
Secure removable storage devices via Group Policy in Vista

While disabling or "gluing" a USB drive can help to prevent serious threats from entering your network, there is always a workaround. However, Vista allows you to disable such drives using Group Policy. Find out how it works in this tip.

Check out the second part of this series on the security of removable storage devices via Group Policy here.

Restricting removable devices through Group Policy isn't a perfect security solution to your network since a user who has already installed a storage device, like a USB drive, can continue to use it. However, there are more granular settings available that allow you to restrict a particular removable storage device by device ID.

It is hard to say which security exploit is the biggest threat to your organization's data. I tend to think that removable storage devices, USB drives in particular, are near the top of the list for several reasons. First, USB storage devices are very easy to come by. For instance, I was checking out at the grocery store last week and the store was selling 4 GB USB drives for under $50 in the impulse item section.

Second, the simple fact that you can fit up to 4 GB of data on a USB drive means users can bring something as large as an application into the organization. It also means they could steal up to 4 GB worth of data from your network at a time. Any data that a user can access could easily be copied to one of these drives. Its small size makes it very easy for a user to smuggle the drive in and out of the building.

Over the last few years, I have spoken to quite a few administrators who share my opinion about the dangers of USB storage devices. The most common solution among these particular administrators was to disable the USB ports on workstations. Some newer machines allow you to disable USB ports through the BIOS, but most older machines do not offer this capability. In such cases, a favorite solution is often to fill the USB port with glue to keep it from being used.

While those types of techniques do work, they have a few drawbacks. For starters, those particular techniques are labor intensive, meaning that they are expensive to implement. Another problem is that disabling USB ports does not completely solve the problem of users having access to removable media. Users can easily use an external FireWire hard drive or a recordable DVD drive as an alternative.

Out of all of these techniques, perhaps the biggest disadvantage is that permanently disabling USB ports not only keeps users from using them but also makes the ports inaccessible to the support staff. In addition, there are occasionally legitimate business reasons for leaving a USB port enabled. For example, some jobs may require users to have a USB scanner attached to their PC.

Fortunately, one of Microsoft's goals in creating Windows Vista and Windows Server 2008 (Longhorn) was to give administrators better control over the way workstation hardware is used. It is now possible to control access to removable devices via Group Policy.

The Group Policy settings that allow you to restrict access to USB storage devices are only compatible with Windows Vista. For the time being, this means you will have to set the policies at the local computer level. When Windows Server 2008 is released, you will be able to set these policies at the domain, site or OU level (assuming you have a Windows Server 2008 domain controller).

To access the necessary Group Policy settings, you must open the Group Policy Object Editor. To do so, select the Run command from the Start | All Programs | Accessories menu. Next, enter the MMC command at the Run prompt. This will cause Windows to open an empty Microsoft Management Console. When the console opens, select Add / Remove Snap-In from the console's File menu. Windows will display a list of all available snap-ins. Select the Group Policy Object option from the list of snap-ins and click the Add button. By default, this snap-in will be linked to the Local Computer policy, so just click Finish followed by OK.

The Local Computer policy will now be loaded into the console. Now, navigate through the console tree to Computer Configuration | Administrative Templates | System | Device Installation | Device Installation Restrictions. When you do, the details pane will display several restrictions related to installing hardware devices, as shown in Figure A.

Figure A You can use the Group Policy Object Editor to restrict the installation of hardware devices.

As you can see in the figure, there are quite a few settings related to restricting device installation. The settings are not necessarily related specifically to removable devices, but rather to hardware devices in general. The basic idea is that if you can keep users from installing devices, then you can prevent them from using any device that you have not specifically enabled.

When it comes to removable devices, though, pay particular attention to two policy settings. The first setting is Allow Administrators to Override Device Installation Restrictions. If you implement any sort of device restrictions, then it is imperative that you enable this setting. Otherwise, even an administrator will not be able to install new hardware on a workstation.

The second important setting is Prevent Installation of Removable Devices. If you enable this policy, then users will not be able to install removable devices. If a user has already used a removable device in the system, though, drivers will exist for that removable device and the user may continue to use it. However, the user will never be able to update the device's driver.
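The following PowerShell script is an added example, not part of the original tip, that audits (and, with -Apply, sets) the two settings discussed above on the local computer by way of the registry values the Device Installation Restrictions policies are written to. It assumes the policy-to-value mapping shown in the script (AllowAdminInstall and DenyRemovableDevices under the DeviceInstall\Restrictions policy key), that PowerShell is installed on the Vista machine, and that it runs elevated when -Apply is used.

```powershell
# Added example: audit/apply the two Device Installation Restriction settings
# from this tip. Assumed mapping: policy setting -> DWORD value under $Key,
# where 1 means the setting is Enabled.
param([switch]$Apply)

$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Registry value name -> Group Policy setting it corresponds to (assumed mapping)
$Settings = @{
    'AllowAdminInstall'    = 'Allow administrators to override Device Installation Restrictions'
    'DenyRemovableDevices' = 'Prevent installation of removable devices'
}

function Get-RestrictionState {
    # Returns a hashtable of value name -> $true when the value is set to 1
    $state = @{}
    foreach ($name in $Settings.Keys) {
        $value = $null
        if (Test-Path $Key) {
            $value = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        }
        $state[$name] = ($value -eq 1)
    }
    return $state
}

function Test-RestrictionSafe($state) {
    # The tip's caveat: denying removable devices without the administrator
    # override also blocks administrators from installing new hardware.
    if ($state['DenyRemovableDevices'] -and -not $state['AllowAdminInstall']) {
        Write-Warning 'DenyRemovableDevices is enabled but AllowAdminInstall is not; administrators are locked out too.'
        return $false
    }
    return $true
}

if ($Apply) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # Enable the administrator override first so the restriction never exists without it.
    Set-ItemProperty -Path $Key -Name 'AllowAdminInstall'    -Value 1 -Type DWord
    Set-ItemProperty -Path $Key -Name 'DenyRemovableDevices' -Value 1 -Type DWord
}

$current = Get-RestrictionState
foreach ($name in $Settings.Keys) {
    $label = if ($current[$name]) { 'Enabled' } else { 'Not set' }
    '{0,-22} {1,-8} ({2})' -f $name, $label, $Settings[$name]
}
[void](Test-RestrictionSafe $current)
```

Run it without -Apply first to see the current state; the warning fires whenever the removable-device restriction is in place without the administrator override the tip insists on.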

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.
