Many users and organizations are quietly abandoning floppies or CDs as a quick way to move data from computer to computer or store data offline. Instead, they are using solid-state USB "keychain" drives. They're small, lightweight, durable, don't require power and can store up to 1GB or more.
These handy drives are also quickly becoming recognized as a security hazard. Not only can they bring malicious executables into an organization (either deliberately or by accident), but they also can easily be used to transport sensitive data out of an organization. For that reason, many companies are instituting a zero-tolerance policy: no removable drives, especially USB "keychain" drives, are allowed. (In some organizations, this policy has also extended to include Apple's iPod, which can also be used as a mass storage device.)
One way to enforce a ban on removable USB drives is with an administrative template (.ADM) file like the one shown below. This template sets the USBSTOR service to Disabled, which prevents any USB mass-storage device from being mounted and also keeps the service from being started manually. A variant of the same template can prevent 1394/FireWire drives from being mounted by disabling the OHCI1394 service instead of USBSTOR.
Note that this script cannot be used to selectively block USB drives; it's all or nothing. Don't use it if you want to allow some USB drives but prohibit others.
CLASS MACHINE
CATEGORY !!categoryname
  POLICY !!policyname
    ; Start type of the USB mass-storage driver service: 4 = Disabled, 3 = Manual (the Windows default)
    KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
    EXPLAIN !!explaintext
    PART !!labeltext DROPDOWNLIST REQUIRED
      VALUENAME "Start"
      ITEMLIST
        NAME !!Disabled VALUE NUMERIC 4 DEFAULT
        NAME !!Enabled VALUE NUMERIC 3
      END ITEMLIST
    END PART
  END POLICY
END CATEGORY

[strings]
categoryname="Restrict Drives"
policyname="Disable the USB Drive"
explaintext="Disables the computer's USB storage drives completely"
labeltext="Disable USB Drive"
Enabled="Enabled"
Disabled="Disabled"
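Applying the template is only half the job; an administrator will also want to verify that the Start value actually landed on each machine and has not drifted back. The PowerShell audit script below is an added example and is not part of the original tip or the contributed template. It reads the same Start value the template writes, for USBSTOR and for the OHCI1394 service mentioned above, reports whether each driver is currently loaded, and exits non-zero if either is not set to Disabled. The function name Get-RemovableStoragePolicyState and the service list are this example's own choices.

```powershell
# Added example, not from the original tip or its contributor.
# Audits whether the USBSTOR (USB mass storage) and OHCI1394 (FireWire)
# driver services are disabled, i.e. whether the .ADM policy has taken effect.
# Service "Start" values: 0=Boot, 1=System, 2=Automatic, 3=Manual, 4=Disabled.
$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-RemovableStoragePolicyState {
    param(
        # Service names from the tip; extend the list for other storage drivers.
        [string[]]$ServiceNames = @('USBSTOR', 'OHCI1394')
    )
    foreach ($name in $ServiceNames) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path -Path $key)) {
            # Driver was never installed on this machine (e.g. no FireWire controller).
            [pscustomobject]@{ Service = $name; Start = $null; StartName = 'Not installed'; Loaded = $false; Blocked = $true }
            continue
        }
        # This is exactly the value the template's VALUENAME "Start" writes.
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        $startName = 'Unknown'
        if ($null -ne $start -and $StartNames.ContainsKey([int]$start)) { $startName = $StartNames[[int]$start] }
        # Kernel drivers are not returned by Get-Service; Win32_SystemDriver reports them.
        $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $name
            Start     = $start
            StartName = $startName
            Loaded    = [bool]($drv -and $drv.State -eq 'Running')
            Blocked   = ($start -eq 4)
        }
    }
}

# Print the report, then exit non-zero if any listed driver is not disabled, so the
# script can run from a scheduled task or startup script and flag drift from policy.
$state = Get-RemovableStoragePolicyState
$state | Format-Table -AutoSize
if ($state | Where-Object { -not $_.Blocked }) { exit 1 }
```

Two caveats worth keeping in mind when reading the report. First, because the template writes under SYSTEM\CurrentControlSet\Services rather than one of the Software\Policies branches, Group Policy treats it as a preference: the value persists after the GPO is unlinked ("tattooing") and is hidden in the editor unless "Show policies only" is turned off. Second, a local administrator can set Start back to 3 between policy refreshes, and a driver that was already loaded stays loaded until the next reboot, which is why the Loaded column is reported separately from Blocked.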
For more granular control over which devices to allow or block, a commercial program named DeviceLock is one possible solution; a 30-day trial version is available.
Special thanks to Srikanth N. for this script.