How to Disable USB Ports & Block USB Mass Storage Devices

A 32 gigabyte USB flash drive sitting on top of a computer keyboard

Want to control the use of unauthorized USB devices in your network? In this guide you will learn how to disable USB ports with three different methods: Using dedicated device control software to disable USB ports, Windows Device Manager, and Group Policies through Active Directory.

With these USB drive blocking methods you’ll be able to disable USB ports in Windows 10, Windows 7, and other Windows operating systems.

AccessPatrol is a device control software solution that protects sensitive data against theft to portable storage devices.

AccessPatrol keeps data secure by…

Preventing users from stealing data or transferring malicious files with easily concealed USB flash drives
Maintaining auditable records of file transfers to portable storage devices, and…
Triggering real-time alerts when security policies are violated

AccessPatrol’s central console allows you to apply security policies and run reports on your user’s USB activities from the convenience of a web browser.

The security policies are enforced by a software agent that is installed on your user’s computers. This keeps devices restricted and monitored even when the computers are taken off of the network.

Here’s an overview of AccessPatrol’s key features.

Under Device Permissions you can assign unique device control policies for specific groups of computers or users.

AccessPatrol controls a variety of peripherals, including…

Storage devices such as USB flash drives and external hard drives
Wireless Devices such as Bluetooth, Infrared, and WiFi
Communication Ports such as Serial and Parallel ports
Imaging Devices such as Scanners or Cameras, and…
Other Devices such as network share drives, printers, and mobile phones

Under the allowed list you can specify trusted devices that can be used on your computers.

If you need to temporarily lift device restrictions for devices that aren’t on the allowed list, you can use the access code generator.

This allows you to set a time-limited policy exemption for a specific computer. The access code generator does not require internet access to work, making it the ideal solution for travelling users and other special circumstances.

To further protect sensitive data, AccessPatrol allows you to block file transfers based on file names and extensions. This ensures that even allowed devices can’t transfer sensitive data.

AccessPatrol also includes a variety of USB activity reports to help organizations audit data transfers and peripheral device use.

These reports provide insight into…

All files that have been copied, created, renamed, or deleted on USB storage devices, and…
A timestamped device history for each user, including attempts to use blocked devices

AccessPatrol’s reports can be generated on-demand, on a set schedule, or automatically sent to your inbox to alert you of specific events.

Don’t let a preventable data leak ruin your organization. Take back control over portable storage devices with a free trial of AccessPatrol.

Get started today by visiting CurrentWare.com/Download

If you have any questions during your evaluation our technical support team is available to help you over a phone call, live chat, or email.

Thank you!

Get My Free Trial

Learn More

Table of Contents

Click to Show / Collapse

Why Disable USB Ports?
How to Block USB Storage Devices With AccessPatrol

Devices That Can Be Controlled With AccessPatrol
How to Prevent Specific Files From Being Transferred to External Devices
Disable USB Ports For Mass Storage Devices Only
How To Whitelist A Specific USB Device

How to Use the Device Manager to Disable USB Ports
How to Disable USB Ports Using Group Policy
Conclusion

Why Disable USB Ports?

Prevent Data Theft

Your employees have intimate access to corporate data and knowledge of internal systems. Without proper access control measures stealing data is as simple as transferring it to a portable mass storage device such as a USB flash drive.

Flash drives are capable of storing greater than 1TB of data, which is more than sufficient for exfiltrating databases, spreadsheets, design files, and any other intellectual property that needs to be protected.

One use of Data Loss Prevention (DLP) software is blocking the copying of files to a USB flash drive. This prevents employees from using their privileged position to steal sensitive information such as trade secrets and personally identifiable information.

data theft prevention - a guide to offboarding employees - CurrentWare

The employee offboarding process presents significant data security risks. Employees have intimate access to corporate data, insider knowledge of the organization’s systems, and a level of trust that can allow them to steal data undetected.

70% of intellectual property theft occurs within the 90 days before an employee’s resignation announcement
88% of IT workers have stated that they would take sensitive data with them if they were fired
72% of CEOs admit they’ve taken valuable intellectual property (IP) from a former employer
50% of respondents in a Symantec survey say they have taken information, and 40% say they will use it in their new jobs

These vulnerabilities need to be addressed as part of any insider threat management program. Click the button below to learn the best practices for protecting data during a termination and gain access to a downloadable IT offboarding checklist.

