Locking down Removable Storage Access using Group Policy and Security Groups

Group policy has setting to lock down removable storage access domain wide. If done properly it can be easily managed and users may have several different levels of access.

     1. The first thing you need to decide is how many different levels of access do you want to have

There  are several settings that can be applied and you could create a level of access for each setting but that all will depend on your domain.

The Settings are located under the following GP under both user and computer configuration Use user configuration for this how to

Admin templates > System> Removable storage access

      2. step two is to create security Groups for each of the levels of access you want and add the users

In my case I Created the following:

                Removable storage access All

                Removable storage access Read all

                Removable storage access CD/DVD

                Removable storage access Removable disk

                Removable storage access Floppy

*note you can create a read and write for each if you have the need to break it out that far

 

     3. Step three create polices. You want to create policies that match the name of your security groups this helps keep everything organized.  Remember you want to set the settings to disabled because we are disabling a deny

 

     4. Step 4 Change the scope of the policies: Remove Authenticated Users and Add the corresponding security Group to the policy

 

     5.  Apply the policies

• 1. Right click and set the polices to enforced. You are setting these policies to enforced because we want it to overwrite another policy that is denying
  2. If you are applying this control domain wide you will apply these policies at the top of the domain, remember OUS do not matter we are using scope and security groups to better control this.
  3. access but only to the users in the scope of the policy
  4. Setting the initial Deny of access
     • You want to apply this at the top level as well I used my default policy but you can create a policy specifically for this if you please
     • Create a policy or modify your default domain policy. DO NOT enforce this policy                          

 In this policy set all the setting to enabled EXCEPT the two that begin with “All removable storage:” if you are not breaking your setting out further and users either have all access or none you can create one policy that enables access and then set this policy to deny

     6.  Add user to the security Groups as you want them to have access.

 

Additional Notes IMORTANT

                IF you have a policy that gives access to all removable storage DO NOT use the all removable storage access. ONLY use this setting if you are not breaking your access out any further than an all or no access set up. You will want to allow access to all the storage setting in this policy the all access will not work.

 

Remember Enabling these policies denies access so disabling them allows access