How to use Group Policy to deny executing, writing and/or reading on removable disks

Removable memory sticks are the back door for data in any organisation. BitLocker to Go can go some way to controlling this vector; however, you might want to simply close off all access to removable drives for all your users. So if you are running Windows 7 you will be glad to know there are a heap of Windows 7 GPO settings that allow you to control access to your removable devices.

Even better, there is a deny execute access policy setting that prevents your users from running BYO applications such as Firefox Portable, and even some malicious software, via USB sticks.


While most of the device types seem obvious, the WPD Devices setting allows you to control access “to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices.”

You can even configure the “Time (in seconds) to force reboot” setting, which will enforce the change once it is applied to the computer.

These policy settings can be found under Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access.
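
To confirm on a client that these settings have actually been applied, the following added example (not part of the original article) reads the policy values back from the registry and reports the deny state per device class. The registry path, class GUIDs and value names are the ones these Administrative Templates settings write to; they are supplied here as known Windows values, not taken from the article, and the function names are hypothetical.

```powershell
# Added example: list the Removable Storage Access deny policies applied to
# this computer. Written to run on PowerShell 2.0 (Windows 7) and later.
# Registry location and device class GUIDs are supplied by this example.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

$classes = @(
    @{ Name = 'Removable Disks'; Guid = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' },
    @{ Name = 'CD and DVD';      Guid = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}' },
    @{ Name = 'Floppy Drives';   Guid = '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}' },
    @{ Name = 'Tape Drives';     Guid = '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}' },
    @{ Name = 'WPD Devices (1)'; Guid = '{6AC27878-A6FA-4155-BA85-F98F491D4F33}' },
    @{ Name = 'WPD Devices (2)'; Guid = '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}' }
)

function Get-DenyState {
    param([string]$Path, [string]$Name)
    # A missing key or value means the policy is Not Configured for this class.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    # 1 = policy Enabled (access denied); 0 = policy explicitly Disabled.
    if ($item.$Name -eq 1) { return 'Deny' }
    return 'Disabled'
}

function Get-RemovableStoragePolicy {
    foreach ($c in $classes) {
        $key = Join-Path $base $c.Guid
        New-Object PSObject -Property @{
            DeviceClass = $c.Name
            Read        = Get-DenyState $key 'Deny_Read'
            Write       = Get-DenyState $key 'Deny_Write'
            # WPD devices have no execute setting, so this stays NotConfigured.
            Execute     = Get-DenyState $key 'Deny_Execute'
        }
    }
}

# "All Removable Storage classes: Deny all access" takes precedence over the
# per-class settings, so report it first.
"All Removable Storage classes, deny all access: $(Get-DenyState $base 'Deny_All')"
Get-RemovableStoragePolicy |
    Select-Object DeviceClass, Read, Write, Execute |
    Format-Table -AutoSize
```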

It's the best thing to control access to USB storage devices since the invention of the hot glue gun…

Author: Alan Burchill

Microsoft MVP (Group Policy)
