Stop executables from usb storage

Removable media (usb storage devices) is a headache for IT staff If you are managing many computers in a domain. Usually users plug same usb device for many computers.

Eg: to home PC, personal laptops, friend's & colleague's computers & etc...

even if your corporate network is protected from antivirus software, still those devices can infect from outside. to get rid of this hassle many organizations completely block removable media devices for corporate networks while those are required for some day today works (flexibility)

here I show you a small method which prevents executing every executables from usb storage.
we use group policy to deploy this to all computers. its very simple, we specify some drive letters & all the executable content within any folder structure will be prevented from running.

usually in any microsoft windows system C drive is for OS, D is for optical drive & e, f for next hard drive partitions.
usually issuing drive letters for usb starting from next available free letter.
we block letters from "G" like G: H: I: J: K:

create a group policy object & link it to necessary computers OU or to all computers in the domain.
simply create a path rule in following location in computer configuration node.


reboot client PC & you can see that all the executables are blocked, but still you can play music & videos, open documents & other stuff in the external storage devices. we should not include or specifiy any file extenssions here & just imagine all the executables word.

But still user can copy files to the computer & try to run.

Please feel free to put a comment if this was useful to you
Should you think that you need further assistance from me, please use contact us form

Comments

Post a Comment

Popular posts from this blog

WSUS Client is not downloading updates

Image
Fix for windows clients are searching for updates forever.  According to my investigation, most of times this issue begins after installing  KB2919355 update  & this is affected for wsus clients & both direct download updates from Microsoft web site. This is not an issue with wsus server. once we click on check for updates in control panel windows update, we can see it is searching for updates forever & nothing other than. Checking for updates forever If you are using wsus server to deploy updates to client computers, you can see following errors in the wsus console. This computer has not reported status yet This computer has not reported status in xxx or more days. Solution steps Restart windows update service Download & install following windows update from Microsoft web site  KB3102812 . After reboot client computer stop Windows Update Service & Windows Modules Installer service. delete C:\Windows\SoftwareDistribution root folder. (you cann
Read more

Get email alerts when hard drive develops bad sectors

Image
If you are managing over 100 computers network, this will be a cool idea to make your life easier. we know well, once a hard drive makes failure, how we struggle to get data back. but how it is cool if we can acknowledge it before hard drive failure.  according to my experience hard drives not fail suddenly & before it get in to series, for many days & weeks it writes to event viewer that it is failing. usually we cannot read every machine's event log for hard drive failures. this is the reason we miss this important message. If you manage a windows domain network, using GPO we can configure to receive email notifications when drive errors occur. I am going to show you an amazing way to do this trick. you may apply for this for another goal also. If you use this successfully, you may feel what a wonderful trick is this because there is no time waste in your Sys Admin life. We use Group policy to do this Brief of tasks we are going to do. we use small query to fi
Read more