Thursday, April 25, 2013

Blocking USB Devices and Removable Media through User based GPO


  I have seen many people asking how to block the use of USB memory sticks so people can't use them to transfer files on or off of a PC. This how-to will give you a simple, effective and free way to block these, as well as other forms of removable media, on a Windows computer.
Create a GPO
The first step is to open Group Policy Management and create a new GPO.
I typically like to create 2 GPOs: one for blocking read access and one for blocking write access.
By creating 2 separate policies I can apply each individually, so I can allow read access for certain groups of users while blocking write access, and I can apply both policies to other groups so I can block all access.
The policy we are about to create is user based. This means that it will apply to the users and not the computer, so we can block access as needed for normal users on a computer while still allowing access for other users, like say IT (ourselves), so we can still do our thing without any issues.
These policies apply to all forms of removable media, not just USB-based media. Therefore you can use them to block other media access, such as CD and DVD access, as well.
Set the Desired Policy Items
In your GPO browse to the following location.
User Configuration >> Policies >> Administrative Templates >> System >> Removable Storage Access
If you look through the list of options you will see 2 choices for each media type. One choice, when enabled, blocks write access and the other blocks read access.
In my attached image I show an example of blocking all read access.
Therefore, to block read access to each of these media types, simply enable the deny read access item for each.
If you want to block write access, enable the deny write access options.
If you want to block both, then enable both options.
It's really that simple.
----------------------------------------------------------------
Note:
For some reason digital cameras require both read and write access. So if you have users that need access to a digital camera directly through the camera's USB connection, they will need read and write access, even if all they want to do is read files from the camera. However, if you remove the memory card from the camera and read it with a memory card reader, it only needs read access as expected.
Apply the GPO
Now that you have created your GPO (or policies, if you want more granular control like I did), all that you need to do is apply the GPO to the users you wish to restrict removable media for by assigning it to the correct OUs.
Once applied, simply wait for the policy to update on the user's computer, or run "gpupdate /force" to speed things up, and test it out.
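The same steps scripted with the GroupPolicy PowerShell module, as an added example that is not part of the original post. The GPO names and OU paths are placeholders, and the registry keys are the per-user values the Removable Storage Access templates write for each device class; check the generated reports against the policy editor before relying on them.

```powershell
#Requires -Modules GroupPolicy
# Added example. GPO names and OU paths are placeholders for your own domain.

# Per-user policy branch written by the Removable Storage Access templates.
$base = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device-class subkeys; each holds a Deny_Read and/or Deny_Write DWORD.
$classes = [ordered]@{
    'Removable Disks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    'CD and DVD'      = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    'Floppy Drives'   = '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}'
    'Tape Drives'     = '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}'
    'WPD Devices (1)' = '{6AC27878-A6FA-4155-BA85-F98F491D4F33}'
    'WPD Devices (2)' = '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}'
}

function New-RemovableMediaGpo {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Deny_Read', 'Deny_Write')][string]$ValueName
    )
    $gpo = New-GPO -Name $Name -Comment "Removable media: $ValueName (user policy)"
    foreach ($guid in $classes.Values) {
        Set-GPRegistryValue -Guid $gpo.Id -Key "$base\$guid" `
            -ValueName $ValueName -Type DWord -Value 1 | Out-Null
    }
    # Only user settings are defined, so skip computer-side processing.
    $gpo.GpoStatus = 'ComputerSettingsDisabled'
    $gpo
}

# Two separate GPOs, one per direction, so each can be linked on its own.
$denyRead  = New-RemovableMediaGpo -Name 'USR-RemovableMedia-DenyRead'  -ValueName Deny_Read
$denyWrite = New-RemovableMediaGpo -Name 'USR-RemovableMedia-DenyWrite' -ValueName Deny_Write

# Read-only users get the write block only; fully blocked users get both.
New-GPLink -Guid $denyWrite.Id -Target 'OU=ReadOnlyMedia,OU=Staff,DC=example,DC=com'
New-GPLink -Guid $denyWrite.Id -Target 'OU=NoMedia,OU=Staff,DC=example,DC=com'
New-GPLink -Guid $denyRead.Id  -Target 'OU=NoMedia,OU=Staff,DC=example,DC=com'

# Export reports to review the configured settings before users pick them up.
Get-GPOReport -Guid $denyRead.Id  -ReportType Html -Path .\DenyRead.html
Get-GPOReport -Guid $denyWrite.Id -ReportType Html -Path .\DenyWrite.html
```

IT accounts stay unaffected as long as they live outside the linked OUs; running "gpresult /r" as a test user shows which of the two GPOs actually applied.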
Conclusion
This is a simple and reliable way to control user access to removable media, with the bonus of still being able to allow yourself or other special users of your choice to use that same removable media.
