Probably one of the biggest threats known to every administrator is removable storage (USB access). Not only does it bring in viruses and other harmful software; it also makes it quick and easy for a disgruntled user to walk out with a large amount of data. These days it is even worse with mobile devices such as cell phones, which are able to bypass the USB blocks that have been put in place. So how do we block access to USB storage and cell phones?
Windows Portable Devices
Windows Portable Devices (WPD) enables computers to communicate with attached media and storage devices. WPD provides a flexible, robust way for computers to communicate with music players, storage devices, mobile phones, cameras, and many other types of connected devices. This system supersedes both Windows Media Device Manager and Windows Image Acquisition.
Quoted from Microsoft
This is what allows a user's phone to still connect even though USB access has been blocked. It is detected normally, like your keyboard or printer, and the connected device (for example the cell phone) handles the storage access itself. Hiding drives from the user therefore does not work, because there are no drive letters to hide.
Block USB Access
There are various ways to block USB access. A suggestion before implementing anything willy-nilly: make sure your AD is planned out. Decide whether you are going to block USB access at the PC level or at the user level. I do not suggest doing both at the same time, as users and computers are hopefully in different OUs; troubleshooting policies applied from different locations can get very tricky and time-consuming.
Personally, when creating a policy I use the following abbreviations to differentiate where the Group Policy is applied.
CC: Computer Configuration
UC: User Configuration
DC: Dual Configuration (Both Computer and User Configs)
CC: Block USB Access
Group Policy
To block access in the Computer Configuration, browse to:
Policies→Administrative Templates→System→Removable Storage Access
You will be presented with multiple options for which device class you can block and at which level. It is important to read each policy correctly: Enabling "All Removable Storage classes: Deny all access" blocks access to all removable storage, whereas Disabling the setting opens access to all removable storage.
Note that if your goal is specifically cell phones or portable players, you need to look at the WPD settings.
Group Policy Name:
- All Removable Storage: Allow direct access in remote sessions
- All Removable Storage classes: Deny all access
- CD and DVD: Deny execute access
- CD and DVD: Deny read access
- CD and DVD: Deny write access
- Custom Classes: Deny read access
- Custom Classes: Deny write access
- Floppy Drives: Deny execute access
- Floppy Drives: Deny read access
- Floppy Drives: Deny write access
- Removable Disks: Deny execute access
- Removable Disks: Deny read access
- Removable Disks: Deny write access
- Tape Drives: Deny execute access
- Tape Drives: Deny read access
- Tape Drives: Deny write access
- Time (in seconds) to force reboot
- WPD Devices: Deny read access
- WPD Devices: Deny write access
It is important to know that each one of the above settings creates a registry entry.
This registry entry is in the hive HKEY_LOCAL_MACHINE.
The registry path is: Software\Policies\Microsoft\Windows\RemovableStorageDevices\
If you want more information on the registry entries it creates, you can visit getadmx.com, although applying it through the GPO is much easier than recreating the entries manually.
Registry
Aside from the above-mentioned registry keys, there is another way of stopping access to USB devices. Note that this does not stop cell phones from appearing, as they fall under the WPD category and use a different way of connecting. It is important to know this method because it is easy to set up but has a lot of holes in it.
One of them is that if you have disabled access and a new device connects, the registry entry gets automatically changed to allow access. Only once Group Policy refreshes will the key revert to Disabled again.
When creating the entry, open Computer Configuration and browse to:
Preferences → Windows Settings → Registry
On the right-hand panel, right-click and choose New → Registry Item.
Update the settings as per the picture below:
Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SYSTEM\CurrentControlSet\Services\USBSTOR
Value Name: Start
Value Type: REG_DWORD
Value Data:
- To enable access, make the value: 3
- To disable access, make the value: 4
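Because the USBSTOR Start value can drift back to 3 when a new device connects (until the next Group Policy refresh), it is worth being able to set and audit it from a script rather than only through the GPP item. The following is an added example, not code from the original post: it sets the value in the same key the post describes (3 = allow, 4 = deny) and reports whether the current value still matches what you intended. It assumes an elevated PowerShell session; the function names are my own.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell session.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-UsbStorAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Allow', 'Deny')]
        [string]$Mode
    )
    # Same values the post uses for the GPP registry item:
    # 3 = USBSTOR driver loads on demand (access allowed)
    # 4 = USBSTOR driver disabled (access denied)
    $desired = if ($Mode -eq 'Allow') { 3 } else { 4 }

    if ($PSCmdlet.ShouldProcess($UsbStorKey, "Set Start = $desired")) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value $desired -Type DWord
    }
}

function Test-UsbStorAccess {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Allow', 'Deny')]
        [string]$Expected
    )
    $desired = if ($Expected -eq 'Allow') { 3 } else { 4 }
    $current = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start

    # Compliant = $false is the drift case described above: a device was
    # plugged in and the key flipped back to 3 before the next GP refresh.
    [pscustomobject]@{
        Key       = $UsbStorKey
        Expected  = $desired
        Current   = $current
        Compliant = ($current -eq $desired)
    }
}

# Usage:
#   Set-UsbStorAccess -Mode Deny -WhatIf   # preview the change
#   Set-UsbStorAccess -Mode Deny
#   Test-UsbStorAccess -Expected Deny      # run periodically to catch drift
```

Running `Test-UsbStorAccess` from a scheduled task gives you a cheap detection for the drift problem; when it reports `Compliant = False`, a `gpupdate /Target:Computer /Force` brings the key back in line with the GPP item.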
UC: Block USB Access
Group Policy
To block access in the User Configuration, browse to:
Policies→Administrative Templates→System→Removable Storage Access
The rest of the settings you see there will be exactly the same as in the Computer Configuration.
The only difference between UC and CC is that the registry entries are created in a different location.
This registry entry is in the hive HKEY_CURRENT_USER.
The Registry path is: Software\Policies\Microsoft\Windows\RemovableStorageDevices\
Registry
With regard to the registry setting for the user, again everything is exactly the same except where it gets created.
When creating the entry, open User Configuration and browse to:
Preferences → Windows Settings → Registry
On the right-hand panel, right-click and choose New → Registry Item.
Even the registry entry you fill in is the same:
Hive: HKEY_LOCAL_MACHINE
Key Path: SYSTEM\CurrentControlSet\Services\USBSTOR
Priority
One of the things with GPO is which priority takes precedence. In most cases, where you work with only Computer Configuration or only User Configuration, it will apply the change from the last OU that has a configuration for that specific value.
But what happens when the computer takes the last config and the user that logs on takes a different config? Which policy will take precedence?
Well, I did a few tests specifically working with USB access. What I found was that the HKLM Administrative Templates applied registry keys take precedence over HKCU Administrative Templates applied registry keys. Even if you explicitly deny on user level, it will still allow access if the computer level explicitly allows access. In this case, you will have to rely on the "Start" value in the USBSTOR to deny access to a USB device.
CC: Deny | UC: Deny | USBSTOR Start | Result
Enabled | Enabled | Deny | Access Denied by CC: Deny Enabled
Enabled | Enabled | Allow | Access Denied by CC: Deny Enabled
Enabled | Disabled | Deny | Access Denied by CC: Deny Enabled
Enabled | Disabled | Allow | Access Denied by CC: Deny Enabled
Disabled | Enabled | Deny | Access Denied by: USB Deny Start
Disabled | Enabled | Allow | Access Allowed by: CC: Deny Disabled
Disabled | Disabled | Deny | Access Denied by: USB Deny Start
Disabled | Disabled | Allow | Access Allowed by: All
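The table above reduces to a short decision rule: a Computer Configuration deny always wins, the USBSTOR Start value decides next, and the User Configuration deny never changes the outcome on its own. The following is an added example, not code from the original post, that encodes that rule and applies it to the live registry state of a machine so you can see which setting is actually governing access. It assumes that the ADMX template writes "All Removable Storage classes: Deny all access" as a DWORD named Deny_All under the RemovableStorageDevices path given earlier (an assumption on my part; confirm it on getadmx.com as the post suggests), and it treats anything other than Deny_All = 1 as "Deny Disabled". The function names are my own.

```powershell
# Added example (not from the original post).

function Resolve-UsbAccess {
    param(
        [Parameter(Mandatory)][bool]$ComputerDenyEnabled,  # CC: "Deny all access" Enabled?
        [Parameter(Mandatory)][bool]$UserDenyEnabled,      # UC: "Deny all access" Enabled?
        [Parameter(Mandatory)][bool]$UsbStorDenied         # USBSTOR Start = 4?
    )
    # Row-by-row reading of the post's precedence table.
    if ($ComputerDenyEnabled) { return 'Access Denied by CC: Deny Enabled' }
    if ($UsbStorDenied)       { return 'Access Denied by: USB Deny Start' }
    if ($UserDenyEnabled)     { return 'Access Allowed by: CC: Deny Disabled' }
    return 'Access Allowed by: All'
}

function Get-UsbAccessState {
    $policyPath = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices'
    $usbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    # Deny_All is assumed to be the value name the ADMX template writes for
    # "All Removable Storage classes: Deny all access". A missing key or value
    # (policy Not Configured or Disabled) evaluates to $false here.
    $ccDeny = (Get-ItemProperty -Path "HKLM:\$policyPath" -Name Deny_All `
                -ErrorAction SilentlyContinue).Deny_All -eq 1
    $ucDeny = (Get-ItemProperty -Path "HKCU:\$policyPath" -Name Deny_All `
                -ErrorAction SilentlyContinue).Deny_All -eq 1
    $start  = (Get-ItemProperty -Path $usbStorKey -Name Start).Start

    [pscustomobject]@{
        ComputerDenyEnabled = $ccDeny
        UserDenyEnabled     = $ucDeny
        UsbStorStart        = $start
        EffectiveAccess     = Resolve-UsbAccess -ComputerDenyEnabled $ccDeny `
                                                -UserDenyEnabled $ucDeny `
                                                -UsbStorDenied ($start -eq 4)
    }
}

# Usage:
#   Get-UsbAccessState | Format-List
#
# Walking the post's table without touching the registry:
#   Resolve-UsbAccess -ComputerDenyEnabled $false -UserDenyEnabled $true -UsbStorDenied $false
#   (returns 'Access Allowed by: CC: Deny Disabled', the row where a user-level deny is overridden)
```

Run `Get-UsbAccessState` in the context of the user you are testing, since the HKCU branch is read from the current user's hive; the HKLM and USBSTOR values are machine-wide and the same for everyone who logs on.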