How to Disable USB Ports & Block USB Mass Storage Devices

A 32 gigabyte USB flash drive sitting on top of a computer keyboard

Want to control the use of unauthorized USB devices in your network? In this guide I will show you how to disable USB ports with three different methods: Using dedicated device control software to block USB ports, Windows Device Manager, and Group Policies through Active Directory. 

Table of Contents

Why Disable USB Ports?

Prevent Data Theft

Your employees have intimate access to corporate data and knowledge of internal systems. Without proper access control measures stealing data is as simple as transferring it to a portable mass storage device such as a USB flash drive.

Flash drives are capable of storing greater than 1TB of data, which is more than sufficient for exfiltrating databases, spreadsheets, design files, and any other intellectual property that needs to be protected.

One use of Data Loss Prevention (DLP) software is blocking the copying of files to a USB flash drive. This prevents employees from using their privileged position to steal sensitive information such as trade secrets and personally identifiable information. 


data theft prevention - a guide to offboarding employees - CurrentWare

The employee offboarding process presents significant data security risks. Employees have intimate access to corporate data, insider knowledge of the organization’s systems, and a level of trust that can allow them to steal data undetected.

  • 70% of intellectual property theft occurs within the 90 days before an employee’s resignation announcement
  • 88% of IT workers have stated that they would take sensitive data with them if they were fired
  • 72% of CEOs admit they’ve taken valuable intellectual property (IP) from a former employer
  • 50% of respondents in a Symantec survey say they have taken information, and 40% say they will use it in their new jobs

These vulnerabilities need to be addressed as part of any insider threat management program. Click here to learn the best practices for protecting data during a termination and gain access to a downloadable IT offboarding checklist.


Protect Endpoints Against USB Malware

USB devices can unknowingly infect company computers with ransomware and other malicious software. Disabling USB ports protects endpoints against rogue USB devices by proactively preventing the transmission of malicious files.

How to Disable USB Ports With AccessPatrol

AccessPatrol is a granular and easy-to-use USB blocking tool. It allows you to control access to USB devices and other peripherals based on users, computers, workgroups, and domain membership. 

This level of control allows you to protect against unauthorized USB devices without blocking the legitimate use of company-controlled peripherals. That way, rather than fully disabling USB ports you can selectively control the USB devices you would like to allow.

It is also a centralized USB blocker software, allowing you to control USB device permissions for thousands of users from a single console.

To disable USB ports with AccessPatrol you simply need to install the CurrentWare Console on the Manager’s computer, install the CurrentWare Client on the computers that you would like to disable USB ports on, and return to the CurrentWare Console to assign USB device permissions based on user, endpoint, or workgroup.

Devices That Can Be Controlled With AccessPatrol

In addition to disabling USB ports, the AccessPatrol endpoint security software can block or limit the use of the following peripheral devices. Endpoint device restrictions can be configured based on computer, user, or workgroup.

Device ClassDevicesAccess Permissions
Storage DevicesUSBFull / Read only / No access
DVD /CDFull / Read only / No access
FloppyFull / Read only / No access
TapeFull / Read only / No access
External Hard driveFull / Read only / No access
FirewireFull / Read only / No access
SD CardFull / Read only / No access
MM CardFull / Read only / No access
Wireless DevicesBluetoothFull / No access
InfraredFull / No access
WifiFull / No access
Communication PortsSerialFull / No access
ParallelFull / No access
Imaging DevicesScannersFull / No access
Cameras, Webcams & OthersFull / No access
OthersPrintersFull / No access
USB Ethernet AdapterFull / No access
Sound CardsFull / No access
Portable Devices (iPhones, Mobiles)Full / No access
Network ShareFull / No access

How to Prevent Specific Files From Being Transferred From USB Ports

AccessPatrol allows you to prevent specific files from being transferred to external devices based on their filename or file extension.  

  1. Open the CurrentWare Console
    central management console for AccessPatrol endpoint security solutions
  2. Select the computers or users you would like to control
  3. Under the AccessPatrol tab, select Block File Transfers
    Screenshot of AccessPatrol's USB file transfer blocking feature
  4. Under Enter File Name or Extension, type in the desired extension (CSV, BAK, CAD, etc) or file name (client-list, archive, etc) that you would like to block
  5. Click Add, then click Close
  6. Click Apply to Clients and then click OK

By default AccessPatrol’s Block File Transfers feature will not apply these restrictions to devices that have been added to the Allow List.

If you would also like to block these file transfers to authorized USB devices you simply need to click the “Apply Block File Transfers on Allowed Devices” checkbox before applying the policy to the clients.

How to Disable USB Ports For Mass Storage Devices Only

AccessPatrol device permissions window with USB drives blocked

If you would like to disable USB ports for mass storage only (e.g. without blocking keyboards, mice, and other desired USB devices) you can do that with AccessPatrol.

By default, when disabling USB ports with AccessPatrol it will distinguish between USB mass storage devices and other peripherals such as keyboards and mice. It also provides granular control over other portable storage devices such as external hard drives, SD Cards, and mobile phones.

