Controlling the Use of Removable Devices and Media

Applies To: Windows Server 2008

Many consider the use of removable devices or devices that use removable media as a significant security threat. Even if your network is locked down to the point of disconnecting it from the Internet, that doesn't prevent someone from copying sensitive data onto a floppy disk or CD-ROM, or to a USB memory drive on their keyring, and walking out the door with it.

The Group Policy settings described in this section allow you to prevent unwanted access to a variety of device types, or to prevent access of any kind to devices that are removable or that use media that is classified as removable. The settings can be applied to the computer (affecting all users of that computer), or they can be applied to a user or group.

These settings are enforced immediately when they are applied to the computer or to the user or group. If a device is in use, Windows might not be able to enforce the restrictions immediately; in that case, they are enforced the next time the computer is restarted. If you do not want to wait for the user to restart the computer, you can force a restart by using a policy setting provided for this purpose.
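To confirm which restrictions have actually reached a computer or the signed-in user, you can read the policy values back from the registry. The following script is an added example, not part of the original article or a Microsoft tool. It assumes the removable storage policies are stored under `Software\Policies\Microsoft\Windows\RemovableStorageDevices` in HKLM (computer) and HKCU (user), with a `Deny_All` value and one subkey per device class GUID; the function and variable names are illustrative.

```powershell
# Added example: report the removable-storage restrictions in effect for
# this computer (HKLM) and for the current user (HKCU).
# Assumption: policy values live under the key below, as Deny_All plus one
# subkey per device class GUID holding Deny_Read / Deny_Write (DWORD 1 = deny).
$policyPath = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device setup class GUIDs for the storage types covered by these policies.
$deviceClasses = @{
    '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}' = 'CD and DVD'
    '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}' = 'Floppy drives'
    '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' = 'Removable disks'
    '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}' = 'Tape drives'
}

function New-Row($Scope, $Target, $Denied) {
    New-Object PSObject -Property @{ Scope = $Scope; Target = $Target; Denied = $Denied }
}

function Get-RemovableStoragePolicy {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)

    $root = "${Hive}:\$policyPath"
    if (-not (Test-Path $root)) {
        return New-Row $Hive '(policy key absent)' 'nothing'
    }

    $rows = @()
    # Deny_All overrides the per-class settings: all access is blocked.
    if ((Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).Deny_All -eq 1) {
        $rows += New-Row $Hive 'All removable storage classes' 'all access'
    }
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $guid  = $key.PSChildName
        $props = Get-ItemProperty -Path $key.PSPath
        $denied = @('Deny_Read', 'Deny_Write' | Where-Object { $props.$_ -eq 1 })
        if ($denied.Count -eq 0) { continue }
        # Fall back to the raw GUID for classes not listed above (custom classes).
        $name = if ($deviceClasses.ContainsKey($guid)) { $deviceClasses[$guid] } else { $guid }
        $rows += New-Row $Hive $name ($denied -join ', ')
    }
    if ($rows.Count -eq 0) { $rows += New-Row $Hive '(key present, no deny values)' 'nothing' }
    $rows
}

'HKLM', 'HKCU' | ForEach-Object { Get-RemovableStoragePolicy -Hive $_ } |
    Select-Object Scope, Target, Denied | Format-Table -AutoSize
```

A device that was already in use when the policy arrived can remain accessible until the restart even though the values appear here, so treat this output as the configured state rather than proof of enforcement.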

For more information about Group Policy in an Active Directory Domain Services environment, see Group Policy at https://go.microsoft.com/fwlink/?LinkId=55625.

Task requirements

  • Group Policy Management Editor, included with Windows.

To complete this task, you can perform the following procedures: