Controlling User Access to Removable Storage Devices - 26 Apr 2007

Q: We want to control our users’ ability to use removable devices, such as USB flash drives, to prevent unauthorized software or malware from being introduced into our network and to keep users from removing information from our network. How can we control access to removable devices?

A: You’ll be happy to know that Windows Vista includes new features that let you limit read and/or write access to removable storage devices (e.g., USB flash drives, floppy disks, CD-ROMs, DVDs) centrally via Group Policy. You can find policies for controlling removable devices by running gpedit.msc and loading the local computer's GPO. The policies for controlling access to removable storage devices are located under Computer ConfigurationAdministrative TemplatesSystemRemovable Storage Access.

You can control access to removable devices by either preventing the installation of all such devices or by granularly disabling and enabling devices by their ID, which requires that you discover the ID for each device you want to control. You can look up an installed device’s ID by opening its properties in the Device Manager Control Panel applet. You need to be careful when modifying the Removable Storage Access area of Group Policy because it's easy to accidentally disable access to devices that users really need.

If you aren't using Vista yet, you can use one of the many products designed to control access to these drives. To read about some of them, see the following Windows IT Pro articles: "Client Device Managers" (December 2006, InstantDoc ID 93926), "DeviceShield" (November 2006, InstantDoc ID 93382), and "SecureWave Safeguards Portable Storage Devices" (August 2005, InstantDoc ID 47441).