Tech Support Forum banner
Status
Not open for further replies.

Restict Certain USB Removable Storage Devices

7K views 10 replies 4 participants last post by  Smael123 
#1 ·
I would like to restrict certain USB removable storage devices from an un-networked Windows XP Professional SP3 desktop. This is the sort of system where a virus or other malware would be very inconvenient.

I would like to allow certain USB hard drives to have read-write-whatever privileges, all other USB removable storage devices to get no privileges, and all other devices to be unaffected. I would like this to be applied to all three accounts (Administrator, Normal, and ASP).

The problem is, the hard drives will have to be replaced from time to time in order to minimise "spontaneous" failure. This means that the solution provided by Microsoft will not be ideal.

I can't use the "Administrator Only" functions because the owner shares the Administrator password with all of his employees. I have explained to him time and time again why this is a Very Bad Idea, and I don't know why I bothered.

If anyone has any ideas, they will be considered.
 
#2 ·
I went through something similar a few months ago trying to combat company espionage. The best I could do was prevent ALL USB storage or nothing. This was on a Win7 machine which has some built in policies for this. For Win XP I couldn't find one. All I have in my notes for XP is a registry key to disable USB storage devices globally. I'd be interested in hearing other ideas as well.
 
#3 ·
I found this link, but not sure if it's really any different to what Fred is coming up with. Pretty sure it's the same as disabling them.
I was trying to figure out a way earlier today when I read your question to see if I could manually change the drive letter of the USB (say to Y) and restrict certain rights to the Y:\ Drive. Still trying to figure out how though. That way certain USB's would be allowed and you could then disable access to all others?
 
#4 ·
Yes, the instructions in that link are essentially what I was referring to. It's not too big a deal if an Admin has to go in and change the reg value from 4 to 3 to use a USB drive occasionally, but that was the best I could do. I think some of those instructions also rely on a domain using AD to control permissions.
 
#6 ·
I suppose it'll have to do. I could always write a batch file
That's a good idea, or at least a .Reg file to run. It makes me think of something like a start up script and a log off script set for a specific admin user. Though I don't remember if a reboot is required for the registry change to take effect. If you do find anything else useful, please post back.
 
#7 ·
A reboot is not required, only the USB drive must be power cycled.

I think a .reg file would be better, it is more . . . intimidating. The employees are about as tech savvy as a monkey, they wouldn't touch a file that Windows said not to.

Now I just need to read up on .reg files.
 
#9 ·
I think that would be a little too complex, I'm working with someone who thinks computers can get viruses through the air. However, I can probably make this part of the entire backup prog that I will probably have to hack together once I get the rest of the programs installed.
 
Status
Not open for further replies.
You have insufficient privileges to reply here.
Top