Group Policy Block USB Access Including Cellphones

(Last Updated On: 2019-08-21)

Probably one of the biggest threats known to all administrators is Removable Storage (USB Access). Not only does it bring the potential for Viruses and much other harmful Software, it also makes it easy for a disgruntled user to take a large amount of data quickly and easily. These days it is even worse with mobile devices like Cell Phones that are able to bypass the USB blocks that have been put in place. So how do we Block Access to USB and Cell Phones?

Windows Portable Devices

Windows Portable Devices (WPD) enables computers to communicate with attached media and storage devices. WPD provides a flexible, robust way for computers to communicate with music players, storage devices, mobile phones, cameras, and many other types of connected devices. This system supersedes both Windows Media Device Manager and Windows Image Acquisition.

Quoted from Microsoft

This is what allows a user's phone to still connect even though USB Access has been blocked. It is picked up normally, like your Keyboard or Printer, and the device you are connecting (for example, the Cell Phone) handles the Storage access. Thus even if you are hiding drives from the user it won't work, because there are no Drive letters.

Block USB Access

There are various ways to block USB access. A suggestion before just implementing willy-nilly: make sure your AD is planned out. Decide whether you are going to block USB access on the PC Level or on the User Level. I do not suggest doing it on both at the same time, as users and computers are hopefully in different OUs. Troubleshooting when you are applying policies from different locations can get very tricky and time-consuming.

Personally, when creating a Policy I use the following abbreviation to differentiate between where the Group Policy is applied.

CC: Computer Configuration
UC: User Configuration
DC: Dual Configuration (Both Computer and User Configs)

CC: Block USB Access

Group Policy

To Block access on the Computer Configuration browse to:
Policies→Administrative Templates→System→Removable Storage Access

You will be presented with multiple options on which device you can block and on which level you can block it. It is important to read the policy correctly. By Enabling “All Removable Storage classes: Deny all access” you are actually blocking access to all Removable Storage. Disabling the setting will actually open access to all Removable Storage.

Note if your goal is specifically targeted at Cell Phones or Portable Players you need to look at the WPD Settings.

Group Policy Name
All Removable Storage: Allow direct access in remote sessions
All Removable Storage classes: Deny all access
CD and DVD: Deny execute access
CD and DVD: Deny read access
CD and DVD: Deny write access
Custom Classes: Deny read access
Custom Classes: Deny write access
Floppy Drives: Deny execute access
Floppy Drives: Deny read access
Floppy Drives: Deny write access
Removable Disks: Deny execute access
Removable Disks: Deny read access
Removable Disks: Deny write access
Tape Drives: Deny execute access
Tape Drives: Deny read access
Tape Drives: Deny write access
Time (in seconds) to force reboot
WPD Devices: Deny read access
WPD Devices: Deny write access

It is important to know that each one of the above settings creates a Registry entry.
This registry Entry is in the Hive: HKEY_Local_Machine.
The Registry path is: Software\Policies\Microsoft\Windows\RemovableStorageDevices\

If you want more information on the Registry entries it creates you can visit getadmx.com. Although applying it through the GPO is much easier than recreating the entries manually.
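A read-only audit of the keys described above, so you can confirm what a GPO actually wrote on a machine. This is an added example, not code from the original post; the GUID-to-name map is my own reading of the ADMX template and should be verified against getadmx.com before you rely on it.

```powershell
# Added example (not from the original post): list the Removable Storage Access
# policy values present in both the CC (HKLM) and UC (HKCU) locations. Read-only.
$policyPath = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices'

# Friendly names for the device-class subkeys the ADMX template uses.
# Assumption: taken from my reading of the template; verify against getadmx.com.
$classNames = @{
    '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' = 'Removable Disks'
    '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}' = 'CD and DVD'
    '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}' = 'Floppy Drives'
    '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}' = 'Tape Drives'
    '{6AC27878-A6FA-4155-BA85-F98F491D4F33}' = 'WPD Devices'
    '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}' = 'WPD Devices'
}

function Get-RemovableStoragePolicy {
    foreach ($hive in 'HKLM', 'HKCU') {
        $root = "${hive}:\$policyPath"
        if (-not (Test-Path $root)) {
            [pscustomobject]@{ Hive = $hive; Class = '(none)'; Setting = 'no policy key present'; Value = $null }
            continue
        }
        # "All Removable Storage classes: Deny all access" writes Deny_All on the root key
        $denyAll = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).Deny_All
        if ($null -ne $denyAll) {
            [pscustomobject]@{ Hive = $hive; Class = 'All Removable Storage'; Setting = 'Deny_All'; Value = $denyAll }
        }
        # Each per-class setting lives in a GUID-named subkey holding Deny_Read / Deny_Write / Deny_Execute
        foreach ($sub in Get-ChildItem -Path $root) {
            $name = $classNames[$sub.PSChildName]
            if (-not $name) { $name = "Custom Class $($sub.PSChildName)" }
            $props = Get-ItemProperty -Path $sub.PSPath
            foreach ($setting in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
                if ($null -ne $props.$setting) {
                    [pscustomobject]@{ Hive = $hive; Class = $name; Setting = $setting; Value = $props.$setting }
                }
            }
        }
    }
}

Get-RemovableStoragePolicy | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on a domain-joined test machine after gpupdate to see which of the policies above actually landed in each hive.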

Registry

Aside from the above-mentioned Registry keys, there is another way of stopping access to USB Devices. Note this does not stop Cell Phones from appearing, as they fall under the WPD category and use a different way of connecting. It is important to know this as it is easy to set up but has a lot of problematic holes in it.

One of them is that if you disable access and a new device connects, the registry entry gets automatically changed to allow access. Only once the Group Policy refreshes will the key revert to Disabled again.

When creating the Entry Open Computer Configuration and browse to:
Preferences → Windows Settings → Registry
On the Right-hand Panel, Alternate Click and choose New → Registry Item.

As per the picture below, update the settings with the following:

USB Block

Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SYSTEM\CurrentControlSet\Services\USBSTOR
Value Name: Start
Value Type: REG_DWORD
Value Data:
-To Enable Access Make the Value: 3
-To Disable Access Make the Value: 4

UC: Block USB Access

Group Policy

To Block access on the User Configuration browse to:
Policies→Administrative Templates→System→Removable Storage Access

The rest of the settings you see there will be exactly the same as the Computer Configuration.

The only difference between UC and CC is that the registry entries are created in a different location.
This registry Entry is in the Hive: HKEY_Current_User.
The Registry path is: Software\Policies\Microsoft\Windows\RemovableStorageDevices\

Registry

With regards to the registry setting for the user, again everything is exactly the same except where it gets created.

When creating the Entry Open User Configuration and browse to:
Preferences → Windows Settings → Registry
On the Right-hand Panel, Alternate Click and choose New → Registry Item.

Even the Registry Entry you fill in is the same:
Hive: HKEY_LOCAL_MACHINE
Key Path: SYSTEM\CurrentControlSet\Services\USBSTOR

Priority

One of the things with GPO is which priority takes precedence. For most cases where you work with only Computer Configuration or only User Configuration, it will make the changes from the last OU with config for that specific Value.

But what happens when the Computer takes the last config and the User that logs on takes a different config? Which Policy will take Precedence?

Well, I did a few tests specifically working with USB access. What I found was that the HKLM Administrative Templates applied Registry Keys take Precedence over HKCU Administrative Templates applied Registry Keys. Even if you explicitly deny on user-level it will still allow access if the Computer Level explicitly allows access. In this case, you will have to rely on the “Start” Value in the USBSTOR to deny access to a USB Device.

CC: Deny    UC: Deny    USBSTOR Start      Result
Enabled     Enabled     USB Deny Start     Access Denied by CC: Deny Enabled
Enabled     Enabled     USB Allow Start    Access Denied by CC: Deny Enabled
Enabled     Disabled    USB Deny Start     Access Denied by CC: Deny Enabled
Enabled     Disabled    USB Allow Start    Access Denied by CC: Deny Enabled
Disabled    Enabled     USB Deny Start     Access Denied by: USB Deny Start
Disabled    Enabled     USB Allow Start    Access Allowed by: CC: Deny Disabled
Disabled    Disabled    USB Deny Start     Access Denied by: USB Deny Start
Disabled    Disabled    USB Allow Start    Access Allowed by: All
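The precedence from the tests above, together with the USBSTOR "Start" item from the Registry section, turned into a check you can run on a machine to report the effective result. This is an added example, not the author's code; it assumes "Disabled" covers both an explicitly disabled and a not-configured "Deny all access" setting, and that Start=4 is the USB Deny Start and Start=3 the USB Allow Start as set out earlier.

```powershell
# Added example (not from the original post): evaluate effective USB-storage access from
# the three settings the author's tests cover, applying the precedence observed:
# CC "Deny all" wins over UC, and USBSTOR Start=4 denies regardless of the UC setting.
$policyPath = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-DenyAllState([string]$hive) {
    # 'Enabled' when Deny_All=1 is present; 'Disabled' otherwise.
    # Assumption: a missing value (Not Configured) is treated the same as Disabled.
    $v = (Get-ItemProperty -Path "${hive}:\$policyPath" -ErrorAction SilentlyContinue).Deny_All
    if ($v -eq 1) { 'Enabled' } else { 'Disabled' }
}

function Resolve-UsbAccess([string]$ccDeny, [string]$ucDeny, [int]$usbstorStart) {
    # Same outcomes as the author's table, checked in precedence order
    if ($ccDeny -eq 'Enabled') { return 'Access Denied by CC: Deny Enabled' }
    if ($usbstorStart -eq 4)   { return 'Access Denied by: USB Deny Start' }
    if ($ucDeny -eq 'Enabled') { return 'Access Allowed by: CC: Deny Disabled (UC deny is overridden)' }
    return 'Access Allowed by: All'
}

function Get-EffectiveUsbAccess {
    $cc    = Get-DenyAllState 'HKLM'
    $uc    = Get-DenyAllState 'HKCU'
    $start = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start).Start
    [pscustomobject]@{
        'CC: Deny'      = $cc
        'UC: Deny'      = $uc
        'USBSTOR Start' = $start
        Result          = Resolve-UsbAccess $cc $uc $start
    }
}

Get-EffectiveUsbAccess | Format-List
```

Because the USBSTOR Start value can flip back to 3 when a new device is plugged in until the next policy refresh, running this periodically and alerting when Result changes is a cheap way to catch that drift.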