  1. Open the CurrentWare Console
    central management console for AccessPatrol endpoint security solutions
  2. Select the group(s) of computers or users you would like to control
  3. Under the AccessPatrol tab, select Device Permissions
    Screenshot of AccessPatrols peripheral device blocking permissions window
  4. Under Storage Devices, select USB

    Device Blocking window Screenshot of CurrentWare's USB device control software AccessPatrol
  5. Under Access Permissions set the desired level of restriction (Full Access, Read Only, No Access)
  6. Click Apply and then click OK

After following these steps you will be blocking USB mass storage devices while still allowing keyboards and mice to function.

How to Allow a Specific USB Device When USB Ports Are Disabled

Grant Ongoing Access to Authorized USB Devices

With AccessPatrol’s Allowed List you can disable USB ports while still allowing specific authorized USB devices.

  1. Connect the desired USB device to any computer that has a CurrentWare Client installed
  2. Open the CurrentWare Console
    central management console for AccessPatrol endpoint security solutions
  3. Select the folder with the computers or users you would like to control
  4. Under the AccessPatrol tab, select Allowed List
    AccessPatrol device allowed list
  5. Click “Add From Available Devices”
  6. Choose a device from the Vendor ID, Serial Number and/or PNP Device ID lists
    Screenshot of AccessPatrol's USB device allow list
  7. Click on Add to Allowed List, then click OK

Administrators can use AccessPatrol’s Device Allowed List to establish a list of devices that their end-users can use on company devices, even when USB ports are disabled.

You can choose to allow devices by the following identifiers:

  • Vendor ID
  • Serial number
  • PNP device ID

Device whitelisting is configured on a per-folder basis. Devices that are added to the allowed list for a given folder will apply to any computers that are in the specified folder. AccessPatrol’s allowed list supports USBs, External Hard drives, Imaging devices, and portable devices.

Note: Allowing a device by serial number is fully compatible with Windows 10. For Windows 7 or 8, some newer models of USB devices may not support this feature. Instead of allowing by serial number, it will allow all devices from the same vendor and model.

How to Temporarily Allow USB Devices

AccessPatrol can grant temporary access to blocked devices using it’s access code generator

Administrators and authorized managers can use the generator to produce a single-use code that provides users with a set duration where the computer’s USB ports are no longer disabled by AccessPatrol. 

The access code is unique to each computer that you generate for and the computers do not need to be connected to the internet to use it. So long as the CurrentWare client is installed on the employee’s computer they can be provided with temporary access to USB devices.

  1. Generate a temporary access code
    Screenshot of AccessPatrol's access code Code Generator to temporarily enable USB devices
  • Open the CurrentWare Console
  • Select the computers or users you would like to provide temporary USB device access to
  • Click “Access Code Generator”
  • Choose the expiration date and duration of the access code
  • Click Generate to create a temporary access code
  1. Activate the temporary access code from the employee’s computer
grant access to endpoint devices from control panel
  • Have the employee open the Control Panel
  • Set “View By” to large icons or small icons
  • Click “Grant access to endpoint devices”
  • Have the employee enter the temporary access code into the dialogue box, then click “Unlock”

How to Use the Device Manager to Disable USB Ports

If you would like to completely disable individual USB ports on a per-computer basis, you can do so with Windows Device Manager. 

This method is the most cumbersome to manage when an employee needs legitimate access to authorized USB devices as you will need to manually re-enable the ports from the device itself rather than using a central console.

  1. Log in to an administrator account
  2. Right-click on the Start menu
  3. Click on Device Manager
  4. Click on Universal Serial Bus controllers to view all of the USB ports
  5. Right click on the USB port that you would like to disable
  6. Select “Disable device”
  7. Restart the computer to apply the changes

To ensure that the employee does not manually re-enable the ports you will need to ensure they do not have access to an administrator account. To re-enable the ports simply perform steps 1-5 and select “Enable device”. 

How to Disable USB Ports Using Group Policy

If you would like detailed instructions on how to use a Group Policy Object to block employees from using USB devices you can visit this guide on the CurrentWare blog.

Although applying group policies is a useful way to control the usage of USB storage devices in an organization, there are disadvantages that should not go unnoticed. 

GPO vs USB Blocking Software:

  1. Applying unique USB restrictions to different departments and users with a GPO is complicated for the average user. It also requires proficiency with Active Directory to manage at-scale.
  2. Dedicated USB blocking software such as AccessPatrol is easy to manage, allowing the modification of policy updates to be delegated to less technically savvy users.
  3. Managing unique USB policies for individual users is more intuitive when using dedicated USB blocking software.

Conclusion

Using software to disable USB ports is critical for protecting sensitive data against theft through unauthorized USB devices. If you would like to easily manage USB device permissions in your company you can get started with a free trial of AccessPatrol USB device control software today.

Dale Strickland
Dale Strickland
Dale Strickland is a Marketing Coordinator for CurrentWare, a global provider of endpoint security and employee monitoring software. Dale’s diverse multimedia background allows him the opportunity to produce a variety of content for CurrentWare including blogs, infographics, videos, eBooks, and social media shareables.