SecurityArena

Guide to Practical Info Security!

Written by Administrator   
Thursday, 04 June 2009 07:26

Controlling Access to USB Storage Devices

Present-day computers come with all sorts of fancy storage accessories. While these devices bring a lot of flexibility for ordinary users, they also make it almost impossible to enforce any kind of access policy on modern machines.

Considering the vulnerabilities presented by these storage devices, most system administrators look to remove CD writers or DVD burners from their enterprise network PCs. However, the presence of open USB ports on enterprise network PCs presents a much graver danger. Instances are often reported where office workers have simply plugged their USB drive, external USB hard disk or even their portable music player into an office PC and transferred important company data and copies of copyright-protected software to their removable storage. Still more alarming are the instances where an unhappy company employee has used open USB ports to deliver viruses, Trojans, spyware or other malicious code into the enterprise network.

To deal with the threat posed by these USB ports on a company network, system administrators can adopt various approaches and mechanisms, ranging from very basic to complex.

An elementary but not so smart approach adopted by some system administrators is to tape over the USB ports to prevent employees from inserting any USB device into their computer.

Another approach could be to disable USB drives by changing the BIOS settings and then lock the BIOS using passwords.

But the problem with the first two approaches is that the USB ports on staff computers are rendered completely unusable, even for necessary peripherals such as USB keyboards and mice.

A better approach with Windows XP SP2 may be to bar only write access to USB ports, so that data files cannot be copied to USB storage devices and only read-only access is allowed. This requires a simple tweak to the Windows registry. To do this:

  • Use the Windows Registry Editor (System > Run > regedit) and open the following key:
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies
  • Add a new REG_DWORD named WriteProtect and set its value to 0 to disable write access to the USB port.
  • To undo this when needed, either delete the WriteProtect REG_DWORD or set its value to 1, which will enable write access to the USB port.

A more secure and recommended approach could be to completely deny connection of USB storage devices to the staff computers. To do this:

  • Use the Windows Registry Editor (System > Run > regedit) and open the following key:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
  • Double-click on Start, and assign 4 to the Value data box (Hexadecimal).
  • To enable the USB storage devices, assign 3 to the Value data box (Hexadecimal).
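
The UsbStor steps above can be scripted so the setting is audited and read back rather than clicked through by hand. This is an added example, not part of the original article: the function names Get-UsbStorState and Set-UsbStorState are hypothetical, and it assumes PowerShell 3.0 or later in an elevated session.

```powershell
# Added example: audit and set the UsbStor "Start" value described above.
# Function names are hypothetical; run from an elevated PowerShell session.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'

function Get-UsbStorState {
    # Returns an object describing whether the USB storage driver may load.
    if (-not (Test-Path -Path $UsbStorKey)) {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Start = $null; State = 'KeyMissing' }
    }
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction Stop).Start
    $state = switch ($start) {
        3       { 'Enabled' }     # value the article gives for enabling USB storage
        4       { 'Disabled' }    # value the article gives for denying USB storage
        default { 'Unexpected' }  # anything else deserves a manual look
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Start = $start; State = $state }
}

function Set-UsbStorState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    $value = if ($State -eq 'Disabled') { 4 } else { 3 }
    if (-not (Test-Path -Path $UsbStorKey)) {
        throw "Registry key not found: $UsbStorKey"
    }
    # ShouldProcess makes -WhatIf and -Confirm work, so the change can be previewed.
    if ($PSCmdlet.ShouldProcess($UsbStorKey, "Set Start to $value")) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value $value -Type DWord -ErrorAction Stop
    }
    Get-UsbStorState   # read the value back so the result is verified, not assumed
}

# Report the current state, then preview the change without writing anything.
Get-UsbStorState
Set-UsbStorState -State Disabled -WhatIf
```

Running Get-UsbStorState on a schedule and alerting on any state other than Disabled shows when the value has been changed back.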

However, if your enterprise network computers run Windows Vista, you have a way to control which hardware devices can be installed and which can't. Using Group Policy in Windows Vista and the next version of Windows Server, we can selectively allow specific USB peripherals such as a mouse and disallow USB flash disks, or similarly allow CD-ROM readers but restrict DVD writers.

Last Updated on Friday, 28 August 2009 04:19