You can implement the “strongest” restriction policy, All Removable Storage Classes: Deny All Access, to completely disable access to all types of external storage devices. To enable this policy, open its properties and change it from Not Configured to Enabled.

After enabling the policy and updating the GPO settings on client computers (gpupdate /force), Windows will still detect connected external devices (not only USB devices, but also any external drives), but an error will appear when trying to open them: "Location is not available. Drive is not accessible."

You can use GPO Security Filtering to make an exception to a policy. For example, to prevent the USB blocking policy from being applied to the Domain Admins group: select your Disable USB Access policy in the Group Policy Management console, add the Domain Admins group in the Security Filtering section, then go to the Delegation tab and click Advanced.
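To confirm on a client that the All Removable Storage Classes: Deny All Access policy was actually applied after gpupdate /force, the following added example (not part of the original page) reads the policy's registry values. It assumes the policy is stored under Policies\Microsoft\Windows\RemovableStorageDevices as Deny_All, with per-class settings in subkeys; the function name is hypothetical.

```powershell
# Added example, not from the original page.
# Assumption: the removable-storage policies write their values under the
# keys below (Deny_All for the blanket policy, Deny_Read / Deny_Write /
# Deny_Execute in per-class GUID subkeys). Confirm on a test machine.
$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices',  # Computer Configuration
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'   # User Configuration
)

function Get-RemovableStoragePolicy {
    param([string[]]$Path = $policyRoots)

    foreach ($root in $Path) {
        if (-not (Test-Path -Path $root)) {
            # Key absent: no removable-storage policy from this scope reached the client.
            [pscustomobject]@{ Key = $root; Class = 'All'; Setting = 'Deny_All'; Value = $null; State = 'Not Configured' }
            continue
        }

        # Deny_All = 1 means the blanket deny policy is Enabled.
        $denyAll = (Get-ItemProperty -Path $root -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
        $state = if ($denyAll -eq 1) { 'Enabled' } elseif ($null -eq $denyAll) { 'Not Configured' } else { 'Disabled' }
        [pscustomobject]@{ Key = $root; Class = 'All'; Setting = 'Deny_All'; Value = $denyAll; State = $state }

        # Report any narrower per-class restrictions that are also present.
        foreach ($sub in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
                $value = $sub.GetValue($name)
                if ($null -ne $value) {
                    $classState = if ($value -eq 1) { 'Enabled' } else { 'Disabled' }
                    [pscustomobject]@{ Key = $root; Class = $sub.PSChildName; Setting = $name; Value = $value; State = $classState }
                }
            }
        }
    }
}

# One row per setting found, for both the computer and the current user scope.
Get-RemovableStoragePolicy | Format-Table -AutoSize
```

Running it as a member of a group excluded through Security Filtering should show Not Configured for that scope, which is a quick way to check that the exception took effect.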
Most DLP products require some sort of agent on the endpoint to monitor the USB transactions, so this may not be the totally stealthy option you are looking for. Some of the best Data Loss Prevention software I have used include:

McAfee DLP: Initially quite easy to set up for just monitoring. If you decide to put policies in place to control specific devices and keyword flagging, it can get a bit complicated but can become a very powerful tool.

Websense: Part of the Triton range of products is the Data Protection service. This again is a very powerful tool that not only monitors USB but can monitor what is being printed and mailed out using cloud-based mail services like Google Mail. Again, keyword detection is this product's main feature.

Saying that though, depending on your AV solution, you may be able to configure that to do some monitoring / recording of files. One example being Symantec Endpoint Protection: although this is primarily an AV product, it does allow device control, and it is a simple case of turning on a pre-written policy to log files written to USB devices. This removes the need for a third-party agent, and users will just think it's AV software preventing viruses.