Protect the USB storage device
To disable only write access to USB storage devices (XP SP2 and above only!), set:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies
add:
DWORD: WriteProtect=1
To disable the write protection, remove the DWORD value or set it to 0 (zero).
Preventing your USB drive from auto-infecting
Even if the computer is protected, the drive could still become infected on other computers and have a malicious autorun.inf and related files added to it. There are two ways to deal with this:
1) Use the following bat file to protect or unprotect your USB drive. The embedded instructions assume you named this file usbarpro.bat
@echo off
cls
if [%1]==[p] goto prot-prot
if [%1]==[P] goto prot-prot
if [%1]==[u] goto prot-unprot
if [%1]==[U] goto prot-unprot
::above - check protect or unprotect
goto prot-about
:prot-prot
if exist %2:\autorun.inf goto prot-bad
::file already exists - break out
md %2:\autorun.inf
::make dir
md \\.\%2:\autorun.inf\CON
::make illegal file names below
echo www.kalman.co.il>\\.\%2:\autorun.inf\CON\PRN
echo www.kalman.co.il>\\.\%2:\autorun.inf\LPT1
echo www.kalman.co.il>\\.\%2:\autorun.inf\LPT2
::change directory attributes
attrib +s +h +r %2:\autorun.inf
::for ntfs file systems remove everyones rights
echo y|cacls %2:\autorun.inf /t /c /d system >nul
cls
echo y|cacls %2:\autorun.inf /t /c /e /r system >nul
cls
echo Protection activated on drive %2:
goto prot-end
:prot-unprot
echo y|cacls %2:\autorun.inf /t /c /g %username%:f >nul
cls
attrib -s -h -r %2:\autorun.inf
del \\.\%2:\autorun.inf\CON\PRN
rd \\.\%2:\autorun.inf\CON
del \\.\%2:\autorun.inf\LPT1
del \\.\%2:\autorun.inf\LPT2
rd %2:\autorun.inf
echo Protection removed from drive %2:
goto prot-end
:prot-bad
echo Autorun.inf file/directory already exist on drive %2: - Please remove it first!
echo You can also try running this tool with the unprotect option.
echo.
:prot-about
echo Syntax:
echo.
echo To Protect drive E: usbarpro p e
echo To Unprotect drive E: usbarpro u e
echo.
echo DO *NOT* TYPE A COLON AFTER THE DRIVE LETTER!!
echo.
:prot-end
echo.
echo.
echo USB Autorun Protect Tool V1.2 - Protect the storage device (FAT/FAT32/NTFS)
echo (C) All Rights Reserved - Erez Kalman - www.kalman.co.il
echo Free for use and distribution, may not be sold/modified in any way!
echo.
echo.
echo on
Note: This USB Security tool (free and open source) bat file is available as a download from the author's site (http://www.kalman.co.il/file-cabinet/usbarpro_v_1_2.rar?attredirects=0)
2) Panda security tool - This tool does NOT allow protection to be removed without formatting the storage device, unlike the first tool.
Blocking USB storage devices
If this is a new system with no USB storage device ever connected:
Set deny permissions for the user/s and/or group/s to:
%SystemRoot%\Inf\Usbstor.pnf
%SystemRoot%\Inf\Usbstor.inf
It is highly recommended to rename the files before changing permissions.
If you aren't sure or know a USB storage device was previously connected:
Either run this on the machine or do what it does, change:
Disabling autorun (autorun.inf) from being run by your computer
IMPORTANT!! Read this page by US-CERT: Systems must have KB953252 (Vista/2008) or KB967715.
If you do not have the KB on all systems, update them and/or use the following method recommended by US-CERT. Create a .reg file with:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
It is critical to restart the system after updating the registry or deleting the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
If the systems have the KB, you can use the official Microsoft method for disabling autorun.
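To confirm that the registry settings above are actually in place, and to see whether a drive carries an autorun.inf file or the directory placeholder made by usbarpro, a read-only check can help. This is an added example, not part of the original article or of the usbarpro tool. The function names are illustrative, drive letter E is an assumption, and it needs PowerShell 3.0 or later.

```powershell
# Added example (not from the original article). Read-only: it changes nothing.
# Get-RegValue and Test-UsbHardening are illustrative names.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is missing.
    # An empty $Name reads the key's default (@) value.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) }
}

function Test-UsbHardening {
    param([string]$DriveLetter)   # optional, without a colon, e.g. E

    # WriteProtect=1 under StorageDevicePolicies makes USB storage read-only.
    $wp = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies' 'WriteProtect'

    # The US-CERT method maps Autorun.inf to a non-existent location.
    $map = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf' ''

    $result = [ordered]@{
        UsbWriteProtect   = ($wp -eq 1)
        AutorunInfIgnored = ($map -eq '@SYS:DoesNotExist')
    }

    if ($DriveLetter) {
        $p = "${DriveLetter}:\autorun.inf"
        # A directory with this name blocks creation of an autorun.inf file;
        # a regular file is what malware would drop and should be inspected.
        $state = if ([System.IO.Directory]::Exists($p)) { 'directory (usbarpro-style placeholder)' }
                 elseif ([System.IO.File]::Exists($p)) { 'file (inspect before trusting the drive)' }
                 else { 'absent (a file can still be dropped here)' }
        $result.AutorunInfOnDrive = $state
    }

    [pscustomobject]$result
}

# Assumed drive letter; omit -DriveLetter to check the registry settings only.
Test-UsbHardening -DriveLetter 'E'
```

A value of False for AutorunInfIgnored on a system without the KB updates means autorun.inf files are still parsed there.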
Conficker / Downad virus
You can visit www.kalman.co.il/conficker_downad to use the "eye chart" and see if your computer is infected.
To clean your computer, use the McAfee STINGER tool; to scan your network, use the McAfee Conficker detection tool.
Remember - ALL computers must be patched, especially with Microsoft patch MS08-67