go to the following location:
Computer Configuration -> Administrative Templates -> System -> Removable Storage Access
and enable the options below:
Custom Classes: Deny read access
Custom Classes: Deny write access
Removable Disks: Deny execute access
Removable Disks: Deny read access
Removable Disks: Deny write access
All Removable Storage Classes: Deny all access
All Removable Storage Classes: Allow direct access in remote sessions  (DISABLE THIS OPTION)
WPD Devices: Deny read access
WPD Devices: Deny write access

The above procedure prevents access to removable devices but does not prevent their installation. To prevent installation as well, apply the next procedure.
Now go to the following location:
Computer Configuration -> Administrative Templates -> System -> Device Installation -> Device Installation Restrictions
and enable the following options:
Prevent installation of removable devices
Display a custom message when installation is prevented by a policy setting (set the message to 'Restricted by Policy')

For more info read the following articles
