Locking down Removable Storage(USB/Flash Drives) but creating excemption for DVD/CD Drive

Deborah Canales
Deborah Canales used Ask the Experts™
on
Title pretty much says what I am needing help with.  We are wanting to lock down USB/Flash Drive access on our domain, but we noticed the cd/dvd drives on users computers are listed under Removable Storage so these get locked down as well.  Is there any way to create exemption for these drives?  I saw some articles on finding the hardware id on the cd/dvd drives but where would I list these in the group policy?

Thanks for any assistance on this.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Director of IT/TS, Quality and Finance
Commented:
On your AD server, open Group Policy Management, Edit Default DC Policy.
Policies - Administrative Templates - System - Removable Storage Access
GP-Mgt-Editor.jpg
GP-Settings.jpg
Deborah CanalesSystems Administrator

Author

Commented:
Hi Lee,

Thanks for the assistance.  However I don't want to disable CD/DVD drives, just USB flash drives.  However when I enabled GP settings for removable disks, it locked down the cd/dvd drive as well.
Deborah CanalesSystems Administrator

Author

Commented:
Hi Lee,

I reread your last comment and I believe I misunderstood the instructions. Sorry about  that.   Let me try this and I will let you know.

Thanks!
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Deborah CanalesSystems Administrator

Author

Commented:
Perfect. It worked.  Thanks! Consider this closed.
Lee IngallsDirector of IT/TS, Quality and Finance

Commented:
My pleasure Deborah. Enjoy the weekend!

Regards, Lee
Distinguished Expert 2018

Commented:
Depending on what you are trying to protect against, the solution is not complete, yet. If an attacker would connect a usb device that could mimic a keyboard, it would not be stopped by this GPO. The attack I am talking about is usualy referred to as "usb rubberducky". Find more info and a solution here: http://www.experts-exchange.com/articles/18574/Bad-USB-time-to-fight-back.html

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial