Tech Support Forum banner
Status
Not open for further replies.
1 - 11 of 11 Posts

·
TSF Team, Emeritus
Joined
·
2,367 Posts
Discussion Starter · #1 ·
I would like to restrict certain USB removable storage devices from an un-networked Windows XP Professional SP3 desktop. This is the sort of system where a virus or other malware would be very inconvenient.

I would like to allow certain USB hard drives to have read-write-whatever privileges, all other USB removable storage devices to get no privileges, and all other devices to be unaffected. I would like this to be applied to all three accounts (Administrator, Normal, and ASP).

The problem is, the hard drives will have to be replaced from time to time in order to minimise "spontaneous" failure. This means that the solution provided by Microsoft will not be ideal.

I can't use the "Administrator Only" functions because the owner shares the Administrator password with all of his employees. I have explained to him time and time again why this is a Very Bad Idea, and I don't know why I bothered.

If anyone has any ideas, they will be considered.
 

·
Team Manager - Networking , Moderator - Micros
Joined
·
4,376 Posts
I went through something similar a few months ago trying to combat company espionage. The best I could do was prevent ALL USB storage or nothing. This was on a Win7 machine which has some built in policies for this. For Win XP I couldn't find one. All I have in my notes for XP is a registry key to disable USB storage devices globally. I'd be interested in hearing other ideas as well.
 

·
Registered
Joined
·
1,553 Posts
I found this link, but not sure if it's really any different to what Fred is coming up with. Pretty sure it's the same as disabling them.
I was trying to figure out a way earlier today when I read your question to see if I could manually change the drive letter of the USB (say to Y) and restrict certain rights to the Y:\ Drive. Still trying to figure out how though. That way certain USB's would be allowed and you could then disable access to all others?
 

·
Team Manager - Networking , Moderator - Micros
Joined
·
4,376 Posts
Yes, the instructions in that link are essentially what I was referring to. It's not too big a deal if an Admin has to go in and change the reg value from 4 to 3 to use a USB drive occasionally, but that was the best I could do. I think some of those instructions also rely on a domain using AD to control permissions.
 

·
Team Manager - Networking , Moderator - Micros
Joined
·
4,376 Posts
I suppose it'll have to do. I could always write a batch file
That's a good idea, or at least a .Reg file to run. It makes me think of something like a start up script and a log off script set for a specific admin user. Though I don't remember if a reboot is required for the registry change to take effect. If you do find anything else useful, please post back.
 

·
TSF Team, Emeritus
Joined
·
2,367 Posts
Discussion Starter · #7 ·
A reboot is not required, only the USB drive must be power cycled.

I think a .reg file would be better, it is more . . . intimidating. The employees are about as tech savvy as a monkey, they wouldn't touch a file that Windows said not to.

Now I just need to read up on .reg files.
 

·
Team Manager - Networking , Moderator - Micros
Joined
·
4,376 Posts
Open registry editor and move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor

On the menu, click on File, then Export and save as Enable.Reg, or whatever. Then change the Start value to 4 in the registry and save again as Disable.reg.
 

·
TSF Team, Emeritus
Joined
·
2,367 Posts
Discussion Starter · #9 ·
Open registry editor and move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor

On the menu, click on File, then Export and save as Enable.Reg, or whatever. Then change the Start value to 4 in the registry and save again as Disable.reg.
I think that would be a little too complex, I'm working with someone who thinks computers can get viruses through the air. However, I can probably make this part of the entire backup prog that I will probably have to hack together once I get the rest of the programs installed.
 

·
Team Manager - Networking , Moderator - Micros
Joined
·
4,376 Posts
Whatever works best for you... I should have added: If you save the the 2 reg files above to the desktop (or anyplace hidden) all you have to do is double click the reg file to make the changes.
 
1 - 11 of 11 Posts
Status
Not open for further replies.
Top