Gain Access Now

Protect Endpoints Against USB Malware

USB devices can unknowingly infect company computers with ransomware and other malicious software. Disabling USB ports protects endpoints against rogue USB devices by proactively preventing the transmission of malicious files.

How to Monitor USB Activities

Hey everyone, this is Dale here. I am the Digital Marketing Manager for CurrentWare.

In today’s video, I’d like to show off the new USB activity dashboards introduced to AccessPatrol in version 7.0.

These dashboards provide a convenient overview of the peripheral device usage of your entire workforce as well as specific groups or users—all from the convenience of a web browser.

They work in tandem with AccessPatrol’s device control features and USB activity reports to protect sensitive data against the security risks of portable storage devices.

Today’s video is just a sneak peek of what AccessPatrol is capable of; as time goes on you can expect to see further enhancements and data points added to these dashboards.

At this time, AccessPatrol can track activities from the following peripherals:

Portable storage devices such as USB flash drives, external hard drives, optical discs, tape drives, and SD cards
and Mobile devices including smartphones, PDAs, and tablets

This device usage data is used to populate various graphs across AccessPatrol’s dashboards. You can further refine how granular this data is by limiting the time frame, selecting only specific groups, and even investigating individual users.

Having these metrics available at a glance makes detecting potential insider threats far more efficient as your organization scales.

Any groups or users that need to be reviewed further can be investigated using the more granular dashboards and AccessPatrol’s device activity reports.

For a more proactive approach to insider threat management you can set up targeted alerts that will notify designated staff members when these high-risk activities occur.

For the most up-to-date information on AccessPatrol’s activity tracking and data loss prevention capabilities, visit our knowledge base at CurrentWare.com/Support or visit the AccessPatrol product page at CurrentWare.com/AccessPatrol

In the overview dashboard you can review the following metrics:

File Operations that happened over the selected time period, including the number of files that have been copied/created, the number of files that have been deleted, and the number of files that have been renamed/saved as.
Overall Device Activities, with a breakdown of how many of the peripherals were authorized and how many were blocked from use.
The Top 5 File Types graph shows the most common file types that are copied/created or deleted to and from portable storage devices
The Top 5 Device Types graph shows the most common classes of peripheral devices that are blocked and allowed
The Top 5 Files Operations graph shows which groups or users have the greatest number of files that have been Copied/Created and Deleted to and from portable storage devices
The Top 5 Devices Activities graph shows which groups or users have the greatest number of Blocked and Allowed devices.
And finally, The Activity Log provides access to the raw data, with controls to show and hide certain columns, filter and sort data, conduct searches, and export the data to an Excel spreadsheet or PDF. Each dashboard has their own Activity Log with columns that are relevant to that specific dashboard.

Moving on to the Files Dashboard you will see…

A timeline of file operations that shows the relationship between the various operations over the course of the selected time period. This can be used to search for patterns in anomalous device usage, such as peaks in file transfers outside of regular operating hours.
You will also see graphs with the Top File Types Copied/Created to internal hard drives and external devices
Below that, we have graphs that show the users or groups that have Copied/Created or Deleted the most files
And, just like the overview dashboard, there is an Activity Log with the raw data.

Finally, we have the Devices Dashboard.

In this dashboard, we have…

A device activities graph that shows a timeline with the number of allowed and blocked devices each day. This can be further refined to show an hourly breakdown of a specific day so you can find out what time your users were attempting to use blocked devices.
Next, we have graphs with the users or groups that have the most allowed and blocked devices activity over the selected time period.
Scrolling down to the Activity Log, we can use the sorting controls to take a closer look at the users that have been attempting to use unauthorized peripherals.

As you can see, we have specific users that are repeatedly trying to use devices that have not been approved for use by the organization.

While this could just be an accidental oversight on the user’s part, there’s a risk that it’s something much more serious.

For example, what if this is actually a disgruntled employee trying to steal trade secrets or sensitive customer data so they can bring it to a competitor, or worse, sell it to cybercriminals on the dark web.

Between the costs associated with a damaged reputation, fines, loss of competitive advantage, and remediation, a data breach like this could completely ruin a company.

Before we confront this employee or send them for retraining, let’s investigate this incident further so we can make an informed decision.

Clicking on this user, we’ll be taken to a dashboard that focuses exclusively on their activity.

