Group Policy: which is better to disable USB storage devices or USB disk software than to disable USB storage tools

Time:2022-1-14

Many companies are in the need of computer file security and trade secret protection. They often need to prohibit employees from inserting their computers into USB flash disk at will to prevent copying computer files through USB flash disk. At the same time, the storage space of USB flash disk, mobile hard disk and even mobile phone is becoming larger and larger, which can easily copy a large number of files on the computer, and the labor achievements, trade secrets and other information formed by employees during working hours are often stored on their own computers, which makes the security of important documents and intangible assets of enterprises face great risks. To this end, many units need to disable the use of USB storage devices. However, due to the universal use of non USB storage devices such as USB mouse and keyboard, online banking U shield and dongle, it is not possible to prohibit the use of u port and completely disable USB port through BIOS. Therefore, we need to treat USB devices differently and disable the USB interface instead of the use of non USB storage devices. How to achieve it? There are two ways:

Method 1: disable USB flash disk through group policy and USB storage device through group policy to prevent copying computer files through USB storage device.

Software name:
usb. ADM download (control and user’s use of USB, optical drive, etc.)
Software size:
3KB
Update time:
2015-11-24Download now

The detailed operations are as follows:
1. Create a GPO group policy in the Ou in the DC
2. Add to group policy – computer configuration – management template,

3. Note that in “view” —- filter “, remove the check mark in front of” only display policy settings that can be fully managed “

 

4. Right click Manage template – click add delete template – add USB ADM template file – click close to enter custom policy settings in the window, and you can see the of the device. Right click the device you want to set, such as disable USB. The properties dialog box appears. Click enabled, select enabled in disable USB ports, and then restart the computer. You will find that the USB interface is unavailable. To restore, disable or disable. Other devices do the same

In order to make it easier for everyone to read, the picture has been updated again
The correct method is to select “disabled” or “enabled” in the drive to be set
Example 1: disable floppy drive;
“Disabled floppy” – > select disabled floppy drive as “enabled”.
Example 2: enable floppy drive
“Disabled floppy” – > select disabled floppy drive as “disabled”

So far, we have disabled the use of USB storage devices through group policy. However, it is realized through the relevant settings of the operating system. Therefore, some tech savvy employees can easily re enable the USB flash disk by reverse modification, which makes the USB flash disk disabled through group policy face large vulnerabilities, which is easy to be bypassed and re enabled by some tech savvy employees. In this case, we can consider the second method.

Method 2. Disable the USB storage device through special USB port disable software and shielding USB disk software.

At present, there are special software to disable USB storage devices in China, which will not affect the use of non USB storage devices. For example, there is a “general trend to USB control system” (download address:http://www.grabsun.com/monitorusb.html), only after the computer is installed, the use of USB storage devices can be disabled automatically and in real time without affecting the use of non USB storage devices. At the same time, you can only use specific USB storage devices, so that the U disk licensed by the company can be used; You can only copy files from the USB flash drive to the computer and prohibit copying files from the computer to the USB flash drive, or you must enter a password to copy, so as to further accurately control the use of USB storage devices. As shown in the figure below:


Figure: disable USB flash disk, mobile hard disk and other USB storage devices

At the same time, through the “general trend to disable USB interface software”, you can also prohibit the computer from sending email attachments, uploading computer files on the network disk, uploading forum attachments and sending files on QQ, so as to comprehensively protect the security of computer files and prevent the disclosure of secrets through the network.

In addition, disabling the software through the general trend to the USB interface can also prohibit the computer from opening the registry, opening the device manager, modifying the boot entry, opening the computer management, starting the computer from the USB disk, starting the computer from the CD, and pressing F8 to enter the operating system security mode, This prevents some skilled employees from trying to modify the computer configuration and re enable the USB flash disk, and comprehensively and thoroughly protects the security of computer files and the security of the operating system.

In short, whether the use of USB flash disk is prohibited through the group policy of the operating system, or the use of USB flash disk and shielding USB storage devices through third-party software, it can play a certain role, but it is relatively easier to prohibit the use of USB port through software, and can also prevent the disclosure of computer confidential files through the network, And through the restriction of the key position of the operating system, it also protects the security of the computer itself, so as to achieve the purpose of more strict protection of the security of computer files.