- by Chad "The Dream" Weaver
Security in any organization is becoming more and more important, and as all the data we have moves into the digital age, data theft has become a real part of life. We have all seen the stories in the news about the hacks against various organizations. A well thought out and executed IT security plan with regular testing is a great place to start. Those types of attacks and data thefts take skill and an understanding of how many systems work, but there are far more low-tech, very real dangers to data that should be considered. What happens when a disgruntled employee or a contractor connects a USB drive to one of your systems and copies data, or even burns it to a CD and walks out with important information? Remember WikiLeaks? They got the top secret data when a user copied it to a CD and walked out with it.
Locking out the use of USB storage drives is something that should be considered, and I am going to show you how. There are many websites out there that give a quick fix, but I discovered after extensive testing, especially on Windows 7, that the usual procedure is less than effective. The first thing we need to do is lock out the USB storage driver for drives already installed on the system.
The Start value under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor needs to be set to 4.
By default this value is set to 3, which is for enabled. Setting it to 4 will keep all currently installed devices from starting. Now what happens when a new, unique drive is attached to the system? Autorun kicks in and resets this value to 3, and not only will the new drive work, all previously installed drives will work again. This completely defeats the lockout.
We need a way to prevent any new drives from installing while still preventing the old ones from being used. The Microsoft KB article out there states that adding a deny permission to the two files located at c:\windows\inf\, usbstor.inf and usbstor.pnf, will prevent new USB drives from working. I can attest that while this does seem to work on XP systems, it does nothing on Windows 7 PCs; all new drives install without a hitch. The only thing I found that works is renaming the files: once they are renamed, the system cannot find the driver and will fail when attempting to install any USB drive. I created a group policy that sets the required registry key; this works with 2008 domain controllers, but you can create a .reg file to make the change too. As for renaming the driver .inf and .pnf files, a simple script can be created to make that change during login for the users. If you're not sure about changing the settings for your network, call us and we can help you along the way.
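The two controls described above (Start = 4, plus renaming usbstor.inf and usbstor.pnf) and a check for the drift the post warns about, written up as a PowerShell script. This is an added example, not the author's group policy or login script; it assumes it runs elevated (for example as a startup script), that the .inf and .pnf files live in the stock %SystemRoot%\inf location, and the ".disabled" suffix is my choice, not something the post specifies.

```powershell
# Added example (not from the original post): apply the USB storage lockout and audit it.
# Assumes an elevated session; the ".disabled" suffix is an assumption of this example.

$UsbStorKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$InfDir         = Join-Path $env:SystemRoot 'inf'
$DriverFiles    = @('usbstor.inf', 'usbstor.pnf')
$DisabledSuffix = '.disabled'

function Get-UsbStorStart {
    # Current Start value (3 = enabled per the post, 4 = disabled), or $null if the value is missing.
    $item = Get-ItemProperty -Path $UsbStorKey -Name 'Start' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.Start
}

function Disable-UsbStor {
    # Step 1: Start = 4 keeps already-installed USB storage devices from starting.
    Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4 -Type DWord

    # Step 2: rename the driver setup files so a newly attached drive cannot find its driver
    # (the deny-permission approach from the KB article did not hold on Windows 7 per the post).
    foreach ($name in $DriverFiles) {
        $src = Join-Path $InfDir $name
        if (Test-Path -LiteralPath $src) {
            Rename-Item -LiteralPath $src -NewName ($name + $DisabledSuffix) -Force
        }
    }
}

function Test-UsbStorLockout {
    # Audit: $true only if Start is still 4 and neither INF file exists under its original name.
    # This catches the failure mode from the post, where a new drive flips Start back to 3.
    $start = Get-UsbStorStart
    $filesPresent = $DriverFiles | Where-Object { Test-Path -LiteralPath (Join-Path $InfDir $_) }
    return ($start -eq 4) -and (-not $filesPresent)
}

# Usage: apply once, then run the audit at every login to detect drift.
Disable-UsbStor
if (Test-UsbStorLockout) {
    Write-Output 'USB storage lockout in place.'
} else {
    Write-Warning ('USB storage lockout has drifted (Start=' + (Get-UsbStorStart) + '); re-apply and investigate.')
}
```

Test-UsbStorLockout is the part worth scheduling on its own: the post's point is that the registry setting silently reverts, so a periodic check that alerts on Start != 4 or on the .inf reappearing is what turns this from a one-time tweak into something you can rely on. On Windows 7 the files under %SystemRoot%\inf are protected by the system's own ACLs, so the rename may fail unless the script runs with sufficient rights; check the audit result rather than assuming the rename succeeded.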