Wednesday, October 04, 2006

USB Drive Access Control Part 2

So I'm still looking at options for controlling access to USB devices and other forms of removable media.  As you can see in this article, I have a list of potential applications to help me with that.  In the mean time, I discovered a way to help me mitigate the problem.

Some users in my company will require the use of USB flash drives or hard drives, and for that, we need to purchase some software tools to be able to restrict access by user and by device model.  Other users, however, have no use for USB storage devices at all.

The "old school" method of restricting access to USB was to disable the USB ports in the BIOS.  This was highly effective, and if the BIOS was password protected, the user couldn't find a workaround to give them access. 

There were only 3 problems with this method.  First, in theory, a knowledgeable individual could just install a USB card in an available PCI slot.  While this is unlikely considering my user base, it is still a potential risk.  Second, many newer systems, such as Dell's Optiplex GX280, have done away with PS/2 ports for the mouse and keyboard, relying instead on USB.  If you disable all the USB ports, there go your input devices.  Third, it requires a visit to each PC, since I haven't found a way to script BIOS changes yet.

So here's the new and improved method, courtesy of Windows XP SP2:
1. Start the registry editor (regedit.exe).
2. Go to
3. From the Edit
menu, select New, Key, and type
StorageDevicePolicies. If this key already
exists, then skip to
the next step.
4. Highlight the newly created key
"StorageDevicePolicies" and
from the Edit menu select New, DWORD Value, type
WriteProtect and
press Enter.
5. Double-click WriteProtect and enter 1 for
Value data. The value
1 makes all the USB drives read-only; a value of 0 will
make them
6. Close the registry editor and restart the

I also found way to do this via GPO, here.

Technorati Tags: , ,


Post a Comment

Links to this post:

Create a Link

<< Home