Secure your company from unauthorized external devices by implementing strict access controls and regular audits.
The goal is to secure a Windows 10 system so that USB drives and external hard drives can only be used for authorized purposes. The concern is preventing malware from being injected when devices are connected, even if basic security tools like PowerShell or Command Prompt are disabled. You want to allow employees to bring their own drives for work but ensure they can’t accidentally expose the network to threats. The idea is to block unauthorized access while still supporting legitimate use. Simplify the process by focusing on a method that restricts drive access and scanning capabilities without overly limiting productivity.
Are we discussing a Microsoft domain-based company network or is this setup quite simple? It seems letting external media through at home for a corporate device isn't much different from connecting to the internal network. A hacked computer can still spread threats once it joins that network. I recommend disabling external media completely for the user group via domain policies. For those who must access external media—such as sysadmins—create separate accounts outside the restricted domain area.
This action is being performed through Windows Defender, and there’s a way to restrict removable devices using Group Policy. A quick search confirms the setting is found in Computer Configuration → Policies → Administrative Templates → System → Removable Storage Access.
That's a valid approach, though it doesn't fully match what the OP is aiming for. We're not requesting full disabling but rather limiting its use.
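The Group Policy path named above and the "limit rather than disable" goal can be combined: the Removable Storage Access policy writes per-device-class values under the local Policies key, and a read-only removable-disk setting (deny write and execute, allow read) is the middle ground. The script below is an added example, not from anyone in this thread; it assumes an elevated PowerShell on a standalone Windows 10 machine (in a domain, set the same values through the GPO instead of editing the registry directly).

```powershell
# Added example (not from the thread): apply and audit the "Removable Disks: Deny write / Deny execute"
# policy values that the Removable Storage Access GPO writes, so removable drives become read-only.
# Assumption: run elevated on Windows 10; in a domain, prefer the GPO over a local registry edit.

$RemovableDisksGuid = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # device setup class used by the policy for removable disks
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksGuid"

function Set-RemovableDiskPolicy {
    param(
        [bool]$DenyRead    = $false,   # keep reads allowed so staff can still open work files
        [bool]$DenyWrite   = $true,    # block copying data out to the drive
        [bool]$DenyExecute = $true     # block launching binaries straight off the drive
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'Deny_Read'    -Value ([int]$DenyRead)    -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'Deny_Write'   -Value ([int]$DenyWrite)   -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'Deny_Execute' -Value ([int]$DenyExecute) -PropertyType DWord -Force | Out-Null
}

function Get-RemovableDiskPolicy {
    # Audit helper: returns the configured values (0 = not restricted), for a periodic compliance check.
    $values = @{ Deny_Read = 0; Deny_Write = 0; Deny_Execute = 0 }
    if (Test-Path $PolicyKey) {
        $item = Get-ItemProperty -Path $PolicyKey
        foreach ($name in @($values.Keys)) {
            if ($null -ne $item.$name) { $values[$name] = [int]$item.$name }
        }
    }
    [pscustomobject]$values
}

Set-RemovableDiskPolicy            # read allowed, write and execute denied
Get-RemovableDiskPolicy | Format-List
```

Reconnect a test drive (or reboot) after applying the change and confirm that files open but cannot be written or launched; the same audit function can be run from a scheduled task to catch machines where the values have been cleared.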
When you take action, the company must think about the worst possible outcome and prepare accordingly (data compromised, or your main servers and information are secured). Choosing convenience over security opens up a major issue. Before deciding on hardware or software fixes, focus on people, training, and policies. Ask why they’re taking such steps despite the dangers—weigh the advantages against the disadvantages.
Truly, for any organization regardless of size, this approach isn’t ideal. All external removable storage should be turned off. There’s no justification, particularly when handling sensitive NPI data—something nearly every business faces to some extent. Create an alternative method for moving work files that doesn’t rely on removable media. That’s the final takeaway.
You're correct, the OP's request isn't feasible. Consider disabling the feature as suggested by @Skipple or using the USB settings via BIOS if available. This is the recommended approach.
YES! The staff on site pose the greatest threat regarding security. They’re unmotivated, stick to routines, and rarely notice their surroundings. Turn off the USB ports and shut them down physically. Recreate the setup from the 80s—dumb terminals, locked servers, secured goods—and give everyone a tablet for access. The IT personnel or team members are the sole authorized people in the secure room and can control everything from there.