How to disable USB key's

SaintTigurius

Senior member
Apr 3, 2003
332
0
0
Hey guys

We want to disable USB key usage at work because important info is being leaked out.

But I don't want to disable the USB functions on the computer because some mice and scanners work off USB. Is there a service or type of program or script that I can disable so it won't allow storage devices to get used? We have rights on our pc's which disallow users to install any software; a lot of the USB's don't need drivers and work with user rights. Is there a way to stop this...

Greatly appreciated

 

Peter

Elite Member
Oct 15, 1999
9,640
1
0
Windows XP can be set to treat all USB storage as read-only. Google for information on how to do that.

While you're at it, disable the overuse of apostrophes as well ;)
 

SaintTigurius

Senior member
Apr 3, 2003
332
0
0
In regedit:

local_machine
- system
- currentcontrolset
- StorageDevicePolicies (create this folder)
|
create a DWORD "WriteProtect"

values 0 = disabled write protect
1 = enabled write protect

I got this, but it's only for XPSP2...

Win2000, anyone got any suggestions?
 

Peter

Elite Member
Oct 15, 1999
9,640
1
0
The feature was added in XPSP2 for the very reason you stated. Older OS releases no can do, maybe there's 3rd party software that lets you do it.
 

AbsolutDealage

Platinum Member
Dec 20, 2002
2,675
0
0
Load up regedit, navigate to the following location:

HKLM/System/CurrentControlSet/Enum/USBSTOR

Set the "Start" key to hex "4". I know this works on XP, not sure about 2000.

Also, you can deny the user permissions to the %SystemRoot%\Inf\Usbstor.pnf and %SystemRoot%\Inf\Usbstor.inf files. This will do nothing if the user has previously installed the specific USB key that they are using. You will have to nuke HKLM/System/CurrentControlSet/Enum/USB directory to get rid of the previous definition. Of course, this will nuke any driver definitions for any other connected USB devices.

Assuming that the user is not an administrator, this should work pretty well.

Anyways, I would look at this problem differently. I would try to catch the person in question and have them let go instead of trying to lock down every machine. If the person is persistent enough, there are a million ways to get data out of a system.
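
An added example, not part of any post in this thread: a PowerShell script that reports, and optionally sets, the two registry controls discussed above (the `WriteProtect` policy and the USBSTOR `Start` value). It assumes an elevated prompt and uses the documented Windows locations `HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies` and `HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR`; the mode names, labels and function name are this example's own.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
#   -Mode Audit     report both settings (default)
#   -Mode ReadOnly  set WriteProtect = 1 (USB storage mounts read-only)
#   -Mode Block     set USBSTOR Start = 4 (mass-storage driver disabled;
#                   mice and scanners do not use the USBSTOR driver)
param([ValidateSet('Audit', 'ReadOnly', 'Block')][string]$Mode = 'Audit')

# Mode names and labels are this example's own; the key paths are the
# documented Windows locations for these two settings.
$controls = @(
    @{ Mode = 'ReadOnly'; ValueName = 'WriteProtect'; Want = 1
       Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies' },
    @{ Mode = 'Block'; ValueName = 'Start'; Want = 4
       Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' }
)

function Get-UsbStorageControl {
    param([hashtable]$Control)
    $current = $null
    if (Test-Path $Control.Key) {
        $props = Get-ItemProperty -Path $Control.Key -Name $Control.ValueName -ErrorAction SilentlyContinue
        if ($props) { $current = $props.($Control.ValueName) }
    }
    # One row per setting, so the output can be collected across machines.
    [pscustomobject]@{
        Setting   = $Control.ValueName
        Key       = $Control.Key
        Current   = $current
        Wanted    = $Control.Want
        Compliant = ($current -eq $Control.Want)
    }
}

foreach ($c in $controls) {
    if ($Mode -eq $c.Mode) {
        # StorageDevicePolicies does not exist by default, so create it if needed.
        if (-not (Test-Path $c.Key)) { New-Item -Path $c.Key -Force | Out-Null }
        New-ItemProperty -Path $c.Key -Name $c.ValueName -Value $c.Want -PropertyType DWord -Force | Out-Null
    }
    Get-UsbStorageControl $c
}
```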
 

MrDudeMan

Lifer
Jan 15, 2001
15,069
94
91
Originally posted by: AbsolutDealage
Load up regedit, navigate to the following location:

HKLM/System/CurrentControlSet/Enum/USBSTOR

Set the "Start" key to hex "4". I know this works on XP, not sure about 2000.

Also, you can deny the user permissions to the %SystemRoot%\Inf\Usbstor.pnf and %SystemRoot%\Inf\Usbstor.inf files. This will do nothing if the user has previously installed the specific USB key that they are using. You will have to nuke HKLM/System/CurrentControlSet/Enum/USB directory to get rid of the previous definition. Of course, this will nuke any driver definitions for any other connected USB devices.

Assuming that the user is not an administrator, this should work pretty well.

Anyways, I would look at this problem differently. I would try to catch the person in question and have them let go instead of trying to lock down every machine. If the person is persistent enough, there are a million ways to get data out of a system.

If they can't use key drives or email it to themselves, how else would you get it off?
 

f95toli

Golden Member
Nov 21, 2002
1,547
0
0
Depends on what type of info you are trying to protect.
Maybe something as old-fashioned as a camera? Or a camcorder?
This would work for e.g. blueprints.
There are also ways to record the VGA-signal directly.


I agree with AbsolutDealage, if you are really serious about protecting your data you need to employ people you can trust. Blocking USB-memories might help protect you from "stupid user"-problems (virus attacks etc) but it won't help against real industrial espionage if that is what you are trying to stop.
 

AbsolutDealage

Platinum Member
Dec 20, 2002
2,675
0
0
Originally posted by: Bigsm00th
if they cant use key drives or email it to themselves, how else would you get it off?

Are you kidding? CD Burner (if equipped, or usb/scsi external), zip drive (if equipped, or usb/scsi/parallel external), external HDD, crack open the case and temporarily install an internal HDD, floppy sets, email it out using webmail, ftp it to somewhere, VPN in and pull it down locally.... should I continue?
 

SaintTigurius

Senior member
Apr 3, 2003
332
0
0
Thanks for the info guys, I know there are TONS of ways around getting data out of the place,

I am a co-op student here and that's what I was told, so I got to do it. lol
 

VirtualLarry

No Lifer
Aug 25, 2001
56,587
10,227
126
Originally posted by: Peter
The feature was added in XPSP2 for the very reason you stated. Older OS releases no can do, maybe there's 3rd party software that lets you do it.
Pretty sure that at this point, there are some 3rd-party storage-stack filter drivers for controlling USB access, for that very reason (the corp. security risks involved).
 

kranky

Elite Member
Oct 9, 1999
21,020
156
106
Even though locking out thumb drives and burners isn't foolproof, the one good thing about it is that if you DO catch someone, they can't pretend it was an innocent mistake.