Looking at the Devices graph we can see that they have made multiple attempts to use blocked devices.

Scrolling down, we can see that they’ve been trying to use unauthorized portable storage devices.

Since AccessPatrol is currently blocking any devices that are not explicitly allowed, I know that the only way sensitive data is leaving through a USB drive is if it’s a device that we’ve allowed before. So, let’s take a closer look at how they’ve been using their approved devices.

As you can see here, the types of files that they are transferring are more than capable of containing sensitive data; let’s take a look at the file names for more details.

With the Activity Log we can use the filters, sorting, and column options to isolate our view to the entries we’re the most interested in.

Once we find something that looks off, we have more than enough information to confront this employee and take any necessary corrective actions.

Ready to protect your sensitive data against theft to USB portable storage devices? Block and monitor peripheral device usage today with a free trial of AccessPatrol, CurrentWare’s USB control software.

Simply visit CurrentWare.com/Download to get started instantly, or get in touch with us at CurrentWare.com/Contact to book a demo with one of our team members. See you next time!

A departing employee was caught stealing classified files! If we didn’t have AccessPatrol we would never have known.

Learn how Viking Yachts protected their intellectual property from a departing employee in our case study

Read Their Story

How to Disable USB Ports With AccessPatrol

Hi this is Dale from the CurrentWare team.

Today I’m going to show you how to get started with implementing your first USB security policies with AccessPatrol.

This video will cover the key features of AccessPatrol, including:

How to configure device restriction policies, such as restricting removable media to trusted devices only
How to apply unique device restrictions to groups of users or computers
How to temporarily bypass device control policies using the device scheduler and access code generator
How to monitor peripheral device usage for high-risk activity using scheduled reports and USB activity alerts
And finally, examples of the peripheral device activity data that AccessPatrol captures

This demo will be using version 7.0.1 so there may be small differences if you are using another version.

Before watching this video you should already have the CurrentWare web console set up, the CurrentWare Clients installed on the computers you would like to manage, and your users or computers placed in their own policy groups.

For more information on installing CurrentWare and setting up your policy groups, please visit the knowledge base at CurrentWare.com/Support.

To start, decide if you will be managing your organization’s USB security policies based on users or computers.

If you select User mode your policies will apply to the users no matter which managed device they log in to; if you select PC mode your policies will apply to a specific computer.

Whichever mode you have selected is the mode that will have its policies active; you cannot operate in PC mode and user mode simultaneously.

If you are using a terminal server to manage your clients you must use AccessPatrol in PC mode.

Alright, let’s get started!

First, I will show you how to block removable media devices using AccessPatrol’s Device Permissions feature.

From the Manage window, click “Device Permissions”
At the top of the Device Permissions window you will see a drop-down menu. From this menu you will select the group of computers or users that you want to apply the device control policy to.
Then, for each peripheral you want to restrict you will press the drop-down menu and select your desired restriction level.

As of version 7.0.1 the following restrictions are available:

For removable media devices you have three options:

Full Access
Read Only
And No Access

For Bluetooth devices you have:

Full Access
Allow Audio Only
And No Access

For everything else you have Full Access and No Access.

With Full Access selected the computer or user group will be allowed to connect that device type
With Read Only selected the group can open files on the device when it is connected to the computer, but they will not be able to perform file transfers and they will not be able to delete or modify files.
With No Access selected the group cannot read or write to that specified device type; instead, depending on your Warning Message settings either nothing will happen or they will receive a warning message.

In this example I will block USB portable storage devices, CDs/DVDs, and floppy disks on the computers used by our Accounting department.

Once you’ve configured your desired device restriction policies for the selected group, press “Apply” to save your changes. Then, press the “X” button in the top-right corner of the Device Permissions window to close the window.

If you’d like to set unique device restriction policies for each group, simply repeat the same process for each of your groups.

If you’d like to use the same device restriction policies for multiple groups, copy group settings by following these steps:

Press on a group of users or computers to highlight them
Press the three dots that appear next to the group name
Select “copy group settings” to bring up the copy group settings window
At the top of this window you will see the source group; this is the group that you will be copying settings from
On the left-hand side of this window you will see the AccessPatrol settings that can be copied to the other groups.
On the right-hand side you will see the groups that you can copy settings to
In this case, if I want to copy the Device Permissions settings from the Accounting group to the Management group I’d set Accounting as the source group, select “Device Blocking” under the “AccessPatrol Setting” pane, select “Management” from the Destination Groups, then press “Copy”.

