Hi friends, Hope you all are doing good. Today we will learn one more thing in our blog.
Today we are going to discuss how to block the USB ports in laptops of Desktops computers.
Question is why someone wants to block the ports? Answer is to prevent theft of your valuable data through any USB devices.
Assume you are working as an iT admin in an organization which does a product designing and you want to prevent the designs being theft from any laptops, desktops or workstation computers.
Mehthod-1-Using device Manager
So this is the easiest method to disable the USB ports. just follow the steps below.
Step -1 – Open the device manager … Now there are two ways you can open the device manager.
Click on Start- Run or press (Cltr + R) & then type “devmgmt.msc) & click OK.
OR
Right click on my computer and click on manage option.
A device manager window will pop up as shown in the screen below.
Now click on device manager & then click on “Universal serial Bus Controllers”
Now right click on the USB port you wan to disable and click on disable.. If prompted click yes.
Please note in above method can be executed through administrator account only. Anyone having admin access the enable the settings.
Mehthod-2-Using group policy editor
n Windows, you can flexibly manage access to external drives (USB, CD / DVD, etc.) using Active Directory Group Policies (we do not consider a radical way to disable USB ports through BIOS settings). You can block only USB drives, while other types of USB devices (mouse, keyboard, printer, USB to COM port adapters) that are not recognized as a removable disk will be available to the user.
We are going to block USB drives on all computers in a domain OU named Workstations. You can apply the USB restriction policy to the entire domain, but this will affect the servers and other technological devices.
- Open the GPO management console (
gpmc.msc
), find the Workstations container in the Organizational Unit structure, right-click on it, and create a new policy (Create a GPO in this domain and Link it here);
2.Set the GPO name “Disable USB Access”;
3.Switch to GPO edit mode (Edit).
There are settings for blocking external storage devices in both the User and Computer Configuration sections of the GPO editor:
- User Configuration -> Policies -> Administrative Templates -> System -> Removable Storage Access.
- Computer Configuration -> Policies -> Administrative Templates -> System -> Removable Storage Access.
- In the Removable Storage Access section, there are several policies allowing you to disable the use of different types of storage classes: CD/DVDs, FDD, USB devices, tapes, etc.
- CD and DVD: Deny execute access.
- CD and DVD: Deny read access.
- CD and DVD: Deny write access.
- Custom Classes: Deny read access.
- Custom Classes: Deny write access.
- Floppy Drives: Deny execute access.
- Floppy Drives: Deny read access.
- Floppy Drives: Deny write access.
- Removable Disks: Deny execute access.
- Removable Disks: Deny read access.
- Removable Disks: Deny write access.
- All Removable Storage classes: Deny all access.
- All Removable Storage: Allow direct access in remote sessions.
- Tape Drives: Deny execute access.
- Tape Drives: Deny read access.
- Tape Drives: Deny write access.
- Windows Portable Device – this class includes smartphones, tablets, players, etc.
- WPD Devices: Deny write access.
As you can see, for each device class you can deny the launch of executable files (protect computers against viruses), prohibit reading data, and writing/editing files on external storage.
You can implement the “strongest” restrict policy All Removable Storage Classes: Deny All Access to completely disable the access to all types of external storage devices. To enable this policy, open its properties and change from Not Configured to Enabled.
After enabling and updating the GPO settings on client computers (gpupdate /force), the Windows will detect the connected external devices (not only USB devices, but also any external drives), but when trying to open them, an error will appear:
Location is not available Drive is not accessible. Access is denied.
Tip. The same restriction can be set using the registry by creating DWORD parameter Deny_All with the value 00000001 under the registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices.
For example, to prevent writing data to USB flash drives and other types of USB removable storage, you should enable the policy Removable Disk: Deny write access.
In this case, users will be able to read the data from the USB flash drive, but when they attempt to write information to it, they will receive an access denied error:
Destination Folder Access Denied You need permission to perform this action
You can prevent executable and script files from running from USB drives using the Removable Disks: Deny execute access policy.
Hope this article will help you. Tech-dial is startup which provide free consultation & on site technical support. In case you have any queries you can reach us on techdialpune@gmail.com