Wednesday, September 06, 2006

Securing portable storage devices

With portable storage devices becoming more and more popular, IT staff have had to come up with ways of protecting the sensitive data on their networks from such devices.

Not only are these devices able to store large amounts of data, but they can also carry programs such as browsers, utilities and of course keyloggers or other malicious content. This poses a huge security risk to company data and infrastructure. So how do you protect yourself from such risks? Below I will step through a few workarounds that I have come up with:

  • One way to disable portable storage devices is to disable USB functionality altogether. This can be done in the BIOS (each BIOS is different, so the steps may be different for your machine).
  • Restart your machine. As it reboots it should show "Setup" or "BIOS Config" in the top left or right of the screen; hit the key shown next to that.
  • You may have to search around in some of the menus for "USB Support" or "USB Device"; it can usually be found in the advanced configuration. Set that to Disabled. This will disable any USB device you may have connected to the machine, including printers, keyboards, mice and PDAs.
  • Then you can "Exit and Save".
Of course, as mentioned above, this will make all USB devices cease to function, which may or may not be acceptable in your particular environment. So there is another way around this in Windows.

Since Windows incorporated Plug'n'Play into its operating systems, it has at times been a blessing and at other times a security nightmare. In this case most USB storage devices are installed automatically and don't need administrative privileges to install. One way around that in a corporate environment is to use the policy editor and block all USB devices from being installed. This can also be done in the Active Directory group policy editor.

The problem with this method is how to allow certain devices to work and not others. If you use the policy editor it will apply to certain groups or domain wide. However, if you want certain machines to have the ability to use USB devices but not storage devices, then you can do the following:

  • If no USB storage devices have been used yet, search for the following files:
  • %SystemRoot%\Inf\Usbstor.inf
  • %SystemRoot%\Inf\Usbstor.pnf
  • Once you have located them, set the permissions so that Administrator is set to Allow and Everyone is set to Deny; any other user groups that you don't want installing the device should also be set to Deny.
  • If the storage device has already been installed then you will need to edit the following key in the registry: !Make changes to the registry at your own risk!
  • HKLM\SYSTEM\CurrentControlSet\Services\UsbStor
  • Once you have located the above key, change the hexadecimal value to 4.
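Here is the same two-part procedure (file permissions on the driver .inf/.pnf for machines where no storage device has been installed yet, and the UsbStor service key for machines where one already has) written as a PowerShell script that first reports the current state and then applies the change. This is an added example, not code from the original post. It assumes an elevated PowerShell session on a current Windows release rather than the Windows 2000 machine the post was tested on, and it assumes that the "hexadecimal value" under the UsbStor key is the service's Start entry (4 = disabled), which the post itself does not name. The function names Get-UsbStorState and Set-UsbStorLockdown and the -DenyGroup parameter are my own.

```powershell
# Added example, not from the original post. Run as Administrator; try -WhatIf first.
# Assumption: the post's "hexadecimal value" is the Start value of the UsbStor service (4 = disabled).

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$InfFiles   = @("$env:SystemRoot\Inf\usbstor.inf", "$env:SystemRoot\Inf\usbstor.pnf")

function Get-UsbStorState {
    # Audit only: report the service Start value and whether the chosen group is denied on each file.
    param([string]$DenyGroup = 'Everyone')

    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start
    $files = foreach ($f in $InfFiles) {
        if (-not (Test-Path -LiteralPath $f)) {
            [pscustomobject]@{ File = $f; Exists = $false; GroupDenied = $null }
            continue
        }
        $acl    = Get-Acl -LiteralPath $f
        $denied = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $DenyGroup
        }
        [pscustomobject]@{ File = $f; Exists = $true; GroupDenied = [bool]$denied }
    }
    [pscustomobject]@{
        StartValue      = $start
        ServiceDisabled = ($start -eq 4)   # 4 = SERVICE_DISABLED
        InfFiles        = $files
    }
}

function Set-UsbStorLockdown {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$DenyGroup = 'Everyone')  # the post uses Everyone; see the note below

    # Already-installed devices: disable the UsbStor service by setting Start to 4.
    if ($PSCmdlet.ShouldProcess($UsbStorKey, 'Set Start = 4 (disabled)')) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    }

    # Not-yet-installed devices: Administrators allowed, the chosen group denied on the driver files.
    foreach ($f in $InfFiles) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        if ($PSCmdlet.ShouldProcess($f, "Allow BUILTIN\Administrators, deny $DenyGroup")) {
            $acl = Get-Acl -LiteralPath $f
            $allowAdmins = New-Object System.Security.AccessControl.FileSystemAccessRule(
                'BUILTIN\Administrators', 'FullControl', 'Allow')
            $denyGroupRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $DenyGroup, 'FullControl', 'Deny')
            $acl.AddAccessRule($allowAdmins)
            $acl.AddAccessRule($denyGroupRule)
            Set-Acl -LiteralPath $f -AclObject $acl
        }
    }
}

# Usage: audit, then apply.
Get-UsbStorState | Format-List
Set-UsbStorLockdown -WhatIf
```

Two things to keep in mind when running it. An explicit Deny entry for Everyone also matches members of Administrators, because Windows evaluates Deny entries before Allow entries, so in practice pass a narrower group with -DenyGroup (the post itself suggests denying the specific user groups you do not want installing the device). And the file-permission half targets the driver-installation path of the Windows 2000/XP era that the post describes; on current Windows the service Start value is the part that actually stops USB mass-storage devices from being mounted, and Get-UsbStorState lets you confirm that setting survived a reboot or a policy refresh.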
I have tested the above in a Windows 2000 environment with many different USB keys and it works. Of course one might ask why you would want to allow anyone to install any USB device. Well, when your administrative staff use PDAs, you tend to find ways of being secure while still allowing the people that sign your check the ability to sync their contacts. As always, do adequate testing before implementing anything like this domain wide. If you have any questions, drop me a line.
