Security Watch
8 Ways to Protect USB Usage
Don't let Plug and Play become plug and hack your defenses.
- By Roberta Bragg
- 10/11/2004
I love USB. Today I synchronized my calendar with my PDA; recorded some songs
on my MP3 player; grabbed photos off my digital camera; recovered files from
a travel backup of new work when my hard drive failed; and borrowed data off
someone else's computer via my brand new watch—all with the help of USB-enabled
devices and USB computer ports. In the not-too-distant future I may even be able to boot via USB. Just imagine the convenience for system recovery, installation and so on.
These are the things that bring me joy and nightmares. It's like joining the
sexual revolution and then learning about a new sexually transmitted disease.
As a consumer and small-business owner, I'm benefiting from USB's current ubiquity;
but as a consultant and security evangelist, I recommend that you protect yourself
from the risk of data theft and computer compromise by disabling USB ports wherever
possible. You, however, are going to have to determine at what point the risk
outweighs convenience or business advantage. Here are a few things you can do:
1. Disable USB ports in BIOS, and set a BIOS setup password so that users cannot simply re-enable them.
2. Prevent installation of USB device drivers on Windows XP. If no USB storage device has yet been installed on the computer, assign users or groups Deny permission on the files usbstor.pnf and usbstor.inf, located at %systemroot%\inf. Windows cannot install the USB storage driver without reading these files, so this prevents those users from installing a USB storage device on the computer.
3. Disable the USB storage driver on Windows XP. If a USB storage device has already been installed, set the Start value of the UsbStor service to hexadecimal 4 (disabled; the default is 3, start on demand) in the Registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor. Be sure to make a backup, and use caution whenever editing the Registry.
4. Make devices read-only. XP SP2 lets users read from the USB storage devices they need while preventing anything from being written to them, through the WriteProtect value. Add the DWORD value WriteProtect and set it to hexadecimal 1 under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies; create the StorageDevicePolicies key first if it does not already exist.
5. Don't allow users to be Administrators. Administrators can undo the things
you've done.
6. Purchase read-only USB storage devices or USB-to-device bridges. These devices enforce read-only access in hardware rather than in software. One such device is the U2-ATAWP01 bridge.
7. Purchase software that locks out users from specific USB device types. DeviceLock is one such product, and it can also prevent access to CD-ROMs, FireWire and Bluetooth devices as well as IrDA, serial and LPT ports.
8. Remember that all technical controls are just that. If a user has physical
control of the machine, he can enable hardware. If he has proper permissions,
he can change Registry settings. If he's an administrator, he can change permissions
and uninstall software. This doesn't mean ignore the use of technical controls
but to realize their limits.
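As an added example that is not part of the column, the script below audits and, with -Apply, enforces steps 2 to 4 from an Administrator prompt. It assumes PowerShell 3 or later is installed (the column predates PowerShell; on XP the same edits were made with reg.exe and cacls.exe) and that BUILTIN\Users is the group to lock out; the parameter and function names are mine. One caveat the column does not mention: Microsoft's guidance for the INF/PNF technique in step 2 also denies the local SYSTEM account, because Plug and Play installation runs under it, so add 'NT AUTHORITY\SYSTEM' to -DenyPrincipals if you want that behaviour.

```powershell
# Added example, not from the original column: audit (default) or apply (-Apply)
# the Registry and ACL controls in steps 2-4. Run as Administrator.
param(
    [switch]$Apply,                                   # without -Apply, report only
    [string[]]$DenyPrincipals = @('BUILTIN\Users')    # assumption: who is locked out
)

$usbstorService = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$storagePolicy  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$infFiles       = @("$env:SystemRoot\inf\usbstor.inf", "$env:SystemRoot\inf\usbstor.pnf")

function Get-UsbStorageState {
    # Step 3: Start = 3 means the driver loads on demand; 4 means disabled.
    $start = (Get-ItemProperty -Path $usbstorService -Name Start -ErrorAction SilentlyContinue).Start
    # Step 4: WriteProtect = 1 makes removable storage read-only (XP SP2 and later).
    $wp = (Get-ItemProperty -Path $storagePolicy -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect
    # Step 2: does each INF/PNF carry a Deny ACE for every locked-out principal?
    $denied = foreach ($f in $infFiles) {
        if (-not (Test-Path $f)) { $null; continue }
        $acl = Get-Acl -Path $f
        $missing = $DenyPrincipals | Where-Object { $p = $_; -not ($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $p }) }
        [bool](-not $missing)
    }
    [pscustomobject]@{
        UsbStorStart   = $start     # 4 = driver disabled (step 3)
        WriteProtect   = $wp        # 1 = read-only (step 4)
        InfDenyApplied = $denied    # one $true/$false per INF/PNF file (step 2)
    }
}

function Set-UsbStorageLockdown {
    # Back up the service key first, as the column advises, before editing the Registry.
    $backup = Join-Path $env:TEMP ('usbstor-backup-' + (Get-Date).ToString('yyyyMMdd-HHmmss') + '.reg')
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\UsbStor' $backup | Out-Null

    # Step 3: stop the USB mass-storage driver from loading at all.
    Set-ItemProperty -Path $usbstorService -Name Start -Value 4 -Type DWord

    # Step 4: create the policy key if absent, then make removable storage read-only.
    if (-not (Test-Path $storagePolicy)) { New-Item -Path $storagePolicy -Force | Out-Null }
    Set-ItemProperty -Path $storagePolicy -Name WriteProtect -Value 1 -Type DWord

    # Step 2: Deny ACEs win over Allow, so locked-out users cannot read the INF/PNF
    # and therefore cannot install a new USB storage device.
    foreach ($f in $infFiles) {
        if (-not (Test-Path $f)) { continue }
        $acl = Get-Acl -Path $f
        foreach ($p in $DenyPrincipals) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $p, 'FullControl', 'Deny'
            $acl.AddAccessRule($rule)
        }
        Set-Acl -Path $f -AclObject $acl
    }
}

if ($Apply) { Set-UsbStorageLockdown }
Get-UsbStorageState
```

Run it once without -Apply to record the starting state, then with -Apply; the .reg file written to %TEMP% is what you import to undo step 3. Step 5 still applies: a user who is a local Administrator can remove the Deny ACE and reset both values.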
Finally, create and enforce an acceptable use policy that fits your organization.
Make sure users are required to periodically review and sign that they understand
the policy. An acceptable use policy won't prevent the use of USB devices, but
it does inform users what the policy is, why it exists, and the punishment for
not complying with it. Most users are willing to follow policies they understand.
If there is a violation, though, having a formal acceptable use policy that
is required reading can help support your actions when you discover abuses.
About the Author
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.