Be careful when selecting source and destination groups in the Copy Group Settings window; all of the destination group’s previous settings will be overwritten with the selected settings.

Next, I will show you how to allow specific trusted devices while blocking all others using the Allowed List.

This configuration is ideal if you want to prevent unauthorized devices from being used on your computers or if you only want to only allow certain groups to have access to a particular type of device, such as only allowing IT staff to use removable media devices.

To do this:

Select “Allowed List”
Ensure that the “Enable Allowed List” toggle is active
Use the drop-down menu to select the group you’d like to apply the policy to
Press the “Add from Available devices” button.
The Available Device List window will show you all of the applicable devices that have been inserted into any of your managed computers since you’ve installed the CurrentWare Client. You can identify devices based on Vendor ID, serial number, and PNP device ID.
On the left-hand side you will see all of the computers that have had applicable peripherals attached to them. If you’re searching for a device that was used on a specific computer you can narrow down the available device list by only checking that computer.
If you’re searching for a recently attached device you can sort by the last connected date to easily find the device.
Or you can simply use the search bar
In this case I want to allow two specific USB drives for all of my computers. To do this, I select the devices I want to allow from the Available Devices List, press the white drop-down arrow on the “Add to Allow List” button, then I’ll select “Add to Multiple Groups”
From here I’ll select all of the groups that I want to provide access to the specific devices I selected, I’ll press “Add to Allow List”, then I’ll press “Yes” to confirm.
If I only wanted these two devices to be accessible to a single group, all I have to do is press the “Add to Allowed List” button instead and the group I selected at the previous window will have those devices added to their Allowed List

Now that you have your core USB security policies in place, I’ll show you how to use AccessPatrol’s complementary features.

This section will cover:

Using the Access Code Generator to temporarily bypass device restrictions on a specific computer
Using the Device Scheduler to modify device permissions at a set schedule
And using the Block File Transfers feature to prevent specific files and files with specific keywords from being transferred to removable media devices

The Access Code Generator allows administrators to generate a time-limited single use code for a specific computer or user. These codes can be made on-demand or pre-generated for use within 30 days. The temporary access code does not require internet access to use.

The most common uses for the Access Code Generator are:

Temporarily allowing guests to use portable storage devices on a specific computer
Allowing trusted users to bypass USB security policies in a time sensitive situation when a CurrentWare Operator is not available to add new devices to the allow list
And allowing mobile workers to have temporary device access when they are disconnected from the CurrentWare Server and unable to receive new policy updates

If the user has a connection to the CurrentWare Server you will see when their access code is active under the “Devices Blocked” column in the manage window.

To create an access code:

Select an individual user or computer from the list by clicking the left-most box next to their name
Click “Generate Access Code”
Set an expiration date of up to 30 days
Set how many hours the access code will be active for
Then, click the “Generate” button to generate a unique access code
Press the icon next to the access code to copy it to your clipboard, then share it with the user you generated the code for

To use the access code, your user must:

Browse to their Control Panel
Ensure that “View by” is set to Large icons or small icons
Click “Grant Access to Endpoint Devices”
Then, they’ll enter their access code into the window that pops up

Once your user presses the unlock button they will be completely unrestricted by AccessPatrol for the duration that you set when creating the Access Code. During this time you may want to visit that user’s dashboard and monitor them for suspicious activity; I will show you how to do that in another video.

Next, let’s look at the Device Scheduler.

With the Device Scheduler you can modify the device permissions you have set for storage devices based on daily or weekly schedules. Any USB control policies you implement in the Device Scheduler will override the restrictions you placed in the Device Permissions window.

Here are some ways you can use the device scheduler:

Allow devices to be used during work hours only
Block storage peripherals during office hours, but enable them while the office is closed to allow automated local data backups.
Or, in high security environments you can narrow the window of time that portable storage devices can be used to ensure that all use is carried out under supervision

Once you’ve added your desired device schedules, return to the main window and set the toggle for “Enable Device Scheduler” to active.

Next, I’ll show you how to use the Block File Transfers feature to prevent file transfers to and from portable storage devices based on keywords in the file name as well as file extensions.

