You can implement security policies using Active Directory Group Policy Objects (GPO) to block write permissions on USB storage devices while allowing read access only. This is an effective security measure for preventing data exfiltration and malware infections.

Method 1: GPO Configuration via Computer Configuration

Step-by-Step Setup Process

  1. Open Group Policy Management Console
    • Run gpmc.msc on your domain controller
    • Create a new GPO or edit an existing one
  2. Navigate to GPO Policy Path
    Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access
    
  3. Configure USB Write Block Policy
    • Double-click the Removable Disks: Deny write access policy
    • Set to Enabled
    • Click Apply > OK

Available Policy Options

Policy Name | Function | Recommended Setting
--- | --- | ---
Removable Disks: Deny write access | Block USB write permissions | Enabled
Removable Disks: Deny read access | Block USB read permissions | Disabled
Removable Disks: Deny execute access | Block executable files on USB | Enabled (enhanced security)
All Removable Storage classes: Deny all access | Block all removable storage devices | As needed

GPO Application and Linking

  1. Link GPO to OU
    • Right-click target OU → “Link an Existing GPO”
    • Select your created GPO
  2. Force Policy Update
    gpupdate /force
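The same GPO can be created, populated and linked from PowerShell instead of clicking through gpmc.msc. The script below is an added example, not part of the original article; it uses the GroupPolicy module (RSAT or a domain controller) and assumes a GPO name, a target OU distinguished name (placeholder) and the Removable Disks device-class GUID subkey under the policy root that the Removable Storage Access templates write to.

```powershell
# Added example (not from the original article): build and link the
# "Removable Disks: Deny write access" GPO with the GroupPolicy module.
# Run as a user allowed to create and link GPOs.
# Assumptions (not on the page): GPO name, target OU DN, and the
# device-class GUID subkey used by the Removable Storage Access templates.
Import-Module GroupPolicy

$GpoName  = 'USB-ReadOnly'                       # assumed name
$TargetOu = 'OU=Workstations,DC=corp,DC=example' # placeholder OU DN

# Policy root from the article, plus the Removable Disks class GUID subkey
# (well-known value; confirm by inspecting a manually configured GPO).
$RemovableDisks = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function New-UsbReadOnlyGpo {
    param([string]$Name, [string]$OuDn, [string]$Key)

    # Idempotent: reuse the GPO if it already exists
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment 'Removable disks: deny write/execute, allow read'
    }

    # Same three values as the article's table: write and execute denied, read allowed
    Set-GPRegistryValue -Name $Name -Key $Key -ValueName 'Deny_Write'   -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $Name -Key $Key -ValueName 'Deny_Execute' -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $Name -Key $Key -ValueName 'Deny_Read'    -Type DWord -Value 0 | Out-Null

    # Link to the OU only if it is not linked there already
    $linked = (Get-GPInheritance -Target $OuDn).GpoLinks | Where-Object DisplayName -eq $Name
    if (-not $linked) {
        New-GPLink -Name $Name -Target $OuDn -LinkEnabled Yes | Out-Null
    }

    # Return the values as stored in the GPO so the caller can confirm them
    Get-GPRegistryValue -Name $Name -Key $Key
}

New-UsbReadOnlyGpo -Name $GpoName -OuDn $TargetOu -Key $RemovableDisks
```

Clients still need a refresh (gpupdate /force, as above) before the values take effect; the returned Get-GPRegistryValue output only confirms what the GPO stores.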

Method 2: GPO Configuration via User Configuration

Configuration Path

User Configuration > Policies > Administrative Templates > System > Removable Storage Access

Computer Configuration vs User Configuration Comparison

Aspect | Computer Configuration | User Configuration
--- | --- | ---
Scope | All users on the computer | Specific users (any computer)
Priority | High | Low
Management Complexity | Low | High
Recommended Use | General security policies | User-specific differentiation

Method 3: Direct Registry Configuration

Registry Key Location

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices

Manual Registry Setup

  1. Run regedit
  2. Navigate to the above path (create keys if they don’t exist)
  3. Create the following DWORD values:

Value Name | Data | Function
--- | --- | ---
Deny_Write | 1 | Block USB write access
Deny_Read | 0 | Allow USB read access
Deny_Execute | 1 | Block executable files
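For a single machine (for example a host that is not domain-joined), the Method 3 values can be written and read back with a short script. This is an added example, not code from the article; it must run elevated, and it assumes that the values are read from the Removable Disks device-class GUID subkey beneath the policy root given above, so it creates that subkey.

```powershell
# Added example (not from the article): apply the Method 3 registry values on
# one machine and read them back. Run from an elevated PowerShell session.
# Assumption (not stated on the page): the values live in the Removable Disks
# device-class GUID subkey under the article's policy root.
$PolicyRoot         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableDisksGuid = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # assumed class GUID
$Key                = Join-Path $PolicyRoot $RemovableDisksGuid

# Values from the article's table: block write and execute, allow read
$Desired = @{ Deny_Write = 1; Deny_Read = 0; Deny_Execute = 1 }

function Set-RemovableDiskPolicy {
    param([string]$Path, [hashtable]$Values)
    # Create the key path if it does not exist (the article's step 2)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        # -Force overwrites an existing value of the same name
        New-ItemProperty -Path $Path -Name $name -PropertyType DWord -Value $Values[$name] -Force | Out-Null
    }
}

function Get-RemovableDiskPolicy {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    $p = Get-ItemProperty -Path $Path
    [pscustomobject]@{
        Deny_Write   = $p.Deny_Write
        Deny_Read    = $p.Deny_Read
        Deny_Execute = $p.Deny_Execute
        # True when the drive is readable but not writable, the state this article aims for
        ReadOnly     = ($p.Deny_Write -eq 1 -and $p.Deny_Read -ne 1)
    }
}

Set-RemovableDiskPolicy -Path $Key -Values $Desired
Get-RemovableDiskPolicy -Path $Key
```

On a domain-joined machine a linked GPO rewrites this key at every refresh, so local edits here are only useful where no GPO manages the setting.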

Method 4: Exception Handling for Specific Users/Groups

Security Filtering Configuration

  1. Create Exception Group
    • Create a new security group in Active Directory Users and Computers
    • Example: “USB_Access_Allowed”
  2. Configure GPO Security Filtering
    • Select GPO → Security Filtering section
    • Add “USB_Access_Allowed” group
    • Go to Delegation tab → Click Advanced
    • Set “Apply group policy” permission to Deny for this group

Permission Settings Table

Group | Read | Apply Group Policy | Result
--- | --- | --- | ---
Authenticated Users | Allow | Allow | Policy applied
USB_Access_Allowed | Allow | Deny | Policy not applied
Domain Computers | Allow | | Read policy only
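After setting the Deny, the resulting filtering can be checked from the command line rather than by reading the Delegation tab. The function below is an added example, not from the article; it uses Get-GPPermission from the GroupPolicy module and assumes the GPO name, while the exception group name is the article's own example.

```powershell
# Added example (not from the article): audit a GPO's Security Filtering with
# Get-GPPermission so the Permission Settings Table can be confirmed.
# Assumption: GPO name 'USB-ReadOnly'; the group name is the article's example.
Import-Module GroupPolicy

function Get-GpoFilteringReport {
    param([string]$GpoName, [string]$ExceptionGroup = 'USB_Access_Allowed')

    $perms = Get-GPPermission -Name $GpoName -All

    # Every Apply Group Policy entry, with whether it is an Allow or a Deny ACE
    $apply = $perms | Where-Object { $_.Permission -eq 'GpoApply' } | ForEach-Object {
        [pscustomobject]@{
            Trustee = $_.Trustee.Name
            Apply   = if ($_.Denied) { 'Deny' } else { 'Allow' }
        }
    }

    # Troubleshooting check from the article: Authenticated Users must keep Read
    # (GpoApply implies GpoRead, so either non-denied permission counts)
    $authRead = $perms | Where-Object {
        $_.Trustee.Name -like '*Authenticated Users' -and
        $_.Permission -in 'GpoRead', 'GpoApply' -and -not $_.Denied
    }

    # The exception group should appear as a Deny on Apply Group Policy
    $exceptionDenied = $apply | Where-Object {
        $_.Trustee -like "*$ExceptionGroup" -and $_.Apply -eq 'Deny'
    }

    [pscustomobject]@{
        Gpo                       = $GpoName
        ApplyEntries              = $apply
        AuthenticatedUsersCanRead = [bool]$authRead
        ExceptionGroupDenied      = [bool]$exceptionDenied
    }
}

Get-GpoFilteringReport -GpoName 'USB-ReadOnly'
```

A report with AuthenticatedUsersCanRead false explains the "GPO not applying" row in the Troubleshooting section; ExceptionGroupDenied false means the Deny was never set and members of the group still receive the write block.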

Method 5: Allow Only BitLocker-Protected Drives

Policy Configuration

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives
  • Enable Deny write access to removable drives not protected by BitLocker
  • Only allows write access to BitLocker-encrypted USB drives

Configuration Verification and Testing

Verify Policy Application

# Check currently applied policies
gpresult /r

# Detailed policy information
gpresult /h report.html

Functional Testing

  1. Connect USB device
  2. Attempt to copy files
  3. Expected results:
    • Read: Normal operation
    • Write: “Access is denied” error or “Administrator permission required” message
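The functional test above can be scripted so that every removable volume is checked the same way. This is an added example, not from the article: it enumerates removable logical disks, confirms a directory listing works, attempts a single harmless file write (probe file name assumed), and reports whether the outcome matches the expected "read works, write denied" result.

```powershell
# Added example (not from the article): functional test of the write block.
# Expected on a correctly applied policy: read succeeds, write fails with an
# access-denied error. Probe file name is an assumption; it is removed again
# if the write unexpectedly succeeds.
function Test-RemovableDriveAccess {
    # DriveType 2 = removable disk in Win32_LogicalDisk
    $drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($d in $drives) {
        $root = "$($d.DeviceID)\"
        $readOk = $false; $writeOk = $false; $writeError = $null

        # Read check: listing the root must work (an empty drive still succeeds)
        try { Get-ChildItem -Path $root -ErrorAction Stop | Out-Null; $readOk = $true }
        catch { $readOk = $false }

        # Write check: create one small file; the policy should refuse it
        $probe = Join-Path $root 'usb-writeblock-probe.tmp'
        try {
            [IO.File]::WriteAllText($probe, 'probe')
            $writeOk = $true
            Remove-Item $probe -Force -ErrorAction SilentlyContinue
        } catch {
            # UnauthorizedAccessException corresponds to the "Access is denied" message
            $writeError = $_.Exception.GetType().Name
        }

        [pscustomobject]@{
            Drive        = $d.DeviceID
            ReadWorks    = $readOk
            WriteBlocked = -not $writeOk
            WriteError   = $writeError
            PolicyOk     = ($readOk -and -not $writeOk)
        }
    }
}

Test-RemovableDriveAccess | Format-Table -AutoSize
```

Run it as a normal (non-exempt) user after gpupdate /force: a row with PolicyOk false and WriteBlocked false means the write went through and the policy is not in effect for that account or machine, which points back to the Troubleshooting table below.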

Troubleshooting

When Policy Doesn’t Apply

Issue | Solution
--- | ---
GPO not applying | Verify Authenticated Users has Read permission
Some users not affected | Recheck Security Filtering configuration
Not applying immediately | Run gpupdate /force and reboot

Registry Key Creation Errors

  • Manually create StorageDevicePolicies key if it doesn’t exist
  • Ensure running with administrator privileges