How to Block USB drives with Group Policy

It is an endpoint security best practice for an organization to control the USB and other endpoint devices used within its boundaries. This ensures that company information is not loosely handled and that the organization is compliant with any legislation and regulations. USBs are prevalent in the office, and employees can easily copy company files onto their own devices.

Employees can be negligent and lose a device with company information on it, which can become dangerous for the organization if it falls into the wrong hands. Overall, USB devices pose a real security threat to a company.

There are two ways an organization can disable USB devices – using group policy with a domain controller or by using endpoint protection software. The latter is a more favorable solution due to some disadvantages of Group Policy Objects.

In this article, we will discuss how to use Group Policy Objects to disable USB and its disadvantages, as well as an alternative solution using endpoint protection software.

Creating a Group Policy to disable USB

Create a group policy object to store the policy you wish to impose in your domain.

  1. Launch the Group Policy Management tool on the domain controller
  2. Right-click Group Policy Objects, click New
  3. Enter a name for the GPO and click OK
  4. Right-click the policy and click Edit.

    Adding Policies to the Group Policy Object
  5. Group Policy Management Editor
  6. Navigate to Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access
  7. Right-click on All Removable Storage classes: Deny all access, click Edit.
  8. Click Enabled and click Apply and then OK

    Linking the Group Policy Object
  9. Right-click on the OU
  10. Click Link an Existing GPO
  11. Select the GPO you created and click OK

    Updating the Group Policy
  12. The last step is to update the group policy using the command line gpupdate /force.
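The same procedure can be scripted with the GroupPolicy PowerShell module and then checked on a client. This is an added example, not part of the original article or any vendor tooling. The GPO name and OU path are placeholders. The registry key and the Deny_All value are the ones the "All Removable Storage classes: Deny all access" template setting writes.

```powershell
#Requires -Modules GroupPolicy
# Added example. Run the first part on a domain controller or an admin
# workstation with RSAT installed. The names below are placeholders.
$GpoName  = 'Block-Removable-Storage'              # hypothetical GPO name
$TargetOu = 'OU=Workstations,DC=example,DC=com'    # hypothetical OU path
$Key      = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Steps 1-4: create the GPO only if it does not already exist.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Deny all removable storage access'
}

# Steps 5-8: enable "All Removable Storage classes: Deny all access".
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'Deny_All' `
    -Type DWord -Value 1 | Out-Null

# Steps 9-11: link the GPO to the OU unless a link is already present.
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if (-not ($links | Where-Object DisplayName -eq $GpoName)) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Confirm what the GPO now contains.
Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'Deny_All'

# Step 12 and verification: run this function on a client in the OU,
# in an elevated session, after the policy has had a chance to refresh.
function Test-UsbDenyAll {
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $item = Get-ItemProperty -Path $path -Name 'Deny_All' -ErrorAction SilentlyContinue
    # True only when the policy value is present and set to 1.
    return ($null -ne $item -and $item.Deny_All -eq 1)
}

# On the client:
#   gpupdate /force
#   if (-not (Test-UsbDenyAll)) { Write-Warning 'Deny_All policy is not applied' }
```

Running Test-UsbDenyAll on a schedule and alerting when it returns False also gives a simple check for the local policy tampering described under the third disadvantage below.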

3 Disadvantages of using Group Policy to Block USBs

Although applying group policies is a useful way to control the usage of USB storage devices in an organization, there are disadvantages that should not go unnoticed. Here are some of the pitfalls of using GPOs that you should consider before depending on them for data security in your organization.

1. Complex to set up

The Group Policy Object editor can be very complex from a user interface perspective. Navigating and understanding all the functionalities of the editor is not quite intuitive. From an organizational standpoint, the knowledge and expertise to administer and modify USB restriction policies in your network might not be readily available. Additionally, applying different USB restrictions to different departments and users in your organization can get complicated, and such changes can be difficult to track.

2. Bog down Network Traffic

Group Policy Objects have mandatory updates that occur between every 1 to 2 hours or when a PC is rebooted. You can modify the periodic updates from every 0 minutes to 45 days. If you adjust the GPOs to have these updates occur every second, all the computers within your network will attempt to update the GPO every 7 seconds. This will affect your network with an abundance of traffic which could hinder network performance.

3. Vulnerable to Hackers

Group Policy Object editor can be maliciously modified by an attacker if there is an infected and infiltrated computer within your network. Once an attacker has infiltrated your network, they might try to thwart security by changing local group policy objects on the infiltrated computer. One example is taking over a locked local Administrator account on an infected computer by modifying the Group Policy Object. An attacker can also enable less secure and vulnerable network protocols through a Group Policy Object, allowing other users to access their USB devices.

Alternative Solution:

AccessPatrol – Endpoint Protection Software 

Although Group Policy Objects are a readily available solution to block USB connections and prevent data loss in your organization, they are not the most intuitive and effective method.

AccessPatrol is an endpoint protection software that is a more reliable solution for data loss prevention than Group Policy Objects. Considering the number of data breaches that have occurred in the U.S. alone (1,244 in 2018), many organizations, both public and private, small and big, have invested in endpoint protection software such as AccessPatrol.

How to use AccessPatrol to Block USBs

  1. Install the CurrentWare Console by running the CurrentWare.exe file and select AccessPatrol
  2. Install the CurrentWare Client agents on your employees’ computers by either using the cwClientSetup.exe file to install the CurrentWare Client locally or by deploying the client using Remote Client Install or Active Directory.
  3. On the CurrentWare console select the folder/group of your computers.
  4. Go to Device Blocking, choose the devices to restrict, and click No Access.

For more information view our AccessPatrol user guide here

Advantages of AccessPatrol

As mentioned above, Group Policy Objects have many disadvantages that make endpoint protection software such as AccessPatrol more favorable than Group Policy Objects when it comes to USB blocking and data protection. 

Intuitive Data Loss Solution

Navigating through AccessPatrol and applying device restrictions on computers in your network is very simple. You can easily apply different restrictions on a computer-basis or user-basis, allowing you to have different departments with different levels of access to USB devices.

Minimal technical expertise is required to implement this software and apply restriction policies within your organization. There is also a technical support team that can assist with any issues or inquiries on the software.

Instant Policy Updates

Updating your levels of access on USB and other endpoint devices within your organization using AccessPatrol occurs instantaneously. This becomes quite useful in cases where exceptions are needed and need to be made immediately. Unlike Group Policy Objects, you do not have to wait for updates to occur and do not have to worry about network traffic.

Securely Protect your Organization

AccessPatrol is a secure solution that uses an agent that is installed in computers within your organization. This agent applies the endpoint device restriction policies to the computers in your network.

This agent is securely placed in whatever computer it is installed in and it is difficult to remove from an end-user standpoint.

Andy Phan
Technical Specialist at CurrentWare - Fitness and Technology enthusiast, amateur volleyball player.