While USB drives and other portable media are convenient, data protection policies may prohibit administrators or other individuals from connecting storage devices to servers.
Windows Server introduces a Group Policy setting that can prohibit read or write access to floppy, CD and DVD drives, tape drives, and devices such as mobile phones, music players, and cameras. These classes can also be prohibited collectively, so that the rule applies to all classes of removable storage.
This functionality is available with Windows Server and Windows Vista, but it is ignored in previous versions of Windows. For example, if all computer accounts are in one organizational unit (OU), the Computer Configuration equivalent of this configuration can be made in a GPO and linked to the OU for a consistent configuration across all computer accounts in that OU.
This OU contains the computers. Connect any USB device to the computer and you should see the message "Access is denied". The policy that we applied will prevent users from mounting any class of removable media. I would like to disable all removable media access, but this is not practical for business. Is there a way to disable all access, but allow the administrators to override so that someone can use a USB stick and have the admin allow it with their credentials?
Great sharing, Prajwal. Though disabling USB devices by using group policies is effective, it is not the most user-friendly or easy way to go about it.
Nor is it the most secure and effective method. CurrentWare AccessPatrol is an endpoint security software that allows administrators to set endpoint device policies on their network. This software applies to more than just USB devices, as it can be used to block or allow smartphones, sound cards, adapters, Bluetooth devices and much more.
From one central console, administrators can apply endpoint security policies and they can even run reports to see endpoint activity in their network.
It also helps with permitting or denying path access to our fileservers and application whitelisting. Thanks for the article. Hi Prajwal, I am a junior network administrator, my boss wants keyboard port delete in disabled, can mr help me?
Could I force a policy refresh using Task Scheduler on the client machines? Do you see any issues with this idea? This will need a system restart to take effect. Just an idea. Scratch that. How many clients are going to hit your DCs though at the same time? Around 20 users would be the maximum.
No real impact then. You can do this through PowerShell:
Restart your computer and try to connect your USB storage device. To do this, you need to make changes to the registry through the GPO. These settings can be deployed to all domain computers.
You can use a certain registry setting to allow a specific approved USB storage drive to connect to your computer. You can delete all registry keys for previously connected USB flash drives, except for those you need. Have you tested it on Windows 10? I have tested it on Windows 10 Pro, but it does not work. The policy is applied but the USB is not denied.
AD is Windows Server R2 and Windows 10 admx is installed. I have not tested this policy on clients Windows Can you check that the policy is working correctly on older clients Win 7, 8. I configured the GPO but it is not working on Win7. DC is R2. By mistake I did the same, but I revoked the policy and the USB is still blocked. I'm also using Win Server R2.