Windows Tip Sheet
USB or Not to Be?
Prevent users from exporting confidential info on USB flash drives.
One of the companies I do a lot of work with is a financial services firm,
and they’ve made corporate paranoia such a part of their culture for so
long, they barely realize that they’re even doing it. For example, one
manufacturer refused to sell them PCs without a 3.5-inch floppy built in (this
was a while back), so they spent about a month finding a utility that would
disable the drives, so that employees couldn’t easily write data to a
disk and walk out the building with it. I won’t even tell you what the
security on their CD burners looks like.
These USB flash drives, however, have been giving them fits. The things fit
on a keychain or in a pocket, hold gobs of data, and work with every computer
they’ve got. They can’t just disable the USB ports, either, since
they went whole-hog with the USB thing and rely on it for keyboards, mice, scanners,
portable tape backup devices, and more. I think they were considering installing
microwave blasters in exterior doorways in an attempt to fry the things; fortunately,
Microsoft came to the rescue.
Windows XP Service Pack 2 brings relief. It’s got a trick which allows
you to mark USB devices as read-only, which means the desktop support guys can
still carry little utilities and whatnot on them, but no data can be written
to them and carried out of the building. You’ll need to edit the registry
to accomplish this, so all the usual registry-editing caveats, warnings, and
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
(create it if it doesn’t exist).
Under that, create a new DWORD value named WriteProtect,
and set it to 1. Restart the computer and you’re
done. Now, I don’t think this value exists under the ultra-convenient
Policies section of the registry, which would allow it to be managed via Group
Policy, which seems like a startling omission. Still, it’s not tough to
write a logon script in VBScript, KiXtart, or whatever that sets this registry
value on any computers you want.
Speaking of USB flash drives: I know “Pen Drive”
is a trademark but the folks at ComputerGear have another take
on the idea. They sell an actual ballpoint pen which is a USB
flash drive. The bottom part is the pen, and the top part—the
cap, basically—pops off and plugs into a USB port. A 256MB
unit runs for $99.99 (MSRP), which is definitely
a lot, and think of how easily you’ll be able to confuse
it with your other ballpoint pens or leave it with your check
at a restaurant after signing the bill.
[Click on image for larger view.]
|Sign your John Hancock in
ink or bits.
- Believe it or not, there’s an industry group on USB flash drives.
Check them out here.
a complete explanation of the write-protect trick, and a batch file that’ll
do it for you on multiple computers.
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.