Using USB drives to transmit data is still a very convenient way for many of us, despite how popular the cloud storage services are in the internet age. It’s easy and practical but is also hard to control how it behaves especially when you plug in one from the unknown source which may contain stuff you don’t know. Since the security of USB is fundamentally broken, having control over how USB storage behaves seems so essential now in a business environment.
We introduced a tool called USB Flash Drives Control that provides easy access to control the way how these USB drives are used when they are plugged into our computer. We’ve also shared a tip that enables write protection on USB drives. Now, let’s control it at network domain level through Group Policy.
User Level
Open Group Policy and go to the following location:
User Configuration → Administrative Templates → System → Removable Storage Access
Enabling “Removable Disks: Deny read access” policy prevents authenticated user from reading any USB storage drives. You can still write stuff on it unless “Removable Disks: Deny write access” policy is enabled.
If you want to disable all access to not only USB but all types of removable disks, enable “All Removable Storage classes: Deny all access” policy.
You can’t disable Execute access at user policy level. It’s only available at the machine level.
Machine Level
If you want to disable access to USB drive at machine level regardless of which user signed into the computer, open Group Policy and go to the following location instead:
Computer Configuration → Administrative Templates → System → Removable Storage Access
In addition to Read and Write access control, you can also use “Removable Disks: Deny execute access” policy to disable execute access to USB drive or all types of removable storages.
Comparing to Read and Write access, it’s more important having the ability to disable the execute access so the malicious code that comes with the USB drive won’t be able to run and damage your computer.
The Read/Write control policies work for Windows Vista and above but you need Windows 7 or above to be able to disable the execute access to the removable storage.
If you are a home user but still want to have the control over these USB disks, give it a try USB Flash Drives Control.
Can you reject the USB virtual machine?
Are you talking about the VMs saved on USB? since they are just reading and writing, it should be running fine.