You have two main tactics, firstly, to prevent users from installing USB
drivers, and secondly twart them from reading from a USB device. The
problem with preventing installing a driver is that one may have been
installed already; in which case policy will be ineffective.
My preferred tactic is to foil people reading from the USB drive.
The problem here is they can still write, or even execute programs on the
drive. Good news, I have a Plan B whereby we employ sister group policies to disable write, and
separately, to disable execute. The only problem now is that nobody
can use a USB drive.
If this is not the outcome you want, then set these three policies in the
User Configuration (rather than the Computer section), and deny them to administrators. This double
negative means that administrators can use the USB ports unhindered, while ordinary users
are denied access.
This policy setting prevents the installation of devices that are not
specifically described by any other policy setting.
If you enable this setting, Windows is prevented from installing the device
driver.
Note 1: As with many Windows 8 Group Policies, check the
logic, for instance, Prevent -- > Enable. This means you cannot
use the USB drive.
Note 2: In keeping with a modern trend there is no need to
reboot, or even logoff before this policy bites. You may however, like
to run the command-line Gpupdate on the Windows 8 client.
Setting group policies in either the Computer, or User Configuration can prevent people from
reading (or writing) to a USB device, or copying files to the USB stick. Using a policy
in the Computer Configuration section is simple and absolute. While
configuring 'Removable disks: Deny read access' in the User Section is more
flexible, it leaves you open to permissions problems, or to be realistic,
opening the door for administrators to remove data from machines.
Normally you would also Enable the 'Deny execute access', and 'Deny write
access' next-door group policies. As I mentioned earlier, you could
also set the same policies in the User Configuration.
Note 3: To reverse this group policy I set Removable disks:
Deny read access, back to 'Not configured' rather than setting it to:
'Disable'
Guy Recommends: SolarWinds Engineer's Toolset v10
This
Engineer's Toolset v10 provides a comprehensive console of 50 utilities
for troubleshooting computer problems. Guy says it helps me
monitor what's occurring on the network, and each tool teaches me more about how the
underlying system operates.
There are so many good gadgets; it's like having free rein of a
sweetshop. Thankfully the utilities are displayed logically: monitoring,
network discovery, diagnostic, and Cisco tools. Try the SolarWinds Engineer's Toolset now!
Another strategy to frustrate users with USB sticks copying files
from your Windows 8 computer is to disable the USBSTOR service in the
registry. This method highlights the fact that a knowledgeable and determined
local administrator could reverse this attempt to disable USB access -
unless your Group Policy disables regedit too.
Anyway, you can research thus:
This is my least favourite method, there is an element of closing the door
after the horse has bolted, because it won't work if the user has already
used their USB stick. Also users are likely to research methods to
reverse this process.
Launch Windows Explorer, and then browse the %SystemRoot%\Inf
folder.
Locate the Usbstor.inf file, right-click then select Properties.
You want the Security tab.
Click on Edit [Key Point] For the Group or user names set 'Deny'
Full Control.
N.B. Repeat the 'Deny' procedure for Usbstor.pnf.
Registry Research For Windows 8 Group Policy
Experimenting with USBSTOR led me to wonder where in the registry the other
group policies tattooed their settings. I found the above
Disable USB
settings at this place in the registry:
My technique was to launch Regedit and export the entire registry, I called
the file: USBEnable.reg. Next I made the change to, 'Removable disks:
Deny read access', then I exported it again into USBDisable.reg. Next
I ran either WinDiff or this PowerShell script:
Note 4: The script took about 15 minutes to complete.
You could improve on my experiment by exporting only the HKEY_CURRENT_USER
branch of the registry.
SolarWinds' Config Generator is a free tool, which puts you in charge of
controlling changes to network routers and other SNMP devices.
Boost your network performance by activating network device features
you've already paid for.
Guy says that for newbies the biggest benefit of this free tool is that
it will provide the impetus for you to learn more about configuring the SNMP
service with its 'Traps' and 'Communities'. Try Config Generator now - it's
free!
Get a Test Machine If possible get a test Windows 8 machine
and use Gpedit, rather than
risking a domain OU with
GPMC. Your final mission may well be a group policy in a domain, but this
does introduce extra layers for troubleshooting, for example Domain
Controller replication and update delays.
Like their predecessors, Windows 8 Group policies make changes to the
registry, a fact which you can turn to your advantage by creating your own
.adm template based on registry keys, then importing these settings into
your Group Policy. That said this advanced technique is only useful if
there is no existing policy in the Administrative Template section.
Get a Simple Policy Working If a group policy that I am
attempting to apply does not work, I go back to basics and get a simple
policy to work just to make sure I am not making a fundamental mistake.
Also a strange thing happens once I get one policy working it seems easier
to get other more tricky settings to do what I ask of them.
Read the Policy Carefully Be careful with double negatives in group policies,
for instance, 'Turn off xyz...' Disabled, would mean a user gets xyz.
Check your logic with a quick look at the description of a policy you are
about to apply.
Prohibit connection to roaming Mobile Broadband networks.
Internet Explorer is a fertile area, for example: 'Disable change
proxy settings'
Enlightened administrators can find ways of using Windows 8 group
policies to make life easier for their users, for example, on low-spec
machines 'Always render print jobs on the server'.
»
Summary of
Windows 8 Disable USB Group Policy Settings
If you need to increase security by preventing users from attaching their USB sticks,
then there are four group policies to help you achieve your goal.
You can prevent installation of removable device drivers. But this may
not work, if a USB stick has been attached to the Windows 8 machine
previously, and the driver is already there. Thus my first choice
would be a policy to disable the ability to read from the USB drive.
If you like this page then please share it with your friends
Guy Recommends:
SolarWinds' NPM - Network Performance Monitor
SolarWinds' performance monitor is designed for detecting network outages,
making it easy to see what's working, and what needs your attention.
This utility guides you through creating network maps; it also helps
identifying whether the
root cause is faulty equipment, or resource overload. Give NPM a try.
