How to Disable USB Ports & Block USB Mass Storage Devices

Want to control the use of unauthorized USB devices in your network? In this guide you will learn how to disable USB ports with three different methods: Using dedicated device control software to disable USB ports, Windows Device Manager, and Group Policies through Active Directory.

With these USB drive blocking methods you’ll be able to disable USB ports in Windows 10, Windows 7, and other Windows operating systems.

Take Control Over USB Devices With AccessPatrol

Get My Free Trial Learn More

A departing employee was caught stealing classified files! If we didn’t have AccessPatrol we would never have known.

Learn how Viking Yachts protected their intellectual property from a departing employee in our case study

Read Their Story

Why Disable USB Ports?

Prevent Data Theft

Your employees have intimate access to corporate data and knowledge of internal systems. Without proper access control measures stealing data is as simple as transferring it to a portable mass storage device such as a USB flash drive.

Flash drives are capable of storing greater than 1TB of data, which is more than sufficient for exfiltrating databases, spreadsheets, design files, and any other intellectual property that needs to be protected.

One use of Data Loss Prevention (DLP) software is blocking the copying of files to a USB flash drive. This prevents employees from using their privileged position to steal sensitive information such as trade secrets and personally identifiable information.

data theft prevention - a guide to offboarding employees - CurrentWare

The employee offboarding process presents significant data security risks. Employees have intimate access to corporate data, insider knowledge of the organization’s systems, and a level of trust that can allow them to steal data undetected.

70% of intellectual property theft occurs within the 90 days before an employee’s resignation announcement
88% of IT workers have stated that they would take sensitive data with them if they were fired
72% of CEOs admit they’ve taken valuable intellectual property (IP) from a former employer
50% of respondents in a Symantec survey say they have taken information, and 40% say they will use it in their new jobs

These vulnerabilities need to be addressed as part of any insider threat management program. Click the button below to learn the best practices for protecting data during a termination and gain access to a downloadable IT offboarding checklist.

Gain Access Now

Protect Endpoints Against USB Malware

USB devices can unknowingly infect company computers with ransomware and other malicious software. Disabling USB ports protects endpoints against rogue USB devices by proactively preventing the transmission of malicious files.

How to Monitor USB Activities

Hey everyone, this is Dale here. I am the Digital Marketing Manager for CurrentWare.

In today’s video, I’d like to show off the new USB activity dashboards introduced to AccessPatrol in version 7.0.

These dashboards provide a convenient overview of the peripheral device usage of your entire workforce as well as specific groups or users—all from the convenience of a web browser.

They work in tandem with AccessPatrol’s device control features and USB activity reports to protect sensitive data against the security risks of portable storage devices.

Today’s video is just a sneak peek of what AccessPatrol is capable of; as time goes on you can expect to see further enhancements and data points added to these dashboards.

At this time, AccessPatrol can track activities from the following peripherals:

Portable storage devices such as USB flash drives, external hard drives, optical discs, tape drives, and SD cards
and Mobile devices including smartphones, PDAs, and tablets

This device usage data is used to populate various graphs across AccessPatrol’s dashboards. You can further refine how granular this data is by limiting the time frame, selecting only specific groups, and even investigating individual users.

Having these metrics available at a glance makes detecting potential insider threats far more efficient as your organization scales.

Any groups or users that need to be reviewed further can be investigated using the more granular dashboards and AccessPatrol’s device activity reports.

For a more proactive approach to insider threat management you can set up targeted alerts that will notify designated staff members when these high-risk activities occur.

For the most up-to-date information on AccessPatrol’s activity tracking and data loss prevention capabilities, visit our knowledge base at CurrentWare.com/Support or visit the AccessPatrol product page at CurrentWare.com/AccessPatrol

In the overview dashboard you can review the following metrics:

File Operations that happened over the selected time period, including the number of files that have been copied/created, the number of files that have been deleted, and the number of files that have been renamed/saved as.
Overall Device Activities, with a breakdown of how many of the peripherals were authorized and how many were blocked from use.
The Top 5 File Types graph shows the most common file types that are copied/created or deleted to and from portable storage devices
The Top 5 Device Types graph shows the most common classes of peripheral devices that are blocked and allowed
The Top 5 Files Operations graph shows which groups or users have the greatest number of files that have been Copied/Created and Deleted to and from portable storage devices
The Top 5 Devices Activities graph shows which groups or users have the greatest number of Blocked and Allowed devices.
And finally, The Activity Log provides access to the raw data, with controls to show and hide certain columns, filter and sort data, conduct searches, and export the data to an Excel spreadsheet or PDF. Each dashboard has their own Activity Log with columns that are relevant to that specific dashboard.

