Executive Summary:

Windows Server 2008, Windows Vista, and Windows XP SP2 include three built-in service accounts, Local System, Local Service, and Network Service, and let you create custom service accounts as well. However, it's best to select the least-privilege account that your service needs to run. Windows XP SP2 and later includes the WriteProtect (Reg_DWORD) registry setting, which you can use to prevent users from writing data to their USB storage devices. In addition, Windows Server 2008 and Windows Vista include more options that restrict which devices can be connected to systems and restrict whether users have read and/or write access to their USB storage devices.