Working at a bank, security is always on my mind. When it comes to security, it's best to try to identify potential problems and devise ways to prevent them. One potential problem I identified on our Windows XP PCs was their USB ports. I wanted to devise a way to keep employees from using the USB ports to carry away bank information on high-capacity USB drives.
To prevent this potential security nightmare, I turned to the registry and some code. Listing 1 contains the code that I added to the logon script for each of our PC users. The code uses regedit.exe with the /s parameter (which makes the operation silent) to execute two .reg files: DisableUSBDrive.reg and EnableUSBDrive.reg.
The DisableUSBDrive.reg file, which Figure 1 shows, disables installed USB drives by setting the Start entry to a value of 4 (in hexadecimal format) in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR registry key. This .reg file, though, isn't the only file you need. When you install a USB storage device for the first time, Windows automatically sets the Start entry to a value of 3 (enabled). Thus, in this case, the USB device would remain enabled until the logon script runs again, which means that users would be able to use the USB storage device until they log off. To prevent this scenario, the code executes EnableUSBDrive.reg, which Figure 2 shows. This .reg file enables the USBSTOR registry key on any machine that doesn't have a USB device installed. That way, the DisableUSBDrive.reg file can disable it, preventing any problems. With this solution, the USB storage devices are disabled on each PC. However, each PC's USB keyboard and mouse are left fully functional.
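As an added illustration (my own, not Terry Martin's Listing 1 or Figures 1 and 2, which are not reproduced here), a batch logon script that writes the two .reg files described above and applies them silently with regedit /s, in the order the tip explains; the file location under %SystemRoot%\Temp and the final verification step are my assumptions.

```batch
@echo off
REM Added example: builds the two .reg files the tip describes and applies them.
REM Assumed location for the .reg files (not from the original tip).
set REGDIR=%SystemRoot%\Temp
set KEY=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

REM EnableUSBDrive.reg: Start=3 makes sure the USBSTOR key and value exist
REM (a PC that has never seen a USB drive has nothing to disable yet).
> "%REGDIR%\EnableUSBDrive.reg"  echo Windows Registry Editor Version 5.00
>>"%REGDIR%\EnableUSBDrive.reg"  echo.
>>"%REGDIR%\EnableUSBDrive.reg"  echo [%KEY%]
>>"%REGDIR%\EnableUSBDrive.reg"  echo "Start"=dword:00000003

REM DisableUSBDrive.reg: Start=4 (SERVICE_DISABLED) stops the USB storage
REM driver from loading; keyboards and mice use other drivers, so they keep working.
> "%REGDIR%\DisableUSBDrive.reg" echo Windows Registry Editor Version 5.00
>>"%REGDIR%\DisableUSBDrive.reg" echo.
>>"%REGDIR%\DisableUSBDrive.reg" echo [%KEY%]
>>"%REGDIR%\DisableUSBDrive.reg" echo "Start"=dword:00000004

REM Apply enable first, then disable. /s suppresses the confirmation prompts.
regedit /s "%REGDIR%\EnableUSBDrive.reg"
regedit /s "%REGDIR%\DisableUSBDrive.reg"

REM Verification (assumption: reg.exe is present): warn if Start is not 0x4,
REM e.g. because the script lacked rights to write HKLM.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start | findstr /i "0x4" >nul
if errorlevel 1 echo WARNING: USBSTOR Start is not 4 on %COMPUTERNAME%
```

Writing under HKEY_LOCAL_MACHINE needs administrative rights, so on a locked-down XP account the regedit /s calls fail without any message; running the script as a computer startup script (or under an account with local admin rights) avoids that, and the final check makes a silent failure visible.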
- Terry Martin