How do I prevent users from accessing USB storage devices using an SCSP prevention policy?
This article describes how to block access to removable devices by addressing their underlying \Device\* names as seen by the OS, rather than their drive letters.
As an example, here are the mappings from a system that has two floppy drives, one internal hard disk with two partitions, a CD-ROM, an external USB hard drive and a USB pen drive (thumb drive):
A: -> \Device\Floppy0 (internal floppy drive)
B: -> \Device\Floppy1 (external USB floppy drive)
C: -> \Device\HarddiskVolume1 (a partition on an internal hard drive)
D: -> \Device\HarddiskVolume2 (a partition on an internal hard drive)
E: -> \Device\CdRom0 (an internal CD/DVD drive)
F: -> \Device\HarddiskVolume3 (an external USB hard drive, not a thumb drive)
G: -> \Device\Harddisk2\DP(1)0-0+10 (a USB thumb drive)
To make the prevention policy monitor and disallow access to removable drives at all times, enter the underlying device names into the policy rather than the drive letters. That way it does not matter whether the drive letters are mapped at the time the policy is applied, or which letter a device receives when it is later plugged in. Note: when a USB device is plugged in, its drive letter will still appear in the Windows GUI, but the device cannot be accessed.
As the list above shows, there is no way to distinguish an internal hard drive (volumes 1 and 2) from an external USB hard drive (volume 3) by the underlying device name alone: the volumes are simply numbered in the order the OS enumerates them. If the internal drive had three partitions, the external drive would have become volume 4.
If you want to perform this monitoring on a large number of systems, you need to know whether the enterprise has a consistent hardware configuration on its workstations with respect to internal hard drive partitions (or a small number of configurations, and exact knowledge of which agents have which configuration). This determines the specific underlying device names you put into the policy, and you may end up with several policies to address several different hardware configurations. Before applying any policy to a machine, I recommend first applying it with prevention disabled and reviewing the events it generates, so that you can see which device names the policy would block before it actually blocks them.
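To take the device names from each hardware configuration rather than guess them, the following PowerShell script (an added example, not part of the original article or of the SCSP product) lists every drive letter on the workstation with its underlying NT device name, the drive type, and the bus its physical disk sits on. It maps letters to device names with the Win32 QueryDosDevice API and ties each letter back to its physical disk through the WMI association chain Win32_DiskDrive -> Win32_DiskPartition -> Win32_LogicalDisk, which is what lets you tell an internal HarddiskVolume from a USB one when the name alone cannot. It assumes Windows with PowerShell 3.0 or later (for Get-CimInstance); the exact device-name form varies by Windows version, so the DP(...) style name shown for the thumb drive above may appear as a HarddiskVolume on newer systems, which makes the interface check all the more necessary.

```powershell
# Added example (not from the article or the SCSP product): list every drive letter
# with its NT device name, drive type and disk interface, and print the candidate
# \Device\* names to lock down for this hardware configuration.

if (-not ('Native.Kernel32' -as [type])) {
    Add-Type -Namespace Native -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName,
    System.Text.StringBuilder lpTargetPath, uint ucchMax);
'@
}

function Get-NtDeviceName {
    # "C:" -> "\Device\HarddiskVolume1"; returns $null when the letter is not mapped
    param([string]$DriveLetter)
    $buf = New-Object System.Text.StringBuilder 1024
    $len = [Native.Kernel32]::QueryDosDevice($DriveLetter, $buf, [uint32]$buf.Capacity)
    if ($len -eq 0) { return $null }
    return $buf.ToString()
}

# Walk Win32_DiskDrive -> Win32_DiskPartition -> Win32_LogicalDisk so that each
# drive letter can be tied back to the physical disk and its interface type.
$letterToDisk = @{}
foreach ($disk in Get-CimInstance -ClassName Win32_DiskDrive) {
    $partitions = Get-CimAssociatedInstance -InputObject $disk -ResultClassName Win32_DiskPartition
    foreach ($partition in $partitions) {
        $logicalDisks = Get-CimAssociatedInstance -InputObject $partition -ResultClassName Win32_LogicalDisk
        foreach ($logical in $logicalDisks) {
            $letterToDisk[$logical.DeviceID] = $disk
        }
    }
}

# Win32_LogicalDisk.DriveType values
$driveTypeNames = @{ 2 = 'Removable'; 3 = 'Fixed'; 4 = 'Network'; 5 = 'CDROM'; 6 = 'RAMDisk' }

$rows = foreach ($logical in Get-CimInstance -ClassName Win32_LogicalDisk | Sort-Object DeviceID) {
    $disk = $letterToDisk[$logical.DeviceID]           # $null for floppies and network drives
    $typeName = $driveTypeNames[[int]$logical.DriveType]
    if (-not $typeName) { $typeName = "Type$($logical.DriveType)" }
    $interface = if ($disk) { $disk.InterfaceType } else { 'n/a' }   # USB, IDE, SCSI, ...
    $model     = if ($disk) { $disk.Model } else { '' }
    [pscustomobject]@{
        Letter    = $logical.DeviceID
        NtDevice  = Get-NtDeviceName -DriveLetter $logical.DeviceID
        DriveType = $typeName
        Interface = $interface
        Model     = $model
    }
}

$rows | Format-Table -AutoSize

# Candidate names for the policy: removable media, optical drives (the article keeps
# the CD-ROM read-only rather than blocked) and any disk reached over USB, whatever
# its HarddiskVolume number. Compare this list with the events logged while the
# policy runs with prevention disabled before enforcing it.
"`nDevice names to lock down on this configuration:"
$rows |
    Where-Object { $_.NtDevice -and ($_.DriveType -in @('Removable', 'CDROM') -or $_.Interface -eq 'USB') } |
    ForEach-Object { "  $($_.NtDevice)  ($($_.Letter) $($_.DriveType) $($_.Interface))" }
```

Run it once per distinct hardware configuration (with the USB devices you want to catch plugged in) and collect the printed device names into the policy for that configuration; a fixed internal disk whose interface is IDE or SCSI is left off the list, while a USB hard drive that happens to be HarddiskVolume3 or HarddiskVolume4 is picked up by its interface rather than its number.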
Here is a policy "changes from base" screenshot showing the configuration for a single internal hard disk/partition; all other removable devices are locked down, except for the CD-ROM device, which is left read-only.