How to Disable USB Ports on Windows PCs for Security & Compliance
Case Study
Viking Yachts Stops an Employee From Stealing Their Intellectual Property
As Viking Yachts grew, their network administrator Vincent Pecoreno was responsible for supporting over 530 users and 1500 devices across multiple geographic locations, making visibility a challenge without the right tools in place.
Once equipped with CurrentWare’s user activity monitoring and data loss prevention solutions, Viking Yachts had the insights they needed to protect their sensitive data.
Read their case study to learn more about how Vincent used CurrentWare to detect a data theft attempt from a soon-to-be-ex-employee.
Want to control the use of unauthorized USB devices in your network? In this guide you will learn how to disable USB ports with three different methods: Using dedicated device control software to disable USB ports, Windows Device Manager, and Group Policies through Active Directory.
With these USB drive blocking methods you’ll be able to disable USB ports in Windows 10, Windows 7, and other Windows operating systems.
Why Disable USB Ports?
Prevent Data Theft
Your employees have intimate access to corporate data and knowledge of internal systems. Without proper access control measures, stealing data is as simple as transferring it to a portable mass storage device such as a USB flash drive.
Flash drives are capable of storing greater than 1TB of data, which is more than sufficient for exfiltrating databases, spreadsheets, design files, and any other intellectual property that needs to be protected.
One use of Data Loss Prevention (DLP) software is blocking the copying of files to a USB flash drive. This prevents employees from using their privileged position to steal sensitive information such as trade secrets and personally identifiable information.
Also Read: USB Device Management – Whitelist Authorized Peripherals
FREE GUIDE & CHECKLIST
How to Keep Data Safe When Offboarding Employees
The employee offboarding process presents significant data security risks. Employees have intimate access to corporate data, insider knowledge of the organization’s systems, and a level of trust that can allow them to steal data undetected.
Click the button below to learn the best practices for managing insider threat risks during offboarding & gain access to a checklist of key cybersecurity items you must include in your offboarding process.
Protect Endpoints Against USB Malware
USB devices can unknowingly infect company computers with ransomware and other malicious software. Disabling USB ports protects endpoints against rogue USB devices by proactively preventing the transmission of malicious files.
How to Monitor USB Activities
How to Disable USB Ports With AccessPatrol
AccessPatrol is a granular and easy-to-use software to disable USB ports in Windows 10, Windows 8, and Windows 7. It allows you to control access to USB devices and other peripherals based on users, computers, workgroups, and domain membership.
This level of control allows you to protect against unauthorized USB devices without blocking the legitimate use of company-controlled peripherals. That way, rather than fully disabling USB ports you can selectively control the USB devices you would like to allow.
It is also a centralized USB blocker software, allowing you to control USB device permissions for thousands of users from a single console. This makes locking USB ports for your entire workforce as easy as a few clicks.
To disable USB ports with AccessPatrol you simply need to install the CurrentWare Console on the Manager’s computer, install the CurrentWare Client on the computers that you would like to disable USB ports on, and return to the CurrentWare Console to assign USB device permissions based on user, endpoint, or workgroup.
Also Read: USB Drive Security Best Practices You Need to Implement Now
Devices That Can Be Controlled With AccessPatrol
In addition to disabling USB ports, the AccessPatrol endpoint security software can block or limit the use of the following peripheral devices. Endpoint device restrictions can be configured based on computer, user, or workgroup.
| Device Class | Devices | Access Permissions |
| Storage Devices | USB | Full / Read only / No access |
| DVD /CD | Full / Read only / No access | |
| Floppy | Full / Read only / No access | |
| Tape | Full / Read only / No access | |
| External Hard drive | Full / Read only / No access | |
| Firewire | Full / Read only / No access | |
| SD Card | Full / Read only / No access | |
| MM Card | Full / Read only / No access | |
| Wireless Devices | Bluetooth | Full / No access |
| Infrared | Full / No access | |
| Wifi | Full / No access | |
| Communication Ports | Serial | Full / No access |
| Parallel | Full / No access | |
| Imaging Devices | Scanners | Full / No access |
| Cameras, Webcams & Others | Full / No access | |
| Others | Printers | Full / No access |
| USB Ethernet Adapter | Full / No access | |
| Sound Cards | Full / No access | |
| Portable Devices (iPhones, Mobiles) | Full / No access | |
| Network Share | Full / No access |
How to Prevent Specific Files From Being Transferred From USB Ports
AccessPatrol allows you to prevent specific files from being transferred to external devices based on their filename or file extension.
- Open the CurrentWare Console
- Select the computers or users you would like to control
- Under the AccessPatrol tab, select Block File Transfers
- Under Enter File Name or Extension, type in the desired extension (CSV, BAK, CAD, etc) or file name (client-list, archive, etc) that you would like to block
- Click Add, then click Close
- Click Apply to Clients and then click OK
By default AccessPatrol’s Block File Transfers feature will not apply these restrictions to devices that have been added to the Allow List.
If you would also like to block these file transfers to authorized USB devices you simply need to click the “Apply Block File Transfers on Allowed Devices” checkbox before applying the policy to the clients.
