Working at a bank, security is always on my mind. When it comes to security, it's best to try to identify potential problems and devise ways to prevent them. One potential problem I identified on our Windows XP PCs was their USB ports. I wanted to devise a way to keep employees from using the USB ports to carry away bank information on high-capacity USB drives.
To prevent this potential security nightmare, I turned to the registry and some code. Listing 1 contains the code that I added to the logon script for each of our PC users. The code uses regedit.exe with the /s parameter (which makes the operation silent) to execute two .reg files: DisableUSBDrive.reg and EnableUSBDrive.reg.
The DisableUSBDrive.reg file, which Figure 1 shows, disables installed USB drives by setting the Start entry to a value of 4 (in hexadecimal format) in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR registry key. This .reg file, though, isn't the only file you need. When you install a USB storage device for the first time, Windows automatically sets the Start entry to a value of 3 (enabled). Thus, in this case, the USB device would remain enabled until the logon script runs again, which means that users would be able to use the USB storage device until they log off. To prevent this scenario, the code also executes EnableUSBDrive.reg, which Figure 2 shows. This .reg file enables the USBSTOR registry key on any machine that doesn't have a USB device installed, so that the DisableUSBDrive.reg file can then disable it, preventing any problems. With this solution, the USB storage devices are disabled on each PC. However, each PC's USB keyboard and mouse are left fully functional, because only the USBSTOR (mass-storage) driver is affected.
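Listing 1 and Figures 1 and 2 are not reproduced on this page, so the following is an added example, not the article's own script: it writes the two .reg files as the article describes them, applies them with the same silent regedit.exe /s calls, and then checks the result with reg.exe. The exact contents of EnableUSBDrive.reg (Start set to 3) and the order of the two calls (Enable first, then Disable) are assumptions based on the text; the file location in %TEMP% is also a choice made for this example.

```batch
@echo off
rem Added example (not the article's Listing 1): reconstructs the two .reg files,
rem applies them silently, and verifies the USBSTOR Start value afterwards.
setlocal
set REGDIR=%TEMP%

rem --- EnableUSBDrive.reg (assumed contents): makes sure the USBSTOR key and its
rem     Start value exist, using 3 (SERVICE_DEMAND_START), the value Windows writes
rem     when a USB storage device is installed for the first time.
> "%REGDIR%\EnableUSBDrive.reg"  echo Windows Registry Editor Version 5.00
>> "%REGDIR%\EnableUSBDrive.reg" echo.
>> "%REGDIR%\EnableUSBDrive.reg" echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
>> "%REGDIR%\EnableUSBDrive.reg" echo "Start"=dword:00000003

rem --- DisableUSBDrive.reg: sets Start to 4 (SERVICE_DISABLED) so the USB
rem     mass-storage driver is never started; HID devices (keyboard, mouse) are
rem     served by other drivers and are not affected.
> "%REGDIR%\DisableUSBDrive.reg"  echo Windows Registry Editor Version 5.00
>> "%REGDIR%\DisableUSBDrive.reg" echo.
>> "%REGDIR%\DisableUSBDrive.reg" echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
>> "%REGDIR%\DisableUSBDrive.reg" echo "Start"=dword:00000004

rem --- Logon script body: the article's two silent regedit calls.
rem     Enable runs first so the key/value always exists; Disable then locks it down.
regedit.exe /s "%REGDIR%\EnableUSBDrive.reg"
regedit.exe /s "%REGDIR%\DisableUSBDrive.reg"

rem --- Check: read back the effective Start value. reg.exe prints
rem     "Start  REG_DWORD  0x4" on success; anything else means the write failed
rem     (typically because the script ran without rights to write under HKLM).
set USBSTART=
for /f "tokens=3" %%v in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start ^| findstr /i "Start"') do set USBSTART=%%v
if /i "%USBSTART%"=="0x4" (
    echo USBSTOR is disabled (Start=%USBSTART%)
) else (
    echo WARNING: USBSTOR Start is "%USBSTART%", expected 0x4
)
endlocal
```

Two points worth checking in a deployment: the HKEY_LOCAL_MACHINE\SYSTEM hive is not writable by a limited user, so a per-user logon script only works if the account has the required rights (otherwise run the same commands as a computer startup script); and the read-back at the end is what tells you whether the control actually took effect on a given PC.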
- Terry Martin