SOLVED: How To Block Write Access To USB Drives

Most companies are worried about data exfiltration which is a fancy CTO / CISO way of saying data leaving your company.  It used to be that most security and IT staff spent their days focusing nearly exclusively on hacks coming from outside the company, but today we see more and more internal hacks.

Through disgruntled employees, state actors having a hacker / spy get hired inside the company, or just good old stupidity, it is easy to have your valuable data wrongly taken outside of corporate control.

One way to make it more difficult for people to exfiltrate data is to block write access to USB disks.  Microsoft has made this retaliative easy to do through Group Policy or registry entries.

Note that the this GPO or registry entry can be applied to the user instead of the machine, which might make it more palatable to some and more practical in the real world.

GPO To Block Write Access To USB Storage

The path to the Group Policy to disable write access to a USB drive is:

Computer Configuration or User Configuration > Policies > Administrative Templates > System > Removable Storage Access

Registry To Block Write Access To USB Storage

The path to the Group Policy to disable write access to a USB drive is:

HKLM or HKCU > SOFTWARE > Policies > Microsoft > Windows >

RemovableStorageDevices

  1. If you don’t see a key named RemovableStorageDevices , you will have to create it
  2. Right click and create a NEW KEY named {53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
  3. Set is as a DWORD with a value of 1

If you want to control read write or execute on other devices, here is the list of registry entries.

For example, if you want to block read access to USB sticks or drives then you would set

HKLM or HKCU > SOFTWARE > Policies > Microsoft > Windows > RemovableStorageDevices > {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} = 1

Policy name Device Class GUID Registry parameter name
Floppy Drives:
Deny read access
{53f56311-b6bf-11d0-94f2-00a0c91efb8b} Deny_Read
Floppy Drives:
Deny write access
{53f56311-b6bf-11d0-94f2-00a0c91efb8b} Deny_Write
CD and DVD:
Deny read access
{53f56308-b6bf-11d0-94f2-00a0c91efb8b} Deny_Read
CD and DVD:
Deny write access
{53f56308-b6bf-11d0-94f2-00a0c91efb8b} Deny_Write
Removable Disks:
Deny read access
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Deny_Read
Removable Disks:
Deny write access
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Deny_Write
Tape Drives:
Deny read access
{53f5630b-b6bf-11d0-94f2-00a0c91efb8b} Deny_Read
Tape Drives:
Deny write access
{53f5630b-b6bf-11d0-94f2-00a0c91efb8b} Deny_Write
WPD Devices:
Deny read access
{6AC27878-A6FA-4155-BA85-F98F491D4F33}
{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}
Deny_Read
WPD Devices:
Deny write access
{6AC27878-A6FA-4155-BA85-F98F491D4F33}
{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}
Deny_Write

 

These changes will take effect as soon as the Group Policy of registry entries are on the computer.  There is no need to reboot if you run a GPUPATE /FORCE.

If a device is already connected, it will continue to work until it is removed and plugged back in, so you don’t need to worry about corrupting data being transferred when the policy comes into effect.

 


 

Published by
Ian Matthews

This website uses cookies.