USB Controls
Note: We do not currently support the enforcement of a USB device policy in the SenseOn platform. This does not affect our ability to detect malware or suspicious activity from USB devices. The restriction of USB removable media is a simple task using Active Directory and this guide can help you configure it.
Configuring USB Controls Using Active Directory (AD) Group Policy Objects (GPO)
This guide provides step-by-step instructions on how to configure USB controls using Group Policy in Active Directory.
Prerequisites
Before proceeding, ensure you have the following:
- Administrative privileges on the domain controller.
- Access to the Group Policy Management Console (GPMC).
Step 1: Open Group Policy Management
- Log in to your domain controller.
- Open Group Policy Management by typing gpmc.msc in the Run dialog (Win + R) and pressing Enter.
Step 2: Create a New Group Policy Object (GPO)
- In the Group Policy Management window, navigate to the organizational unit (OU) where you want to apply the policy.
- Right-click the OU and select Create a GPO in this domain, and Link it here….
- Name the new Group Policy Object (GPO), for example, USB Control Policy, and click OK.
Step 3: Edit the GPO
- Right-click the newly created GPO and select Edit.
- The Group Policy Management Editor will open.
Step 4: Configure USB Device Restrictions
Option 1: Disable All Removable Storage Devices
To prevent USB storage devices from being used entirely:
- Navigate to Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access.
- In the right pane, find and double-click All Removable Storage classes: Deny all access.
- Set the policy to Enabled and click OK.
Option 2: Disable Specific Read/Write/Execute Functions for USB Devices
To specifically disable read/write/execute functionality for USB devices:
- Navigate to Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access.
- In the right pane, find and double-click the Removable Disks policy for the function you want to restrict: Deny read access, Deny write access, or Deny execute access.
- Set the policy to Enabled and click OK.
Step 5: Apply the GPO
- Close the Group Policy Management Editor.
- Ensure that the new GPO is linked to the correct OU.
- To apply the policy immediately, you can run the following command on target machines:
gpupdate /force
Step 6: Verify the Policy
- Log in to a machine within the OU where the policy was applied.
- Use the gpresult /r command to verify that the policy is applied on the target machine.
- Check the functionality of USB devices to ensure the policy is working as expected.
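An added check for Step 6 (example code, not part of the original guide): the script below reads the registry values that the Removable Storage Access policies from Step 4 set on a client and reports which restrictions the machine actually received. It assumes the standard policy location under HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices and the Removable Disks device class GUID; Get-PolicyValue is a helper defined here. Run it from an elevated PowerShell session on the target machine.

```powershell
# Added example: confirm which removable storage restrictions reached this client.
# Assumption: policies are stored under the standard Windows policy key below.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device class GUID used by the "Removable Disks" policies (Option 2).
$removableDisks = Join-Path $base '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A missing key or value means the policy is Not Configured on this machine.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured' }
    if ($item.$Name -eq 1) { return 'Enabled' }
    return 'Disabled'
}

$checks = @(
    @{ Policy = 'All Removable Storage classes: Deny all access'; Path = $base;           Name = 'Deny_All' }
    @{ Policy = 'Removable Disks: Deny read access';              Path = $removableDisks; Name = 'Deny_Read' }
    @{ Policy = 'Removable Disks: Deny write access';             Path = $removableDisks; Name = 'Deny_Write' }
    @{ Policy = 'Removable Disks: Deny execute access';           Path = $removableDisks; Name = 'Deny_Execute' }
)

$results = foreach ($c in $checks) {
    [pscustomobject]@{
        Policy = $c.Policy
        State  = Get-PolicyValue -Path $c.Path -Name $c.Name
    }
}

$results | Format-Table -AutoSize

# If nothing is enabled, the GPO did not apply: check link, scope and precedence.
if (-not ($results | Where-Object { $_.State -eq 'Enabled' })) {
    Write-Warning 'No removable storage restriction is in effect. Review gpresult /r output and the GPO link.'
}
```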
Troubleshooting
- Ensure that the GPO is correctly linked to the OU containing the target computers.
- Check for any conflicting policies that might override the USB control settings.