Here’s how to use the Block File Transfers feature:

Press the icon with the ellipses, then press Block File Transfers
Under “Block File Transfers for”, select the group you want to restrict
Enter the filenames or extensions you want to restrict; for example, adding .pdf will stop PDF files from being transferred to and from USB devices
You can repeat this process manually one at a time for each filename or extension you want to block or you can import a text file that contains each filename or extension listed on its own line.

By selecting “Apply Block File Transfers on Allowed Devices” the Block File Transfers feature can even be used to restrict these data transfers to your trusted devices.

In this next section I will show you how to monitor USB device usage with AccessPatrol’s USB activity reports.

AccessPatrol collects a variety of data points related to peripheral device usage, including:

File Operations such as USB file transfer history
Usage history of allowed vs blocked devices
File types that are copied, created, and deleted through removable media
And what types of peripheral devices are being used

These data points are then used to populate a variety of reports, alerts, and dashboards that IT security teams can use to investigate potential insider threats such as employees transferring sensitive data to removable storage devices.

Having detailed logs of USB activity is essential for regulated organizations that need to ensure that their USB security policy and data loss prevention methods meet their regulatory compliance requirements.

While the best practice is to block all removable media devices and provide a more secure alternative for data transfers, this is not always practical for some organizations. In those cases, a detailed USB activity log is an essential tool for ensuring that employees and contractors are compliant with the organization’s USB security policies.

Allright, let’s get started

First, click on “Device Reports”
Under “Report Type” you can see all of the available report types
- File operations history
- All Devices accessed
- access of allowed devices
- access of blocked devices
- allowed vs denied access
- And top N active machines

For this example we’ll configure a File Operations History report.

By default the report will include all file operations to removable media devices; you can also use the dropdown menus to selectively include only specific file operations.

These file operations are:

Copied files
Created files
Deleted files
Renamed files
And Files that are saved to removable media devices

Next, select the computers or users you’d like to include in the report. You can select individual users or computers from a group, the entire group, or your entire workforce.

You can use these sorting options to choose how you want the data to be sorted in the report.

Next, select the reporting period.

Once you have your settings configured you can save it as a report profile. Report profiles are used to automate scheduled reports that will be sent to an email inbox.

They can also be used to configure all of your settings by selecting the report profile rather than manually adjusting the parameters each time. By default your report profiles will be automatically updated to include new users or computers as they’re added; this can be changed in the AccessPatrol settings menu.

Press the run report button to generate the report. This report can then be saved or printed by using the buttons in the top right corner.

If your reports and dashboards are filled with irrelevant information, you can selectively exclude data about specific devices and file names from these reports using the Exclusion List. The Exclusion List is a global setting that will affect the reports and dashboards for all groups.

Here’s how to use the Exclusion List:

Press the icon with the ellipses then press Exclusion List
From here you can enter the device names and file names you want to exclude from your reports and dashboards; for example, adding .pdf will stop PDF files from being shown in your reports.
You can repeat this process manually one at a time for each filename or extension you want to exclude or you can import a text file that contains each filename or extension listed on its own line. The device and file name exclusions are managed separately so you will need a separate text file for each one.
If you need to bypass your exclusion list you can press the “Show excluded devices in report” checkbox in the device exclusion list and the “Show excluded Files Name in report” checkbox in the File Name exclusion list
If you still want your monitored devices to track events about these excluded devices, be certain to check “Upload excluded Devices from client” in the Device exclusion list and “Upload excluded Files Name from client” in the File Name exclusion list. Otherwise, this data will not be captured.

Next, I’ll show you how to use the report profile we created in the previous steps to automate the generation and delivery of the reports to designated email inboxes. This Email Reports feature is a convenient way to deliver USB activity reports on a regular basis without having to log in to the web console each time.

If you only want to receive a report when specific events occur I will cover that in the next section when I show you the Email Alerts feature.

Before you begin, you will need to configure your email settings by going to settings > Email settings. You can have the email reports and alerts sent through your organization’s email server as well as a variety of web email services such as Gmail.

How you configure email settings will depend on the email server you use. For more details please visit the CurrentWare knowledge base at CurrentWare.com/Support/

Once your email settings are configured, return to AccessPatrol’s manage section and click the Email Reports button. This main screen will show any currently configured email report schedules.