Moving on to the Files Dashboard you will see…

A timeline of file operations that shows the relationship between the various operations over the course of the selected time period. This can be used to search for patterns in anomalous device usage, such as peaks in file transfers outside of regular operating hours.
You will also see graphs with the Top File Types Copied/Created to internal hard drives and external devices
Below that, we have graphs that show the users or groups that have Copied/Created or Deleted the most files
And, just like the overview dashboard, there is an Activity Log with the raw data.

Finally, we have the Devices Dashboard.

In this dashboard, we have…

A device activities graph that shows a timeline with the number of allowed and blocked devices each day. This can be further refined to show an hourly breakdown of a specific day so you can find out what time your users were attempting to use blocked devices.
Next, we have graphs with the users or groups that have the most allowed and blocked devices activity over the selected time period.
Scrolling down to the Activity Log, we can use the sorting controls to take a closer look at the users that have been attempting to use unauthorized peripherals.

As you can see, we have specific users that are repeatedly trying to use devices that have not been approved for use by the organization.

While this could just be an accidental oversight on the user’s part, there’s a risk that it’s something much more serious.

For example, what if this is actually a disgruntled employee trying to steal trade secrets or sensitive customer data so they can bring it to a competitor, or worse, sell it to cybercriminals on the dark web.

Between the costs associated with a damaged reputation, fines, loss of competitive advantage, and remediation, a data breach like this could completely ruin a company.

Before we confront this employee or send them for retraining, let’s investigate this incident further so we can make an informed decision.

Clicking on this user, we’ll be taken to a dashboard that focuses exclusively on their activity.

Looking at the Devices graph we can see that they have made multiple attempts to use blocked devices.

Scrolling down, we can see that they’ve been trying to use unauthorized portable storage devices.

Since AccessPatrol is currently blocking any devices that are not explicitly allowed, I know that the only way sensitive data is leaving through a USB drive is if it’s a device that we’ve allowed before. So, let’s take a closer look at how they’ve been using their approved devices.

As you can see here, the types of files that they are transferring are more than capable of containing sensitive data; let’s take a look at the file names for more details.

With the Activity Log we can use the filters, sorting, and column options to isolate our view to the entries we’re the most interested in.

Once we find something that looks off, we have more than enough information to confront this employee and take any necessary corrective actions.

Ready to protect your sensitive data against theft to USB portable storage devices? Block and monitor peripheral device usage today with a free trial of AccessPatrol, CurrentWare’s USB control software.

Simply visit CurrentWare.com/Download to get started instantly, or get in touch with us at CurrentWare.com/Contact to book a demo with one of our team members. See you next time!

How to Disable USB Ports With AccessPatrol

Get My Free Trial Learn More

AccessPatrol is a granular and easy-to-use software to disable USB ports in Windows 10, Windows 8, and Windows 7. It allows you to control access to USB devices and other peripherals based on users, computers, workgroups, and domain membership.

This level of control allows you to protect against unauthorized USB devices without blocking the legitimate use of company-controlled peripherals. That way, rather than fully disabling USB ports you can selectively control the USB devices you would like to allow.

It is also a centralized USB blocker software, allowing you to control USB device permissions for thousands of users from a single console. This makes locking USB ports for your entire workforce as easy as a few clicks.

To disable USB ports with AccessPatrol you simply need to install the CurrentWare Console on the Manager’s computer, install the CurrentWare Client on the computers that you would like to disable USB ports on, and return to the CurrentWare Console to assign USB device permissions based on user, endpoint, or workgroup.

Devices That Can Be Controlled With AccessPatrol

In addition to disabling USB ports, the AccessPatrol endpoint security software can block or limit the use of the following peripheral devices. Endpoint device restrictions can be configured based on computer, user, or workgroup.

Device Class	Devices	Access Permissions
Storage Devices	USB	Full / Read only / No access
	DVD /CD	Full / Read only / No access
	Floppy	Full / Read only / No access
	Tape	Full / Read only / No access
	External Hard drive	Full / Read only / No access
	Firewire	Full / Read only / No access
	SD Card	Full / Read only / No access
	MM Card	Full / Read only / No access
Wireless Devices	Bluetooth	Full / No access
	Infrared	Full / No access
	Wifi	Full / No access
Communication Ports	Serial	Full / No access
	Parallel	Full / No access
Imaging Devices	Scanners	Full / No access
	Cameras, Webcams & Others	Full / No access
Others	Printers	Full / No access
	USB Ethernet Adapter	Full / No access
	Sound Cards	Full / No access
	Portable Devices (iPhones, Mobiles)	Full / No access
	Network Share	Full / No access

How to Prevent Specific Files From Being Transferred From USB Ports

AccessPatrol allows you to prevent specific files from being transferred to external devices based on their filename or file extension.

