Security Watch

8 Ways to Protect USB Usage

Don't let Plug and Play become plug and hack your defenses.

I love USB. Today I synchronized my calendar with my PDA; recorded some songs on my MP3 player; grabbed photos off my digital camera; recovered files from a travel backup of new work when my hard drive failed; and borrowed data off someone else's computer via my brand new watch—all with the help of USB-enabled devices and USB computer ports. In the not-too-distant future I may even be able to boot via USB. Just imagine the convenience for system recovery, installation and so on.

These are the things that bring me joy and nightmares. It's like joining the sexual revolution and then learning about a new sexually transmitted disease. As a consumer and small-business owner, I'm benefiting from USB's current ubiquity; but as a consultant and security evangelist, I recommend that you protect yourself from the risk of data theft and computer compromise by disabling USB ports wherever possible. You, however, are going to have to determine at what point the risk outweighs convenience or business advantage. Here are a few things you can do:

1. Disable USB ports in BIOS.

2. Prevent installation of USB device drivers on Windows XP. If no USB storage device is installed on the computer, assign users or groups Deny permission on the files usbstor.pnf and usbstor.inf, located at %systemroot%\inf. Doing so will prevent users from installing a USB storage device on the computer.

3. Disable the use of installed USB devices on Windows XP. If a device is installed, set its Start value to hexadecimal 4 in the Registry at
Be sure to make a backup, and use caution whenever editing the Registry.

4. Make devices read-only. XP SP2 allows you to give read access on USB devices requiring it, while also preventing data from being written, through the WriteProtect value. You'll need to add the DWORD value and set it to hexadecimal 1. Add the value to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies key.

5. Don't allow users to be Administrators. Administrators can undo the things you've done.

6. Purchase read-only USB storage devices or USB-to-device bridges. These devices enforce read-only access over USB in hardware. One such device is the U2-ATAWP01 bridge.

7. Purchase software that locks out users from specific USB device types. DeviceLock is one such product, and it can also prevent access to CD-ROMs, FireWire and Bluetooth devices as well as IRDA, serial and LPT ports.

8. Remember that all technical controls are just that. If a user has physical control of the machine, he can enable hardware. If he has proper permissions, he can change Registry settings. If he's an administrator, he can change permissions and uninstall software. This doesn't mean you should ignore technical controls; it means you should recognize their limits.
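As an added example (not part of the column), here is a PowerShell script that audits and applies the Registry and file-permission controls from steps 2 through 4. It assumes HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR is the service key step 3 refers to, since the column omits the path, and it must be run from an elevated prompt.

```powershell
# Added example, not from the column: audit the USB controls from steps 2-4
# and apply the step-4 WriteProtect setting. Run elevated; back up the Registry first.
$policyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'   # step 4 key
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'                  # assumed step-3 key
$infFiles   = @("$env:SystemRoot\inf\usbstor.inf", "$env:SystemRoot\inf\usbstor.pnf")

function Get-UsbControlStatus {
    # Returns one object saying whether each control is currently in place.
    $wp    = (Get-ItemProperty -Path $policyKey  -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect
    $start = (Get-ItemProperty -Path $usbstorKey -Name Start        -ErrorAction SilentlyContinue).Start
    $denies = foreach ($f in $infFiles) {
        if (Test-Path $f) {
            # Step 2: list every Deny ACE on the driver setup files
            (Get-Acl $f).Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
                ForEach-Object { "$f : $($_.IdentityReference)" }
        }
    }
    [pscustomobject]@{
        WriteProtectEnabled = ($wp -eq 1)               # step 4: WriteProtect = 1
        UsbStorDisabled     = ($start -eq 4)            # step 3: Start = 4 (disabled)
        DriverInstallDenied = (@($denies).Count -gt 0)  # step 2: Deny ACE present
        DenyEntries         = @($denies)
    }
}

function Set-UsbWriteProtect {
    # Step 4: create the StorageDevicePolicies key if needed and set the DWORD.
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Disable)   # -Disable sets the value back to 0
    $value = if ($Disable) { 0 } else { 1 }
    if ($PSCmdlet.ShouldProcess($policyKey, "Set WriteProtect=$value")) {
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        Set-ItemProperty -Path $policyKey -Name WriteProtect -Value $value -Type DWord
    }
}

# Usage: show the current state, then apply write protection.
Get-UsbControlStatus | Format-List
Set-UsbWriteProtect -WhatIf
```

A WriteProtect change takes effect for devices plugged in after the value is set; already-mounted volumes should be rechecked with Get-UsbControlStatus after a reconnect.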

Finally, create and enforce an acceptable use policy that fits your organization. Make sure users are required to periodically review and sign that they understand the policy. An acceptable use policy won't prevent the use of USB devices, but it does inform users what the policy is, why it exists, and the punishment for not complying with it. Most users are willing to follow policies they understand. If there is a violation, though, having a formal acceptable use policy that is required reading can help support your actions when you discover abuses.

About the Author

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.
