I went through something similar a few months ago trying to combat company espionage. The best I could do was prevent ALL USB storage or nothing. This was on a Win7 machine which has some built in policies for this. For Win XP I couldn't find one. All I have in my notes for XP is a registry key to disable USB storage devices globally. I'd be interested in hearing other ideas as well.
Restict Certain USB Removable Storage Devices
I would like to restrict certain USB removable storage devices from an un-networked Windows XP Professional SP3 desktop. This is the sort of system where a virus or other malware would be very inconvenient.
I would like to allow certain USB hard drives to have read-write-whatever privileges, all other USB removable storage devices to get no privileges, and all other devices to be unaffected. I would like this to be applied to all three accounts (Administrator, Normal, and ASP).
The problem is, the hard drives will have to be replaced from time to time in order to minimise "spontaneous" failure. This means that the solution provided by Microsoft will not be ideal.
I can't use the "Administrator Only" functions because the owner shares the Administrator password with all of his employees. I have explained to him time and time again why this is a Very Bad Idea, and I don't know why I bothered.
If anyone has any ideas, they will be considered.
I would like to allow certain USB hard drives to have read-write-whatever privileges, all other USB removable storage devices to get no privileges, and all other devices to be unaffected. I would like this to be applied to all three accounts (Administrator, Normal, and ASP).
The problem is, the hard drives will have to be replaced from time to time in order to minimise "spontaneous" failure. This means that the solution provided by Microsoft will not be ideal.
I can't use the "Administrator Only" functions because the owner shares the Administrator password with all of his employees. I have explained to him time and time again why this is a Very Bad Idea, and I don't know why I bothered.
If anyone has any ideas, they will be considered.
- Status
- Not open for further replies.
1 - 11 of 11 Posts
I found this link, but not sure if it's really any different to what Fred is coming up with. Pretty sure it's the same as disabling them.
I was trying to figure out a way earlier today when I read your question to see if I could manually change the drive letter of the USB (say to Y) and restrict certain rights to the Y:\ Drive. Still trying to figure out how though. That way certain USB's would be allowed and you could then disable access to all others?
I was trying to figure out a way earlier today when I read your question to see if I could manually change the drive letter of the USB (say to Y) and restrict certain rights to the Y:\ Drive. Still trying to figure out how though. That way certain USB's would be allowed and you could then disable access to all others?
Yes, the instructions in that link are essentially what I was referring to. It's not too big a deal if an Admin has to go in and change the reg value from 4 to 3 to use a USB drive occasionally, but that was the best I could do. I think some of those instructions also rely on a domain using AD to control permissions.
I suppose it'll have to do. I could always write a batch file or simple C++ prog to switch the values when required.
That's a good idea, or at least a .Reg file to run. It makes me think of something like a start up script and a log off script set for a specific admin user. Though I don't remember if a reboot is required for the registry change to take effect. If you do find anything else useful, please post back.I suppose it'll have to do. I could always write a batch file
A reboot is not required, only the USB drive must be power cycled.
I think a .reg file would be better, it is more . . . intimidating. The employees are about as tech savvy as a monkey, they wouldn't touch a file that Windows said not to.
Now I just need to read up on .reg files.
I think a .reg file would be better, it is more . . . intimidating. The employees are about as tech savvy as a monkey, they wouldn't touch a file that Windows said not to.
Now I just need to read up on .reg files.
Open registry editor and move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
On the menu, click on File, then Export and save as Enable.Reg, or whatever. Then change the Start value to 4 in the registry and save again as Disable.reg.
On the menu, click on File, then Export and save as Enable.Reg, or whatever. Then change the Start value to 4 in the registry and save again as Disable.reg.
I think that would be a little too complex, I'm working with someone who thinks computers can get viruses through the air. However, I can probably make this part of the entire backup prog that I will probably have to hack together once I get the rest of the programs installed.Open registry editor and move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
On the menu, click on File, then Export and save as Enable.Reg, or whatever. Then change the Start value to 4 in the registry and save again as Disable.reg.
Whatever works best for you... I should have added: If you save the the 2 reg files above to the desktop (or anyplace hidden) all you have to do is double click the reg file to make the changes.
I don't think you can do that because FAT32, the default file type for flash drives, does not have that kind of security.
1 - 11 of 11 Posts
- Status
- Not open for further replies.
Tech Support Forum
A forum community dedicated to tech experts and enthusiasts. Come join the discussion about articles, computer security, Mac, Microsoft, Linux, hardware, networking, gaming, reviews, accessories, and more!
Full Forum Listing
Top Contributors this Month
View All
spunk.funk
137 Replies
wolfen1086
50 Replies
SpywareDr
50 Replies
Recommended Communities