How to Disable USB Ports For Mass Storage Devices Only
If you would like to disable USB ports for mass storage only (e.g., without blocking keyboards, mice, and other desired USB devices), you can do that with AccessPatrol’s USB drive blocking feature. With this method, you can also disable USB for a specific user while allowing them for others.
By default, when disabling USB ports with AccessPatrol it will distinguish between USB mass storage devices and other peripherals such as keyboards and mice. It also provides granular control over other portable storage devices such as external hard drives, SD Cards, and mobile phones.
Also Read: Windows USB Blocker: Software to Track and Block USB Ports on Windows XP
AccessPatrol’s ability to distinguish between mass storage and keyboards makes it the best USB mass storage device blocking software for business.
- Open the CurrentWare Console
- Select the group(s) of computers or users you would like to control. If you would like to disable USB for a specific user, you can simply switch AccessPatrol to User Mode, add the specific user to their policy group, then proceed to step 3.
- Under the AccessPatrol tab, select Device Permissions then select the group of users or computers you would like to disable USB devices for.
- Under Storage Devices, select USB
- Under Access Permissions, set the desired level of restriction (Full Access, Read Only, No Access)
- Click Apply, and then click OK
After following these steps you will be blocking USB mass storage devices while still allowing keyboards and mice to function.
How to Allow a Specific USB Device When USB Ports Are Disabled
Grant Ongoing Access to Authorized USB Devices
With AccessPatrol’s Allowed List, you can disable USB ports while still allowing specific authorized USB devices.
- Connect the desired USB device to any computer that has a CurrentWare Client installed
- Open the CurrentWare Console
- Select the folder with the computers or users you would like to control
- Under the AccessPatrol tab, select Allowed List
- Click “Add From Available Devices”
- Choose a device from the Vendor ID, Serial Number and/or PNP Device ID lists
- Click on Add to Allowed List, then click OK
Administrators can use AccessPatrol’s Device Allowed List to establish a list of devices that their end-users can use on company devices, even when USB ports are disabled.
You can choose to allow devices by the following identifiers:
- Vendor ID
- Serial number
- PNP device ID
Device whitelisting is configured on a per-folder basis. Devices that are added to the allowed list for a given folder will apply to any computers that are in the specified folder. AccessPatrol’s allowed list supports USBs, External Hard drives, Imaging devices, and portable devices.
Note: Allowing a device by serial number is fully compatible with Windows 10. For Windows 7 or 8, some newer models of USB devices may not support this feature. Instead of allowing by serial number, it will allow all devices from the same vendor and model.
How to Temporarily Allow USB Devices
AccessPatrol can grant temporary access to blocked devices using its access code generator.
Administrators and authorized managers can use the generator to produce a single-use code that provides users with a set duration where the computer’s USB ports are no longer disabled by AccessPatrol.
The access code is unique to each computer that you generate for, and the computers do not need to be connected to the internet to use it. So long as the CurrentWare client is installed on the employee’s computer, they can be provided with temporary access to USB devices.
- Generate a temporary access code
- Open the CurrentWare Console
- Select the computers or users you would like to provide temporary USB device access to
- Click “Access Code Generator”
- Choose the expiration date and duration of the access code
- Click Generate to create a temporary access code
- Activate the temporary access code from the employee’s computer
- Have the employee open the Control Panel
- Set “View By” to large icons or small icons
- Click “Grant access to endpoint devices”
- Have the employee enter the temporary access code into the dialogue box, then click “Unlock”
FREE DOWNLOAD
Removable Media Policy Template
- Set data security standards for portable storage
- Define the acceptable use of removable media
- Inform your users about their security responsibilities
Get started today—Download the FREE template and customize it to fit the needs of your organization.
Case Study
Metromont Improves User Awareness of USB Security Risks
Preventing users from inserting unauthorized removable media devices into company computers is an essential cybersecurity control.
Metromont realized the importance of USB security when an external security company performed a highly targeted USB drop attack on their employees.
Alarmingly, some of the employees plugged these unsanctioned USB drives into their work computers—A situation that otherwise could unknowingly grant threat actors access to sensitive information!
Read their case study to learn how CurrentWare’s USB restriction and USB device activity monitoring capabilities helped Metromont ensure compliance with their data security policies.
Frequently Asked Questions (FAQ)
Conclusion
Using software to disable USB ports is critical for protecting sensitive data against theft through unauthorized USB devices. If you would like to easily manage USB device permissions in your company, you can get started with a free trial of AccessPatrol USB device control software today.
Author
Derek B
Customer Success Manager, CurrentWare
Derek is a Customer Success Manager at CurrentWare, dedicated to helping clients realize long-term value from their products. Since 2016, he has worked in the tech sector, driving real ROI through tailored onboarding, proactive support, and strategic guidance on critical solutions like software licence optimization, employee productivity, web filtering and USB device control. Derek fosters strong relationships and cross-functional collaboration to boost retention, satisfaction, and growth, ensuring clients effectively manage productivity and security.
