Windows Tip Sheet

USB or Not to Be?

Prevent users from exporting confidential info on USB flash drives.

One of the companies I do a lot of work with is a financial services firm, and they’ve made corporate paranoia such a part of their culture for so long, they barely realize that they’re even doing it. For example, one manufacturer refused to sell them PCs without a 3.5-inch floppy built in (this was a while back), so they spent about a month finding a utility that would disable the drives, so that employees couldn’t easily write data to a disk and walk out the building with it. I won’t even tell you what the security on their CD burners looks like.

These USB flash drives, however, have been giving them fits. The things fit on a keychain or in a pocket, hold gobs of data, and work with every computer they’ve got. They can’t just disable the USB ports, either, since they went whole-hog with the USB thing and rely on it for keyboards, mice, scanners, portable tape backup devices, and more. I think they were considering installing microwave blasters in exterior doorways in an attempt to fry the things; fortunately, Microsoft came to the rescue.

Windows XP Service Pack 2 brings relief. It’s got a trick which allows you to mark USB devices as read-only, which means the desktop support guys can still carry little utilities and whatnot on them, but no data can be written to them and carried out of the building. You’ll need to edit the registry to accomplish this, so all the usual registry-editing caveats, warnings, and provisions apply.

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
StorageDevicePolicies
(create it if it doesn’t exist).

Under that, create a new DWORD value named WriteProtect, and set it to 1. Restart the computer and you’re done. Now, I don’t think this value exists under the ultra-convenient Policies section of the registry, which would allow it to be managed via Group Policy, which seems like a startling omission. Still, it’s not tough to write a logon script in VBScript, KiXtart, or whatever that sets this registry value on any computers you want.

Cool Gadget
SoapBox Server 2005
[Click on image for larger view.]
Sign your John Hancock in ink or bits.
Speaking of USB flash drives: I know “Pen Drive” is a trademark but the folks at ComputerGear have another take on the idea. They sell an actual ballpoint pen which is a USB flash drive. The bottom part is the pen, and the top part—the cap, basically—pops off and plugs into a USB port. A 256MB unit runs for $99.99 (MSRP), which is definitely a lot, and think of how easily you’ll be able to confuse it with your other ballpoint pens or leave it with your check at a restaurant after signing the bill.

More Resources:

  • Believe it or not, there’s an industry group on USB flash drives. Check them out here.
  • Here’s a complete explanation of the write-protect trick, and a batch file that’ll do it for you on multiple computers.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.

comments powered by Disqus
Most   Popular

SharePoint Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.