A company's security policy requires that all USB storage devices be blocked on company workstations to prevent data exfiltration. A manager needs to temporarily use a USB drive for a presentation. What is the best way to remediate this while maintaining security?
Trap 1: Disable the USB blocking Group Policy for the entire domain
Disabling the policy for the whole domain exposes all workstations to risk, not just the manager's.
Trap 2: Give the manager a company-approved USB drive and tell them to use…
Without changing the block policy, the drive will still be blocked; instructions alone do not remediate the technical restriction.
Trap 3: Create a local admin account on the manager's workstation and…
Local changes can be overridden by Group Policy and create a security gap; it is better to manage via policy.
- A
Disable the USB blocking Group Policy for the entire domain
Why wrong: Disabling the policy for the whole domain exposes all workstations to risk, not just the manager's.
- B
Use a Group Policy to allow only the specific USB device by hardware ID, then remove the allowance after use
This maintains security by only allowing a known device, and you can revert the policy afterward.
- C
Give the manager a company-approved USB drive and tell them to use it only once
Why wrong: Without changing the block policy, the drive will still be blocked; instructions alone do not remediate the technical restriction.
- D
Create a local admin account on the manager's workstation and disable the USB block locally
Why wrong: Local changes can be overridden by Group Policy and create a security gap; it is better to manage via policy.