Click the “New Schedule” button to create a new report schedule
Enter the email address of who should receive the report; you can add multiple email addresses separated by commas
Select the report profile you’d like to send, your desired report format, and when you want to send the report.
In this case I will schedule the File Operations History report profile I created earlier to be sent every Monday at 6am. The CurrentWare Suite uses the time zone of the computer or server the CurrentWare web console is hosted on to determine the time.

Next, let’s look at creating email alerts.

Email alerts are similar to email reports except instead of sending reports at a predetermined time AccessPatrol will instead send an alert email when specific parameters are met, such as an employee attempting to insert an unauthorized USB flash drive into a managed computer.

Here at the main screen you will see your currently configured alerts.

To create a new alert:

Hit the New Alert button
Enter a name for your alert and which email addresses it will go to.
Select the group of computers or users you would like to monitor
Select the alert type; you can receive alerts related to USB file operations as well as peripheral devices.
- The file operations alerts can be applied to all files or only files with a specific file extension or file name.
- The device alerts can be set for specific peripheral devices, all devices, unknown devices, devices that are on the allowed list, or blocked devices.
Once you’ve configured the parameters for your email alert you can press “Apply”, then at the next screen press “Save Alert” to activate your alert profile.

That’s it for today’s video. If you have any questions you can reach out to the CurrentWare support team at CurrentWare.com/Contact/ or you can get more information from our self-serve knowledge base at CurrentWare.com/Support/

Get My Free Trial

Learn More

AccessPatrol is a granular and easy-to-use software to disable USB ports in Windows 10, Windows 8, and Windows 7. It allows you to control access to USB devices and other peripherals based on users, computers, workgroups, and domain membership.

This level of control allows you to protect against unauthorized USB devices without blocking the legitimate use of company-controlled peripherals. That way, rather than fully disabling USB ports you can selectively control the USB devices you would like to allow.

It is also a centralized USB blocker software, allowing you to control USB device permissions for thousands of users from a single console. This makes locking USB ports for your entire workforce as easy as a few clicks.

To disable USB ports with AccessPatrol you simply need to install the CurrentWare Console on the Manager’s computer, install the CurrentWare Client on the computers that you would like to disable USB ports on, and return to the CurrentWare Console to assign USB device permissions based on user, endpoint, or workgroup.

Learn how Viking Yachts protected their intellectual property from a departing employee in our case study

Read Their Story

Devices That Can Be Controlled With AccessPatrol

In addition to disabling USB ports, the AccessPatrol endpoint security software can block or limit the use of the following peripheral devices. Endpoint device restrictions can be configured based on computer, user, or workgroup.

Device Class	Devices	Access Permissions
Storage Devices	USB	Full / Read only / No access
	DVD /CD	Full / Read only / No access
	Floppy	Full / Read only / No access
	Tape	Full / Read only / No access
	External Hard drive	Full / Read only / No access
	Firewire	Full / Read only / No access
	SD Card	Full / Read only / No access
	MM Card	Full / Read only / No access
Wireless Devices	Bluetooth	Full / No access
	Infrared	Full / No access
	Wifi	Full / No access
Communication Ports	Serial	Full / No access
	Parallel	Full / No access
Imaging Devices	Scanners	Full / No access
	Cameras, Webcams & Others	Full / No access
Others	Printers	Full / No access
	USB Ethernet Adapter	Full / No access
	Sound Cards	Full / No access
	Portable Devices (iPhones, Mobiles)	Full / No access
	Network Share	Full / No access

How to Prevent Specific Files From Being Transferred From USB Ports

AccessPatrol allows you to prevent specific files from being transferred to external devices based on their filename or file extension.

Open the CurrentWare Console
Select the computers or users you would like to control
Under the AccessPatrol tab, select Block File Transfers
Under Enter File Name or Extension, type in the desired extension (CSV, BAK, CAD, etc) or file name (client-list, archive, etc) that you would like to block
Click Add, then click Close
Click Apply to Clients and then click OK

By default AccessPatrol’s Block File Transfers feature will not apply these restrictions to devices that have been added to the Allow List.

If you would also like to block these file transfers to authorized USB devices you simply need to click the “Apply Block File Transfers on Allowed Devices” checkbox before applying the policy to the clients.

FREE TRIAL: AccessPatrol USB Device Control Software

How to Disable USB Ports For Mass Storage Devices Only

AccessPatrol peripheral device permissions mockup block usb

If you would like to disable USB ports for mass storage only (e.g. without blocking keyboards, mice, and other desired USB devices) you can do that with AccessPatrol’s USB drive blocking feature. With this method you can also disable USB for specific user while allowing them for others.

