How To Block USB Drive Write Access On Domain?


I am going to teach you how to block USB drive write access on a domain, because it is important to keep your data secure. If your data is spread over multiple devices, there is a greater chance of it being stolen. This article will help you if you want to build something that does not allow users to make changes to its contents.

Block USB Drive Write Access on Domain

Nowadays, every staff member in a workplace owns or at least uses a USB storage device. However, its portability and widespread adoption pose a security threat to users and computers.

For instance, when an employee unknowingly connects a USB drive to an infected device, malware can spread to the company's network. Alternatively, the drive may be used surreptitiously to install an unauthorized application or to copy out sensitive information, which may lead to security concerns.

Fortunately, Windows offers different ways to block USB write access on the domain. In this article, we will show you how to configure Group Policy and the registry to block USB drives.

Enabling USB Write Protection using the Registry

This process is a little risky for your computer, especially if not done correctly. For this reason, it is recommended that you back up your computer before proceeding.

  1. Press the Windows key to open the Run command.
  2. Type "regedit", then click "OK".
  3. Navigate to this path:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
  4. Right-click the "Control" key, click "New", and select "Key".
  5. Name the new key "StorageDevicePolicies" and press Enter.
  6. Right-click the new key, click "New", and choose the "DWORD (32-bit) Value" option.
  7. Name the new DWORD "WriteProtect" and press Enter.
  8. Double-click the new DWORD and change the value data from "0" to "1".
  9. Click "OK".
  10. The procedure is finished. You can now close the registry.

Once you have set this up, anyone who inserts a USB drive into your device will be denied copy privileges, and a dialog box reading "This disc is write-protected" will appear. As such, no one can create, rename, delete, or edit any files on your device's external storage.
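The same registry change can be scripted so it is repeatable and verifiable. The following is an added example, not part of the original article; the function name `Set-UsbWriteProtect` is hypothetical, and the script assumes an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of registry steps 3-9 above.
# Set-UsbWriteProtect is a hypothetical helper name, not a built-in cmdlet.
function Set-UsbWriteProtect {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # $true writes WriteProtect = 1 (block writes); $false writes 0 (allow).
        [bool]$Enabled = $true
    )
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
    $want = [int]$Enabled

    # Steps 4-5: create the key only if it is missing, so re-running is safe.
    if (-not (Test-Path -Path $key)) {
        if ($PSCmdlet.ShouldProcess($key, 'Create registry key')) {
            New-Item -Path $key -Force | Out-Null
        }
    }

    # Steps 6-9: create or overwrite the WriteProtect DWORD.
    if ($PSCmdlet.ShouldProcess("$key\WriteProtect", "Set DWORD to $want")) {
        New-ItemProperty -Path $key -Name 'WriteProtect' `
            -PropertyType DWord -Value $want -Force | Out-Null
    }

    # Read the value back instead of assuming the write succeeded.
    $actual = (Get-ItemProperty -Path $key -Name 'WriteProtect' `
        -ErrorAction SilentlyContinue).WriteProtect

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Key          = $key
        WriteProtect = $actual
        Compliant    = ($actual -eq $want)
    }
}

# Preview the change first, then apply it and print the verified state.
Set-UsbWriteProtect -Enabled $true -WhatIf
Set-UsbWriteProtect -Enabled $true
```

Running `Set-UsbWriteProtect -Enabled $false` reverts the setting, which gives you a tested rollback path before the change is rolled out more widely.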

Enabling USB Write Protection with the Group Policy

If you are a bit hesitant about the first method, and you are running Education, Enterprise, or Windows 10, you can enable USB write protection through Group Policy. Follow these simple steps to block USB drive write access on the domain:

  1. Press the Windows key again to open the Run command.
  2. Type "gpedit.msc" and then select "OK" to open the Group Policy Editor.
  3. Navigate to this path:
    Computer Configuration > Administrative Templates > System > Removable Storage Access
  4. Double-click "Removable Disks: Deny Write Access".
  5. Choose "Enabled" at the top-left of the window.
  6. Select "Apply".
  7. Click "OK".
  8. The policy is now activated. Close the Group Policy Editor.
  9. Restart your device to complete the procedure.

As with the first procedure, anyone who inserts a USB drive won't be able to take any action on your computer. However, unlike with the Registry method, a message will pop up advising the user that administrator permission is needed to copy a file or folder. But even with administrator permission, no one can export any data from the USB drive.
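After the restart, you can confirm that the policy actually reached the machine by reading the registry location where the Removable Storage Access settings are stored. This is an added example, not part of the original article; the function name `Get-RemovableStoragePolicy` is hypothetical.

```powershell
# Added example: report which Removable Storage Access policies are in effect.
# Get-RemovableStoragePolicy is a hypothetical helper name.
function Get-RemovableStoragePolicy {
    # The "Removable Storage Access" settings are stored under this key,
    # with one subkey per device class GUID.
    $root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

    # Device class GUID behind the "Removable Disks: ..." settings.
    $names = @{ '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' = 'Removable Disks' }

    # No key at all means no removable-storage policy has been applied.
    if (-not (Test-Path -Path $root)) { return @() }

    Get-ChildItem -Path $root | ForEach-Object {
        $guid  = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Class       = if ($names.ContainsKey($guid)) { $names[$guid] } else { $guid }
            DenyRead    = ($props.Deny_Read    -eq 1)
            DenyWrite   = ($props.Deny_Write   -eq 1)
            DenyExecute = ($props.Deny_Execute -eq 1)
        }
    }
}

$policy = @(Get-RemovableStoragePolicy)
$policy | Format-Table -AutoSize

# Flag the machine if the write block from step 4 is not present.
$disks = $policy | Where-Object { $_.Class -eq 'Removable Disks' }
if (-not $disks -or -not $disks.DenyWrite) {
    Write-Warning "$env:COMPUTERNAME: 'Removable Disks: Deny Write Access' is not in effect."
}
```

An empty table together with the warning means the policy has not been applied to this computer yet.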

The Bottom Line

USB drive restrictions play a crucial role in protecting the user and the organization. Businesses of any type and home users running Windows can use the Registry and Group Policy methods to manage their removable storage devices and reduce malware infections, unauthorized application installation, data exfiltration, and the like.

Whichever method you prefer, rest assured that your device is protected from any type of security threat. Moreover, although this article focuses on Windows 10, this concept is also applicable to Windows 7 and 8.

Summary: Block USB Drive Write Access on Domain

  • This will create a new GPO in the same location as your other GPOs.
  • Open the Group Policy Management Console (GPMC).
  • Right click on Block USB Drive Write Access and choose Edit.
  • Expand Computer Configuration, expand Policies, expand Administrative Templates and then select Removable Storage Access.
  • Double-click the Allow direct access to all removable disk drives policy setting.
  • In the dialog box that opens, select Disabled. Click Apply and OK to close the dialog box.
  • Select Allow the following users to have write access to removable disks in the same location.
  • Click Show…, Add..., Advanced..., Find Now and then select Authenticated Users, a group that includes both Domain and Local Admins.
  • Finally click Apply, OK and then Close to complete this task.