Need to block USB devices? In this article you will learn how to block USB drives with Active Directory Group Policy Objects (GPO). We will also compare using a GPO vs dedicated device control software for enforcing your removable media control policies.
AccessPatrol is a device control software solution for preventing data loss to portable storage devices. In this video CurrentWare’s managing director Neel Lukka provides an overview of the features available in AccessPatrol.
🔒 Block USB flash drives, external hard drives, and other peripheral devices
🔒 Monitor USB activities including file transfers and what devices have been used
🔒 Get DLP alerts sent to your inbox when high-risk USB activities occur
AccessPatrol’s security policies are enforced by a software agent that is installed on your employees’ computers. This keeps devices restricted and monitored even when the computers are taken off of the network.
AccessPatrol can block or limit the use of more than just USB storage devices. For full USB control, device permissions can be easily configured based on computer, user, or workgroup.
|Device Class||Devices||Access Permissions|
|Storage Devices||USB||Full / Read only / No access|
|Storage Devices||DVD / CD||Full / Read only / No access|
|Storage Devices||Floppy||Full / Read only / No access|
|Storage Devices||Tape||Full / Read only / No access|
|Storage Devices||External Hard drive||Full / Read only / No access|
|Storage Devices||Firewire||Full / Read only / No access|
|Storage Devices||SD Card||Full / Read only / No access|
|Storage Devices||MM Card||Full / Read only / No access|
|Wireless Devices||Bluetooth||Full / No access|
|Wireless Devices||Infrared||Full / No access|
|Wireless Devices||Wifi||Full / No access|
|Communication Ports||Serial||Full / No access|
|Communication Ports||Parallel||Full / No access|
|Imaging Devices||Scanners||Full / No access|
|Imaging Devices||Cameras, Webcams & Others||Full / No access|
|Others||Printers||Full / No access|
|Others||USB Ethernet Adapter||Full / No access|
|Others||Sound Cards||Full / No access|
|Others||Portable Devices (iPhones, Mobiles)||Full / No access|
|Others||Network Share||Full / No access|
With AccessPatrol, blocking USB devices is as simple as a few clicks.
Create a group policy object to store the policy you wish to impose in your domain.
With AccessPatrol, blocking specific USB devices is as simple as a few clicks.
With AccessPatrol’s Allowed List you can block USB devices and other peripherals while allowing specific authorized removable media devices.
Administrators can use AccessPatrol’s Device Allowed List to establish a list of devices that their end-users can use on company devices, even when USB ports are disabled.
You can choose to allow devices by the following identifiers:
Device whitelisting is configured on a per-folder basis. Devices that are added to the allowed list for a given folder will apply to any computers that are in the specified folder. AccessPatrol’s allowed list supports USBs, External Hard drives, Imaging devices, and portable devices.
Note: Allowing a device by serial number is fully compatible with Windows 10. For Windows 7 or 8, some newer models of USB devices may not support this feature. Instead of allowing by serial number, it will allow all devices from the same vendor and model.
NOTE: This feature doesn’t work in N editions of Windows 10 Pro.
AccessPatrol allows you to prevent specific files from being transferred to external devices based on their filename or file extension.
This feature is not available in Group Policy.
Microsoft has released instructions on how to monitor the use of removable storage devices with Group Policy.
If you configure this policy setting, an audit event is generated each time a user attempts to copy, move, or save a resource to a removable storage device.
Auditing USB device usage in this way involves manually combing through event logs in search of specific event IDs, such as event 4663, which logs successful attempts to write to or read from a removable storage device.
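A query that pulls these events instead of reading the log by hand, shown as an added example (it is not part of Microsoft's instructions or of AccessPatrol). The seven-day window is an assumption, and the task-category filter matches the English display name.

```powershell
# Added example: summarize removable-storage audit events (ID 4663) from the Security log.
# Run elevated on a machine where the "Audit Removable Storage" policy is enabled.
$since = (Get-Date).AddDays(-7)   # assumed review window

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskDisplayName -eq 'Removable Storage' }  # category name on English systems

$rows = foreach ($e in $events) {
    # Event fields are exposed as named <Data> elements in the event XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    $mask = [Convert]::ToInt32($data['AccessMask'], 16)
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Process     = $data['ProcessName']
        Object      = $data['ObjectName']
        Write       = [bool]($mask -band 0x2)   # 0x2 = WriteData / AddFile
        Read        = [bool]($mask -band 0x1)   # 0x1 = ReadData / ListDirectory
    }
}

# Who wrote to removable media most often in the window.
$rows | Where-Object Write |
    Group-Object User |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Chronological detail of each write, for follow-up.
$rows | Where-Object Write |
    Sort-Object TimeCreated |
    Format-Table -AutoSize TimeCreated, User, Process, Object
```

The script reads only the local Security log; to cover several machines, run it against forwarded events on a collector.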
AccessPatrol can grant temporary access to blocked devices using its access code generator.
Administrators and authorized managers can use the generator to produce a single-use code that provides users with a set duration where the computer’s USB ports are no longer disabled by AccessPatrol.
The access code is unique to each computer that you generate it for, and the computers do not need to be connected to the internet to use it. So long as the CurrentWare client is installed on the employee’s computer, they can be provided with temporary access to USB devices.
Group Policy does not support temporarily bypassing GPOs for a set period of time.
To temporarily allow access to USB devices you will need to manually disable the GPO and manually re-enable it when the end-user no longer requires access to USB devices.
To do this, open the Group Policy Management Console (GPMC), right-click the USB blocking GPO under the OU and uncheck the option “Link Enabled”.
To re-enable the GPO, simply repeat the process and recheck “Link Enabled”.
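The same toggle scripted so the link is always turned back on, as an added example that is not from the original article. The GPO name, OU and 30-minute window are hypothetical placeholders.

```powershell
# Added example: time-boxed disable of a USB-blocking GPO link, re-enabled automatically.
# Requires the GroupPolicy module (RSAT) and rights to modify links on the target OU.
Import-Module GroupPolicy

$GpoName  = 'Block USB Storage'                  # hypothetical GPO name
$TargetOu = 'OU=Workstations,DC=example,DC=com'  # hypothetical OU
$Minutes  = 30                                   # assumed access window

try {
    Set-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled No -ErrorAction Stop | Out-Null
    Write-Host "Link disabled at $(Get-Date -Format s); this affects every computer in $TargetOu."
    Start-Sleep -Seconds ($Minutes * 60)
}
finally {
    # Runs even if the script is interrupted, so the block is not left off by accident.
    Set-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
    Write-Host "Link re-enabled at $(Get-Date -Format s)."
}

# Confirm the final state of the link.
(Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object DisplayName -eq $GpoName |
    Select-Object DisplayName, Enabled, Enforced, Order
```

Clients pick up either change only at their next Group Policy refresh, so run `gpupdate /force` on the affected computer after each step if the window needs to start and end promptly.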
Although applying group policies is a viable way to control the use of USB storage devices in an organization, there are disadvantages that should not go unnoticed. Here are some of the pitfalls of using GPOs that you will want to consider before depending on them for data security in your organization.
Using the Group Policy Object Editor to manage USB security policies can be overwhelming for those without a background in Active Directory and Group Policy management. From an organizational standpoint, the time and expertise needed to administer and modify USB restriction policies in this way might not be readily available. The complexity of GPOs is further compounded when it comes to applying unique USB restrictions to different departments, computers, and users in your organization.
With AccessPatrol, blocking USB devices is as easy as a few clicks. The time savings from not having to manually create and manage GPOs allows IT pros to focus their time on higher value tasks. Should USB restriction policies need an update, the task can be readily delegated to someone with access to an authorized (and uniquely restricted) Operator account.
Group Policy Objects have mandatory updates that regularly occur at a set interval or when a PC is rebooted. You can modify the length of time between updates; however, misconfigurations will bog down your network with an abundance of traffic.
With CurrentWare’s lightweight server and client your AccessPatrol USB security policies will seamlessly update without hogging bandwidth and system resources.
Group Policy only supports domain-joined machines in a traditional Active Directory environment. In mixed environments where IT pros need to manage both domain-joined and non-domain-joined machines, having AccessPatrol as a dedicated USB control software provides critical security controls for all of their managed devices.
Ready to take back control over USB device usage in your organization? Get started today with a FREE trial of AccessPatrol, CurrentWare’s device control software.