By default, when disabling USB ports with AccessPatrol it will distinguish between USB mass storage devices and other peripherals such as keyboards and mice. It also provides granular control over other portable storage devices such as external hard drives, SD Cards, and mobile phones.

AccessPatrol’s ability to distinguish between mass storage and keyboards makes it the best USB mass storage device blocking software for business.

Open the CurrentWare Console
Select the group(s) of computers or users you would like to control. If you would like to disable USB for a specific user you can simply switch AccessPatrol to User Mode, add the specific user to their own policy group, then proceed to step 3.
Under the AccessPatrol tab, select Device Permissions then select the group of users or computers you would like to disable USB devices for.
Under Storage Devices, select USB
Under Access Permissions set the desired level of restriction (Full Access, Read Only, No Access)
Click Apply and then click OK

After following these steps you will be blocking USB mass storage devices while still allowing keyboards and mice to function.

Get My Free Trial

Learn More

How to Allow a Specific USB Device When USB Ports Are Disabled

Grant Ongoing Access to Authorized USB Devices

With AccessPatrol’s Allowed List you can disable USB ports while still allowing specific authorized USB devices.

Connect the desired USB device to any computer that has a CurrentWare Client installed
Open the CurrentWare Console
Select the folder with the computers or users you would like to control
Under the AccessPatrol tab, select Allowed List
Click “Add From Available Devices”
Choose a device from the Vendor ID, Serial Number and/or PNP Device ID lists
Click on Add to Allowed List, then click OK

Administrators can use AccessPatrol’s Device Allowed List to establish a list of devices that their end-users can use on company devices, even when USB ports are disabled.

You can choose to allow devices by the following identifiers:

Vendor ID
Serial number
PNP device ID

Device whitelisting is configured on a per-folder basis. Devices that are added to the allowed list for a given folder will apply to any computers that are in the specified folder. AccessPatrol’s allowed list supports USBs, External Hard drives, Imaging devices, and portable devices.

Note: Allowing a device by serial number is fully compatible with Windows 10. For Windows 7 or 8, some newer models of USB devices may not support this feature. Instead of allowing by serial number, it will allow all devices from the same vendor and model.

Get My Free Trial

Learn More

How to Temporarily Allow USB Devices

AccessPatrol can grant temporary access to blocked devices using it’s access code generator.

Administrators and authorized managers can use the generator to produce a single-use code that provides users with a set duration where the computer’s USB ports are no longer disabled by AccessPatrol.

The access code is unique to each computer that you generate for and the computers do not need to be connected to the internet to use it. So long as the CurrentWare client is installed on the employee’s computer they can be provided with temporary access to USB devices.

Generate a temporary access code

Open the CurrentWare Console
Select the computers or users you would like to provide temporary USB device access to
Click “Access Code Generator”
Choose the expiration date and duration of the access code
Click Generate to create a temporary access code

Activate the temporary access code from the employee’s computer

grant access to endpoint devices from control panel

Have the employee open the Control Panel
Set “View By” to large icons or small icons
Click “Grant access to endpoint devices”
Have the employee enter the temporary access code into the dialogue box, then click “Unlock”

Get My Free Trial

Learn More

Removable Media
Policy Template

Set data security standards for portable storage
Define the acceptable use of removable media
Inform your users about their security responsibilities

Get started today—Download the FREE template and customize it to fit the needs of your organization.

Get the FREE Template

How to Use the Device Manager to Disable USB Ports

If you would like to completely disable individual USB ports on a per-computer basis, you can do so with Windows Device Manager.

This method is the most cumbersome to manage when an employee needs legitimate access to authorized USB devices as you will need to manually unlock the ports from the device itself rather than using a central console.

Log in to an administrator account
Right-click on the Start menu
Click on Device Manager
Click on Universal Serial Bus controllers to view all of the USB ports
Right click on the USB port that you would like to disable
Select “Disable device”
Restart the computer to apply the changes

To ensure that the employee does not manually unlock the ports you will need to ensure they do not have access to an administrator account. To re-enable the ports simply perform steps 1-5 and select “Enable device”.

How to Disable USB Ports Using Group Policy

If you would like detailed instructions on how to use a Group Policy Object to block employees from using USB devices you can visit this guide on the CurrentWare blog.