Open the CurrentWare Console
Select the computers or users you would like to control
Under the AccessPatrol tab, select Block File Transfers
Under Enter File Name or Extension, type in the desired extension (CSV, BAK, CAD, etc) or file name (client-list, archive, etc) that you would like to block
Click Add, then click Close
Click Apply to Clients and then click OK

By default AccessPatrol’s Block File Transfers feature will not apply these restrictions to devices that have been added to the Allow List.

If you would also like to block these file transfers to authorized USB devices you simply need to click the “Apply Block File Transfers on Allowed Devices” checkbox before applying the policy to the clients.

FREE TRIAL: AccessPatrol USB Device Control Software

How to Disable USB Ports For Mass Storage Devices Only

AccessPatrol peripheral device permissions mockup block usb

If you would like to disable USB ports for mass storage only (e.g. without blocking keyboards, mice, and other desired USB devices) you can do that with AccessPatrol’s USB drive blocking feature. With this method you can also disable USB for specific user while allowing them for others.

By default, when disabling USB ports with AccessPatrol it will distinguish between USB mass storage devices and other peripherals such as keyboards and mice. It also provides granular control over other portable storage devices such as external hard drives, SD Cards, and mobile phones.

AccessPatrol’s ability to distinguish between mass storage and keyboards makes it the best USB mass storage device blocking software for business.

Open the CurrentWare Console
Select the group(s) of computers or users you would like to control. If you would like to disable USB for a specific user you can simply switch AccessPatrol to User Mode, add the specific user to their own policy group, then proceed to step 3.
Under the AccessPatrol tab, select Device Permissions then select the group of users or computers you would like to disable USB devices for.
Under Storage Devices, select USB
Under Access Permissions set the desired level of restriction (Full Access, Read Only, No Access)
Click Apply and then click OK

After following these steps you will be blocking USB mass storage devices while still allowing keyboards and mice to function.

Get My Free Trial Learn More

How to Allow a Specific USB Device When USB Ports Are Disabled

Grant Ongoing Access to Authorized USB Devices

With AccessPatrol’s Allowed List you can disable USB ports while still allowing specific authorized USB devices.

Connect the desired USB device to any computer that has a CurrentWare Client installed
Open the CurrentWare Console
Select the folder with the computers or users you would like to control
Under the AccessPatrol tab, select Allowed List
Click “Add From Available Devices”
Choose a device from the Vendor ID, Serial Number and/or PNP Device ID lists
Click on Add to Allowed List, then click OK

Administrators can use AccessPatrol’s Device Allowed List to establish a list of devices that their end-users can use on company devices, even when USB ports are disabled.

You can choose to allow devices by the following identifiers:

Vendor ID
Serial number
PNP device ID

Device whitelisting is configured on a per-folder basis. Devices that are added to the allowed list for a given folder will apply to any computers that are in the specified folder. AccessPatrol’s allowed list supports USBs, External Hard drives, Imaging devices, and portable devices.

Note: Allowing a device by serial number is fully compatible with Windows 10. For Windows 7 or 8, some newer models of USB devices may not support this feature. Instead of allowing by serial number, it will allow all devices from the same vendor and model.

Get My Free Trial Learn More

How to Temporarily Allow USB Devices

AccessPatrol can grant temporary access to blocked devices using it’s access code generator.

Administrators and authorized managers can use the generator to produce a single-use code that provides users with a set duration where the computer’s USB ports are no longer disabled by AccessPatrol.

The access code is unique to each computer that you generate for and the computers do not need to be connected to the internet to use it. So long as the CurrentWare client is installed on the employee’s computer they can be provided with temporary access to USB devices.

Generate a temporary access code

Open the CurrentWare Console
Select the computers or users you would like to provide temporary USB device access to
Click “Access Code Generator”
Choose the expiration date and duration of the access code
Click Generate to create a temporary access code

Activate the temporary access code from the employee’s computer

grant access to endpoint devices from control panel

Have the employee open the Control Panel
Set “View By” to large icons or small icons
Click “Grant access to endpoint devices”
Have the employee enter the temporary access code into the dialogue box, then click “Unlock”

Get My Free Trial Learn More

Removable Media
Policy Template

Set data security standards for portable storage
Define the acceptable use of removable media
Inform your users about their security responsibilities

Get started today—Download the FREE template and customize it to fit the needs of your organization.

Get the FREE Template

How to Use the Device Manager to Disable USB Ports

If you would like to completely disable individual USB ports on a per-computer basis, you can do so with Windows Device Manager.

This method is the most cumbersome to manage when an employee needs legitimate access to authorized USB devices as you will need to manually unlock the ports from the device itself rather than using a central console.

