Removing privileges and access to users in Windows 10

Question

I am new to system administration so please bear with me. I have a Lenovo laptop running Windows 10. There is highly sensitive information (media files) on the machine that I need another user to edit. However, I need to :-

a. Disable all external storage (USB, DVD etc. ) but still let the user use USB mice and other input devices.

b. Deny all network access (both LAN and Internet)

c. Disallow the user to meddle with these security settings.

1. How do I accomplish the above on Windows 10?

2. Is there any other security measure I need to take such as encryption? Bitlocker is not an option due to the configuration of my Windows 10 implementation. Will encrypting the hard drive (using say VeraCrypt) ensure safety of my data even if it is somehow stolen?

3. Should I change any BOOT/BIOS settings to ensure I have the necessary "air-gapping" effect for the particular user?

EDIT: I am unable to install gpedit.msc using instructions available on this site Windows Starter Edition, Home and Home Premium do not include gpedit, how do I install it?

So, is editing the registry my option?

Answer 1

We are always glad to help, but you actually have several somewhat related questions combined. It may be prudent to ask different questions accordingly, rather that something quite so broad in scope.

In the interim, I can definitely help you with one of them: is this a Windows 10 Professional (or Enterprise) machine? If so, you can utilize the Local Group Policy editor to disable external storage media. Search for gpedit.msc with elevated privileges and navigate to the following:

Computer Configuration\Administrative Templates\System\Removable Storage Access

Within there you will see several settings you can potentially enable that are related to disabling removable storage access. If you want to implement it for all of them, enable the following:

All Removable Storage classes: Deny all access

Once enabled, the USB and DVD external storage access will be disabled, but the user will still be able to use a USB mouse and keyboard. If they aren't an administrator, they won't be able to change those settings.

If it is Windows 10 Home, you should be able to achieve the same results by modifying the registry:

1. Search for regedit with elevated privileges and navigate to the following:

   HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices
   

2. NOTE: If RemovableStorageDevices is not there in the left pane, then right-click on Windows and click on New and Key. Type RemovableStorageDevices and press Enter.

3. In the right pane of RemovableStorageDevices, right click on a empty area and click on New and DWORD (32-bit) Value and type Deny_All and press Enter.

4. Right click on Deny_All and click on Modify.

5. Type 1 and click on the OK button.

   

6. Close regedit accordingly.

(Source)