Have you initiated this policy in your environment? Please feel free to share your experiences and questions in the comments portion of this post.
In this article you learned how to leverage Windows Server 2008 Group Policy to disable USB drive us in our Active Directory domain. Once your GPO has been ingested by your domain, a user will see the following message box whenever they attempt to mount a restricted media device: This command refreshes Group Policy throughout your Active Directory domain. In order to put your new GPO into effect immediately, open an administrative command prompt and issue the following command: This is depicted in the following screen image: From the Group Policy Management Console we can make use of the Security Filtering and/or the WMI Filtering areas to properly scope our GPO. Naturally, we want to apply GPO security filtering to ensure that only our desired users and computers are affected by our new policy. If we enable this policy, as is shown in the following screen capture, then we prevent affected users from mounting ANY class of removable media.Īll Removable Storage classes - Deny all access Note from the above screenshot that we can use Group Policy to limit access to the following device classes:īy far, the most restrictive restriction (pardon the redundancy) is the policy All Removable Storage Classes: Deny All Access. NOTE: If you prefer to set these restrictions on a per-user basis instead of computer-wide, then use the Group Policy path \User Configuration\Policies\Administrative Templates\System\Removable Storage Access. Within the Group Policy Editor, navigate to \Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access. With SEP 14.3 RU1, we have enhanced our parsing technology to prevent threats utilizing Office files such as Excel to deliver. Now then: from one of your Active Directory Domain Services domain controllers or from an administrative workstation, open the Group Policy Management Console and link a new GPO to the appropriate target (domain, OU, etc.). Symantec Endpoint Protection (SEP) has several new features that enable better protection and prevention of targeted attacks that utilize living-off-the-land techniques including ransomware and supply chain threats. Step-by-Step Guide to Controlling Device Installation Using Group Policy.
HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers.
Fortunately, Windows Server 2008 R2 provides us administrators with a method for easily disabling USB drive access on Active Directory domain assets.