Windows Tip Sheet

USB or Not to Be?

Prevent users from exporting confidential info on USB flash drives.

One of the companies I do a lot of work with is a financial services firm, and they’ve made corporate paranoia such a part of their culture for so long, they barely realize that they’re even doing it. For example, one manufacturer refused to sell them PCs without a 3.5-inch floppy built in (this was a while back), so they spent about a month finding a utility that would disable the drives, so that employees couldn’t easily write data to a disk and walk out the building with it. I won’t even tell you what the security on their CD burners looks like.

These USB flash drives, however, have been giving them fits. The things fit on a keychain or in a pocket, hold gobs of data, and work with every computer they’ve got. They can’t just disable the USB ports, either, since they went whole-hog with the USB thing and rely on it for keyboards, mice, scanners, portable tape backup devices, and more. I think they were considering installing microwave blasters in exterior doorways in an attempt to fry the things; fortunately, Microsoft came to the rescue.

Windows XP Service Pack 2 brings relief. It’s got a trick which allows you to mark USB devices as read-only, which means the desktop support guys can still carry little utilities and whatnot on them, but no data can be written to them and carried out of the building. You’ll need to edit the registry to accomplish this, so all the usual registry-editing caveats, warnings, and provisions apply.

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies (create it if it doesn’t exist).

Under that, create a new DWORD value named WriteProtect, and set it to 1. Restart the computer and you’re done. Now, I don’t think this value exists under the ultra-convenient Policies section of the registry, which would allow it to be managed via Group Policy, which seems like a startling omission. Still, it’s not tough to write a logon script in VBScript, KiXtart, or whatever that sets this registry value on any computers you want.
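The registry change described above, as an added PowerShell example (not part of the original column and not the batch file it links to). It audits or sets the value and verifies the result; the `-AuditOnly` switch and the exit codes are assumptions of this example, and it must run elevated (for instance as a computer startup script) because standard users cannot write under HKLM\SYSTEM.

```powershell
# Added example: audit or enforce the WriteProtect value from the tip above.
# Run elevated; a restart is still needed before the setting takes effect.
param(
    [switch]$AuditOnly   # hypothetical switch: report the state, change nothing
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$valueName = 'WriteProtect'
$desired   = 1

function Get-WriteProtectState {
    # Returns the current value, or $null when the key or value is missing.
    if (-not (Test-Path -Path $keyPath)) { return $null }
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$valueName
}

$current = Get-WriteProtectState
if ($current -eq $desired) {
    Write-Output ('{0}: WriteProtect already set to {1}.' -f $env:COMPUTERNAME, $desired)
    exit 0
}

if ($AuditOnly) {
    $shown = if ($null -eq $current) { 'not set' } else { $current }
    Write-Output ('{0}: WriteProtect is {1}; policy not enforced.' -f $env:COMPUTERNAME, $shown)
    exit 1
}

# Fail early with a clear message instead of an access-denied registry error.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'Administrator rights are required to write under HKLM\SYSTEM.'
    exit 2
}

if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
# -Force overwrites an existing WriteProtect value, whatever its current type.
New-ItemProperty -Path $keyPath -Name $valueName -Value $desired -PropertyType DWord -Force | Out-Null

if ((Get-WriteProtectState) -ne $desired) {
    Write-Error 'WriteProtect could not be verified after writing.'
    exit 3
}
Write-Output ('{0}: WriteProtect set to {1}; restart required.' -f $env:COMPUTERNAME, $desired)
```

Running it with `-AuditOnly` across a fleet gives a quick list of machines where the value is missing or has been reset to 0.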

Cool Gadget
Sign your John Hancock in ink or bits.
Speaking of USB flash drives: I know “Pen Drive” is a trademark but the folks at ComputerGear have another take on the idea. They sell an actual ballpoint pen which is a USB flash drive. The bottom part is the pen, and the top part—the cap, basically—pops off and plugs into a USB port. A 256MB unit runs for $99.99 (MSRP), which is definitely a lot, and think of how easily you’ll be able to confuse it with your other ballpoint pens or leave it with your check at a restaurant after signing the bill.

More Resources:

  • Believe it or not, there’s an industry group on USB flash drives. Check them out here.
  • Here’s a complete explanation of the write-protect trick, and a batch file that’ll do it for you on multiple computers.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.