Log in to an administrator account
Right-click on the Start menu
Click on Device Manager
Click on Universal Serial Bus controllers to view all of the USB ports
Right click on the USB port that you would like to disable
Select “Disable device”
Restart the computer to apply the changes

To ensure that the employee does not manually unlock the ports you will need to ensure they do not have access to an administrator account. To re-enable the ports simply perform steps 1-5 and select “Enable device”.

How to Disable USB Ports Using Group Policy

If you would like detailed instructions on how to use a Group Policy Object to block employees from using USB devices you can visit this guide on the CurrentWare blog.

Although applying group policies is a useful way to control the usage of USB storage devices in an organization, there are disadvantages that should not go unnoticed.

GPO vs USB Blocking Software:

Applying unique USB restrictions to different departments and users with a GPO is complicated for the average user. It also requires proficiency with Active Directory to manage at-scale.
Dedicated USB mass storage device blocking software such as AccessPatrol is easy to manage, allowing the modification of policy updates to be delegated to less technically savvy users.
Managing unique USB policies for individual users is more intuitive when using dedicated USB blocking software.

Conclusion

Using software to disable USB ports is critical for protecting sensitive data against theft through unauthorized USB devices. If you would like to easily manage USB device permissions in your company you can get started with a free trial of AccessPatrol USB device control software today.

Get My Free Trial Learn More

Dale Strickland

Dale Strickland is the Digital Marketing Manager for CurrentWare, a global provider of user activity monitoring, web filtering, and device control software. Dale’s diverse multimedia background allows him the opportunity to produce a variety of content for CurrentWare including blogs, infographics, videos, eBooks, and social media shareables.

Cookie	Duration	Description
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
LS_CSRF_TOKEN	session	Cloudflare sets this cookie to track users’ activities across multiple websites. It expires once the browser is closed.
OptanonConsent	1 year	OneTrust sets this cookie to store details about the site's cookie category and check whether visitors have given or withdrawn consent from the use of each category.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
_zcsr_tmp	session	Zoho sets this cookie for the login function on the website.

Cookie	Duration	Description
_calendly_session	21 days	Calendly, a Meeting Schedulers, sets this cookie to allow the meeting scheduler to function within the website and to add events into the visitor’s calendar.
_gaexp	2 months 11 days 7 hours 3 minutes	Google Analytics installs this cookie to determine a user's inclusion in an experiment and the expiry of experiments a user has been included in.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_GY6RPLBZG0	2 years	This cookie is installed by Google Analytics.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
_opt_expid	past	Set by Google Analytics, this cookie is created when running a redirect experiment. It stores the experiment ID, the variant ID and the referrer to the page that is being redirected.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_dc_gtm_UA-6494714-6	1 minute	No description
_gaexp_rc	past	No description available.
34f6831605	session	No description
383aeadb58	session	No description available.
663a60c55d	session	No description available.
6e4b8efee4	session	No description available.
c72887300d	session	No description available.
cookielawinfo-checkbox-tracking	1 year	No description
crmcsr	session	No description available.
currentware-_zldp	2 years	No description
currentware-_zldt	1 day	No description
et_pb_ab_view_page_26104	session	No description
gaclientid	1 month	No description
gclid	1 month	No description
handl_ip	1 month	No description available.
handl_landing_page	1 month	No description available.
handl_original_ref	1 month	No description available.
handl_ref	1 month	No description available.
handl_ref_domain	1 month	No description
handl_url	1 month	No description available.
handl_url_base	1 month	No description
handlID	1 month	No description
HandLtestDomainName	session	No description
HandLtestDomainNameServer	1 day	No description
isiframeenabled	1 day	No description available.
m	2 years	No description available.
nitroCachedPage	session	No description
organic_source	1 month	No description
organic_source_str	1 month	No description
traffic_source	1 month	No description available.
uesign	1 month	No description
user_agent	1 month	No description available.
ZCAMPAIGN_CSRF_TOKEN	session	No description available.
zld685336000000002056state	5 minutes	No description

Take Control Over USB Devices With AccessPatrol

Why Disable USB Ports?

Prevent Data Theft

Protect Endpoints Against USB Malware

How to Monitor USB Activities

How to Disable USB Ports With AccessPatrol

Devices That Can Be Controlled With AccessPatrol

How to Prevent Specific Files From Being Transferred From USB Ports

How to Disable USB Ports For Mass Storage Devices Only

How to Allow a Specific USB Device When USB Ports Are Disabled

Grant Ongoing Access to Authorized USB Devices

How to Temporarily Allow USB Devices

Removable MediaPolicy Template

How to Use the Device Manager to Disable USB Ports

How to Disable USB Ports Using Group Policy

Conclusion

Dale Strickland

Related posts

🆕New DLP Tools, Location Insights, Track Network Drives, and More! (v9.0)

The Cybersecurity Risks of AI & How to Safeguard Sensitive Data

Removable Media
Policy Template