Although applying group policies is a useful way to control the usage of USB storage devices in an organization, there are disadvantages that should not go unnoticed.

GPO vs USB Blocking Software:

Applying unique USB restrictions to different departments and users with a GPO is complicated for the average user. It also requires proficiency with Active Directory to manage at-scale.
Dedicated USB mass storage device blocking software such as AccessPatrol is easy to manage, allowing the modification of policy updates to be delegated to less technically savvy users.
Managing unique USB policies for individual users is more intuitive when using dedicated USB blocking software.

Conclusion

Using software to disable USB ports is critical for protecting sensitive data against theft through unauthorized USB devices. If you would like to easily manage USB device permissions in your company you can get started with a free trial of AccessPatrol USB device control software today.

Get My Free Trial

Learn More

Dale Strickland

Dale Strickland is the Digital Marketing Manager for CurrentWare, a global provider of user activity monitoring, web filtering, and device control software. Dale’s diverse multimedia background allows him the opportunity to produce a variety of content for CurrentWare including blogs, infographics, videos, eBooks, and social media shareables.

Cookie	Duration	Description
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
LS_CSRF_TOKEN	session	Cloudflare sets this cookie to track users’ activities across multiple websites. It expires once the browser is closed.
OptanonConsent	1 year	OneTrust sets this cookie to store details about the site's cookie category and check whether visitors have given or withdrawn consent from the use of each category.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
_zcsr_tmp	session	Zoho sets this cookie for the login function on the website.

Cookie	Duration	Description
_calendly_session	21 days	Calendly, a Meeting Schedulers, sets this cookie to allow the meeting scheduler to function within the website and to add events into the visitor’s calendar.
_gaexp	2 months 11 days 7 hours 3 minutes	Google Analytics installs this cookie to determine a user's inclusion in an experiment and the expiry of experiments a user has been included in.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_GY6RPLBZG0	2 years	This cookie is installed by Google Analytics.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
_opt_expid	past	Set by Google Analytics, this cookie is created when running a redirect experiment. It stores the experiment ID, the variant ID and the referrer to the page that is being redirected.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_dc_gtm_UA-6494714-6	1 minute	No description
_gaexp_rc	past	No description available.
34f6831605	session	No description
383aeadb58	session	No description available.
663a60c55d	session	No description available.
6e4b8efee4	session	No description available.
c72887300d	session	No description available.
cookielawinfo-checkbox-tracking	1 year	No description
crmcsr	session	No description available.
currentware-_zldp	2 years	No description
currentware-_zldt	1 day	No description
et_pb_ab_view_page_26104	session	No description
gaclientid	1 month	No description
gclid	1 month	No description
handl_ip	1 month	No description available.
handl_landing_page	1 month	No description available.
handl_original_ref	1 month	No description available.
handl_ref	1 month	No description available.
handl_ref_domain	1 month	No description
handl_url	1 month	No description available.
handl_url_base	1 month	No description
handlID	1 month	No description
HandLtestDomainName	session	No description
HandLtestDomainNameServer	1 day	No description
isiframeenabled	1 day	No description available.
m	2 years	No description available.
nitroCachedPage	session	No description
organic_source	1 month	No description
organic_source_str	1 month	No description
traffic_source	1 month	No description available.
uesign	1 month	No description
user_agent	1 month	No description available.
ZCAMPAIGN_CSRF_TOKEN	session	No description available.
zld685336000000002056state	5 minutes	No description

How to Disable USB Ports & Block USB Mass Storage Devices

Why Disable USB Ports?

Prevent Data Theft

Protect Endpoints Against USB Malware

How to Monitor USB Activities

How to Disable USB Ports With AccessPatrol

Devices That Can Be Controlled With AccessPatrol

How to Prevent Specific Files From Being Transferred From USB Ports

How to Disable USB Ports For Mass Storage Devices Only

How to Allow a Specific USB Device When USB Ports Are Disabled

Grant Ongoing Access to Authorized USB Devices

How to Temporarily Allow USB Devices

Removable MediaPolicy Template

How to Use the Device Manager to Disable USB Ports

How to Disable USB Ports Using Group Policy

Conclusion

Dale Strickland

Related posts

How to Manage Users & PCs in the CurrentWare Suite

How to Use enPowerManager—PC Power Manager & Employee Login Tracker

Removable Media
Policy Template