Disabling USB flash drives with Group Policy: blocking USB storage devices on Windows 7 to prevent data leakage

Time:2021-12-31

USB flash drives and portable hard disks are widely used on company LANs. Their capacity keeps growing and their read and write speeds keep increasing, so it is easy to copy a large number of files with one. In enterprises and institutions, important files and trade secrets, such as work products and intangible assets created by employees, are stored on computers, where they can easily be copied to a USB flash drive or portable hard disk. This poses a serious risk to the organization's information security and trade secret protection. We therefore need to prohibit the use of USB flash drives and disable USB storage devices. How can the use of USB flash drives and USB storage devices be blocked effectively? There are two methods: one is to prohibit USB flash drives through Group Policy, and the other is to use dedicated USB port blocking software.

Method 1: Disable USB flash drives and block USB storage devices through Windows 7 Group Policy

Click Start, then Run, and enter the Group Policy command gpedit.msc to open the Local Group Policy Editor. Select Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions, and in the right pane find the setting "Prevent installation of removable devices".

Double-click "Prevent installation of removable devices" and select Enabled to prohibit the use of USB flash drives and portable hard disks on Windows 7.

Another way to prohibit USB flash drives and disable USB storage devices is through the registry. The steps are as follows:

1. Run regedit.

2. Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

3. Right-click the Start value and change it to 4 to disable USB flash drives. To re-enable them, change 4 back to 3.
    
However, whether USB flash drives are prohibited through Group Policy or through the registry, both approaches rely on the operating system's own configuration. Technically capable employees can therefore easily reverse the change and re-enable USB flash drives and other USB storage devices, which is the main weakness of the methods above. In this case, you can consider deploying dedicated software to block the use of USB flash drives.
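Because both settings can be reverted by anyone with local administrator rights, it helps to check them on a schedule and report drift. The PowerShell script below is an added example, not part of the original article; it reads the USBSTOR Start value and the registry value behind the "Prevent installation of removable devices" policy, and the `-Enforce` switch and function name are this example's own.

```powershell
# Added example: audit (and optionally restore) the two settings from Method 1.
# Run from an elevated prompt. Written to work with PowerShell 2.0 (Windows 7 default).
param([switch]$Enforce)   # -Enforce is this example's own switch: rewrite drifted values

$checks = @(
    # Registry method: USBSTOR driver start type, 4 = disabled, 3 = enabled
    @{ Name     = 'USBSTOR Start'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Value    = 'Start'
       Expected = 4 },
    # Group Policy method: value written when the policy is set to Enabled
    @{ Name     = 'Prevent installation of removable devices'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
       Value    = 'DenyRemovableDevices'
       Expected = 1 }
)

# Helper (hypothetical name): return the value data, or $null if key/value is missing
function Get-RegValue($Path, $Value) {
    $item = Get-ItemProperty -Path $Path -Name $Value -ErrorAction SilentlyContinue
    if ($item) { return $item.$Value }
    return $null
}

$results = foreach ($c in $checks) {
    $current = Get-RegValue $c.Path $c.Value
    $ok = ($current -eq $c.Expected)
    if (-not $ok -and $Enforce) {
        # Create the key if the policy was never configured, then restore the value
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -Type DWord
        $current = Get-RegValue $c.Path $c.Value
        $ok = ($current -eq $c.Expected)
    }
    New-Object PSObject -Property @{
        Setting = $c.Name; Current = $current; Expected = $c.Expected; Compliant = $ok
    }
}

$results | Format-Table Setting, Current, Expected, Compliant -AutoSize
# Non-zero exit code lets a scheduled task or monitoring agent flag the drift
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run without `-Enforce` to report only. A value written directly to the policy key is not recorded in the local policy store, so the Group Policy Editor may still show the setting as not configured.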

Method 2: Block USB storage devices with dedicated software that restricts the use of USB flash drives and prevents copying to them

There are currently some dedicated USB blocking and USB flash drive disabling programs available in China. Once installed on a computer, they monitor in real time the USB devices that are plugged in. If the device is a USB storage device, such as a USB flash drive or portable hard disk, it is blocked directly; if it is a non-storage USB device, such as a USB mouse, keyboard or dongle, it is not blocked. This allows precise control over which USB devices can be used.

There are many such USB port disabling programs on the market. For example, with the "general trend to USB interface disable software" (download address: http://www.grabsun.com/monitorusb.html), installing it on the computer is all that is needed to completely block the use of USB storage devices and to prevent files from being copied from the computer to USB storage devices such as USB flash drives and portable hard disks. It can also prohibit sending email attachments, uploading files to online storage, sending files through QQ and uploading forum attachments, so as to prevent files from leaking over the network. As shown in the figure below:

 

Figure: software that blocks the use of USB flash drives on the computer

In addition, the "general trend to USB interface disable software" can also block modification of the registry and Group Policy in real time, so that employees cannot change these key operating system settings to re-enable USB flash drives and portable hard disks.

In short, USB storage devices can be blocked through the operating system's registry, through Group Policy, or through dedicated USB port disabling software. Compared with operating system settings, dedicated USB disabling software is relatively more direct and effective. Enterprises and institutions can choose the method that suits their needs.