With the proliferation of portable devices such as USB flash drives, USB hard drives, mobile phones and even cameras, extra care must now be taken to prevent data theft. This article describes how to lock down USB devices in a Windows Server 2012 R2 domain with Group Policy, so that removable media cannot be used to introduce malware (viruses, trojans) or to copy data off a domain machine.
We tested with the operating systems outlined below. If you’re reading this you will likely be able to install these on your own.
Windows Server 2012 R2 – This document was tested with Windows Server 2012 R2 installed as a domain controller.
Windows Vista, Windows 7 and Windows 8.1 – We used only Windows Vista, Windows 7 and Windows 8.1 on the client machines for testing because, as the screenshots below show, the policy setting involved requires Windows Vista or later.
Windows 2012 R2 Group Policies
The first step is to modify the domain’s group policies. Log on to a domain controller with an account that has domain administrator (or equivalent) rights. Click the Windows icon in the lower left corner and then Server Manager. Once Server Manager is open, click Tools in the upper right corner and then Group Policy Management.
Drill down through the Group Policy Management pane until you reach the Default Domain Policy. Right-click it and select Edit. Note that the Default Domain Policy applies to every computer in the domain, including member servers and the domain controllers themselves; in production you will usually want to put this setting in a new GPO linked only to the OU that contains your workstations, so that a server cannot be locked out of a USB device you still need there.
Drill down through the policy settings on the left to Computer Configuration/Policies/Administrative Templates/System/Device Installation/Device Installation Restrictions. In the right pane double click on the “Prevent Installation of Removable Devices” line.
In the next box, click the Enabled radio button and click OK. As you can see in the image below, this setting is supported only on Windows Vista or newer. If you’re still running legacy XP PCs there are third party utilities that will enable you to do this. Two caveats are worth knowing before you roll this out. First, “removable” is decided by the driver of the bus the device is connected to (the USB hub driver reports USB devices as removable), so the policy blocks any new removable device, not just storage. Second, it only affects installation: a device whose driver was already installed on a machine before the policy arrived keeps working, so test with a device that has never been connected to that PC.
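The same setting can be created from PowerShell on the domain controller, which is easier to repeat and to audit than the GUI steps above. The following is an added example, not code from the original article: it creates a dedicated GPO rather than editing the Default Domain Policy and writes the registry value that backs “Prevent installation of removable devices” (DenyRemovableDevices under the DeviceInstall\Restrictions policy key). The GPO name and the OU distinguished name are assumptions you will need to replace.

```powershell
# Added example (not from the original article): build a dedicated GPO that
# enables "Prevent installation of removable devices" and link it to a
# workstation OU. Requires the GroupPolicy module (present on a DC or via RSAT).
Import-Module GroupPolicy

$GpoName  = 'Block Removable Device Installation'        # assumed name
$TargetOu = 'OU=Workstations,DC=example,DC=com'          # assumed OU; replace with yours

# The GUI setting Computer Configuration > Policies > Administrative Templates >
# System > Device Installation > Device Installation Restrictions >
# "Prevent installation of removable devices" is stored as this DWORD.
$Key       = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$ValueName = 'DenyRemovableDevices'

# Create the GPO only if it does not already exist.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Prevents installation of removable (USB) devices'
}

# Enabled = 1. (Disabled/Not Configured would be 0 or the value absent.)
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU if it is not linked yet. Enforced so that a GPO
# linked lower in the tree cannot quietly switch the restriction off again.
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Read the value back out of the GPO to confirm what clients will receive.
Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName |
    Select-Object FullKeyPath, ValueName, Type, Value
```

Clients pick the setting up at their next Group Policy refresh; run `gpupdate /force` on a test workstation if you do not want to wait. Because the block above links the GPO to a workstation OU rather than the domain root, domain controllers and member servers are left alone.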
Results – Windows 7
Once the policy takes effect, Windows 7 shows a “Device installation was prevented by policy” balloon when a USB drive is inserted into the target machine, as shown below.
When you click on the balloon you get a standard dialog box in the center of the screen, also reading “Device installation was prevented by policy”.
Results – Windows 8.1
Windows 8.1 behaves slightly differently. The drivers silently fail to install, but if you open Device Manager you can see the device that was not installed:
If you right-click the USB Mass Storage Device entry in Device Manager and select Update Driver Software, Windows locates the driver but refuses to install it, so the USB device is successfully blocked:
Microsoft provides an excellent feature inside the Group Policy Management tool called the Group Policy Results Wizard (in earlier versions of Windows this was the Resultant Set of Policy, or “RSoP”, tool). It generates reports that show you exactly how policies are applied to specific users or computers. We recommend using it to see exactly how your policies are applied to the various OUs (both Computers and Users) and to verify that the restriction is in force on the machines you expect.
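The wizard’s checks can also be scripted, which is useful once more than a handful of workstations are involved. The following is an added example and not part of the original article: it generates the RSoP report for one client with the GroupPolicy module, then reads the effective policy value on that client over PowerShell remoting and lists any Plug and Play devices that are present but failed to install. The computer name is an assumption, and the remote steps assume WinRM is enabled on the client.

```powershell
# Added example (not from the original article): verify that the removable
# device restriction actually reached a client and is blocking devices.
Import-Module GroupPolicy

$Computer = 'WS01'   # assumed client name; replace with a real workstation

# 1. Resultant Set of Policy for the computer, the scripted form of the
#    Group Policy Results wizard. Open the HTML file to see which GPO won.
$Report = Join-Path $env:TEMP "rsop-$Computer.html"
Get-GPResultantSetOfPolicy -Computer $Computer -ReportType Html -Path $Report | Out-Null
Write-Output "RSoP report written to $Report"

# 2. Read the effective value on the client. 1 means the policy applied;
#    anything else means the GPO was not received or another GPO overrode it.
$value = Invoke-Command -ComputerName $Computer -ScriptBlock {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    (Get-ItemProperty -Path $key -Name DenyRemovableDevices -ErrorAction SilentlyContinue).DenyRemovableDevices
}
if ($value -eq 1) {
    Write-Output "DenyRemovableDevices is set on $Computer"
} else {
    Write-Output "DenyRemovableDevices is NOT set on $Computer (value: '$value')"
}

# 3. List devices the client can see but did not install. This is the
#    scripted equivalent of the Device Manager view above and works on
#    Windows Vista/7/8.1 because it uses WMI rather than Get-PnpDevice.
Invoke-Command -ComputerName $Computer -ScriptBlock {
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.ConfigManagerErrorCode -ne 0 } |
        Select-Object Name, DeviceID, ConfigManagerErrorCode
}
```

A removable device that was plugged in while the policy was active should show up in step 3 with a non-zero ConfigManagerErrorCode; a device that was installed before the policy arrived will not appear there, which is the quickest way to catch the “already installed” case described earlier.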