Securing removable media
Removable media can be a dangerous source of information leakage. On one hand, it may contain sensitive data that could be disclosed to unknown parties if it is lost or stolen; on the other hand, it may carry viruses, malware and other malicious programs that can infect your system or network! Using Disk Policies, you can block users from writing data to removable media, from reading data on it, or from running programs stored on it.
In a network setup with domain controllers, edit the Domain Group Policy. For a single computer system, edit the Local Group Policy by typing gpedit.msc in the Start search text box.
In the Local Group Policy Editor, expand Computer Configuration and then Administrative Templates. Next, expand System and then Removable Storage Access. The following policy settings are available:
Time (in seconds) to force reboot – Sets the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in access rights to removable storage devices.
CD and DVD – This policy setting denies execute, read and write access to the CD and DVD removable storage class.
Custom Classes – This policy setting denies read and write access to custom removable storage classes. It lets you specify removable storage classes by entering the class GUID.
Floppy Drives – This policy setting denies execute, read and write access to the Floppy Drives removable storage class, including USB Floppy Drives.
Removable Disks – This policy setting denies execute, read and write access to removable disks.
All Removable Storage Classes – This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class.
All Removable Storage – This policy setting grants normal users direct access to removable storage devices in remote sessions.
Tape Drives – This policy setting denies execute, read and write access to the Tape Drive removable storage class.
WPD Devices – This policy setting denies read and write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices.
For example, if you want to prohibit users from executing programs stored on a USB flash drive while it is connected to your system, enable the Removable Disks: Deny execute access policy. Remember to run gpupdate from the command prompt so that the new policy settings are applied. You may also need to disconnect and reconnect the USB flash drive!
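After running gpupdate, you can confirm which deny settings actually reached the machine. The read-only PowerShell audit below is an added example, not part of the original article. It assumes the Removable Storage Access policies are stored under the registry key shown, one subkey per device class GUID; the key path, the GUIDs and the Deny_* value names are standard Windows values supplied here rather than taken from the article, and the function names are hypothetical.

```powershell
# Added example: read-only audit of the Removable Storage Access policy values.
# Assumption: policies live under this key, one subkey per device class GUID,
# with DWORD values Deny_Read / Deny_Write / Deny_Execute (1 = deny enabled).
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device class GUIDs (assumed standard Windows values, not from the article).
$Classes = [ordered]@{
    'CD and DVD'      = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    'Floppy Drives'   = '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}'
    'Removable Disks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    'Tape Drives'     = '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}'
}

function Get-DenyFlag {
    param([string]$Path, [string]$Name)
    # A missing key or value means the policy is Not Configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$Name -eq 1) { return 'Denied' }
    return 'Allowed'
}

function Get-RemovableStoragePolicy {
    # "All Removable Storage Classes" takes precedence over per-class settings,
    # so report it next to every class.
    $all = Get-DenyFlag -Path $Base -Name 'Deny_All'
    foreach ($class in $Classes.GetEnumerator()) {
        $key = Join-Path $Base $class.Value
        [pscustomobject]@{
            Class   = $class.Key
            Read    = Get-DenyFlag -Path $key -Name 'Deny_Read'
            Write   = Get-DenyFlag -Path $key -Name 'Deny_Write'
            Execute = Get-DenyFlag -Path $key -Name 'Deny_Execute'
            DenyAll = $all
        }
    }
}

Get-RemovableStoragePolicy | Format-Table -AutoSize
```

With the Removable Disks: Deny execute access policy enabled as in the example above, the Removable Disks row should show Execute as Denied; NotConfigured in every column means the policy has not been applied to this computer.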