How to Control Access to Removable Storage Devices in Windows 7

An important security consideration for any desktop administrator is how to keep data secure. With the dramatic increase in the use of removable storage devices, gigabytes of data can be copied from secure storage locations onto USB flash drives, CD-Rs, DVD-Rs, etc. Most PCs are built with these devices as standard equipment, and it is difficult to find models without them. Some CDs and DVDs contain harmful executables that, if executed, can compromise system security.

Microsoft Windows 7 can control the use of such devices with Local and Group Policies. The Computer Configuration/Administrative Templates/System/Removable Storage Access node contains settings that specify what users can do with removable storage. The CD and DVD: Deny read access, Deny write access, and Deny execute access settings prevent optical drives from copying data. Even Floppy drives can be managed with similar settings. Tape drives and Removable Disks (USB hard drives) are also controlled with the same options. WPD Devices such as media players, cellular phones, and CE devices can be limited as well. To restrict a specific device from a specific manufacturer, a specific device GUID can be specified in the Custom Classes: Deny read access and Deny write access settings. The device GUID for any device can be determined by opening the properties of the device in Device Manager, clicking the Details tab and selecting the Device Class drop-down list. Select the “Device class guid” property and the specific device class GUID will be displayed.

If you simply want to ban the use of any type of Removable Storage, you can enable the “All Removable Storage classes: Deny all access” setting and breathe easier knowing that you have done a lot to improve data security on Windows desktops. In an Active Directory environment, Group Policy can be used to apply these settings to all computers in a Domain, Site or Organizational Unit.
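
To check on a given computer which of the settings described above have actually been applied, the following PowerShell audit (an added example, not part of the original article) reads the policy values from the registry. The registry key, the value names (Deny_Read, Deny_Write, Deny_Execute, Deny_All) and the class GUIDs are assumptions taken from the RemovableStorage.admx template and should be confirmed against the template on your build; the function names are hypothetical.

```powershell
# Added example: report which Removable Storage Access policies are set on this computer.
# Assumption: the key, value names and class GUIDs below are those defined in
# RemovableStorage.admx for the Computer Configuration policies; verify on your build.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device classes named in the article, each paired with its policy subkey.
$classes = @(
    @('CD and DVD',      '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'),
    @('Floppy Drives',   '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}'),
    @('Removable Disks', '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'),
    @('Tape Drives',     '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}'),
    @('WPD Devices',     '{6AC27878-A6FA-4155-BA85-F98F491D4F33}'),
    @('WPD Devices',     '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}')
)

function Test-DenyValue([string]$Path, [string]$Name) {
    # True only when the value exists and is 1; a missing key or value means Not Configured.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.$Name -eq 1)
}

function Get-RemovableStoragePolicy {
    # "All Removable Storage classes: Deny all access" is stored on the base key itself.
    $denyAll = Test-DenyValue $base 'Deny_All'
    foreach ($c in $classes) {
        $key = "$base\$($c[1])"
        $row = New-Object PSObject -Property @{
            Class       = $c[0]
            ClassGuid   = $c[1]
            DenyRead    = (Test-DenyValue $key 'Deny_Read')
            DenyWrite   = (Test-DenyValue $key 'Deny_Write')
            DenyExecute = (Test-DenyValue $key 'Deny_Execute')
            DenyAll     = $denyAll
        }
        # Select-Object fixes the column order (hashtable order is not preserved in PowerShell 2.0).
        $row | Select-Object Class, DenyRead, DenyWrite, DenyExecute, DenyAll, ClassGuid
    }
}

Get-RemovableStoragePolicy | Format-Table -AutoSize
```

A row that shows False in every column means no deny policy from this node is configured for that device class on the computer being checked.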

