USB Security under Microsoft Windows

Published:
Protect the USB storage device
To disable write access only to USB storage devices (XP SP2 and above only!) set:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies
                      
                      add:
                      
                      DWORD: WriteProtect=1

Open in new window

To disable remove the DWORD value or set it to 0 (zero).

Preventing your USB drive from auto-infecting
Even if the computer is protected it could still become infected on other computers and have a malware autorun.inf and related files added to it, there are two ways to deal with it:

1) Use the following bat file to protect or unprotect your USB drive.  The imbedded instructions assume you named this file usbarpro.bat
@echo off
                      cls
                      if [%1]==[p] goto prot-prot
                      if [%1]==[P] goto prot-prot
                      if [%1]==[u] goto prot-unprot
                      if [%1]==[U] goto prot-unprot
                      ::above - check protect or unprotect
                      goto prot-about
                      :prot-prot
                      if exist %2:\autorun.inf goto prot-bad
                      ::file already exists - break out
                      md %2:\autorun.inf
                      ::make dir
                      md \\.\%2:\autorun.inf\CON
                      ::make illegal file names below
                      echo www.kalman.co.il>\\.\%2:\autorun.inf\CON\PRN
                      echo www.kalman.co.il>\\.\%2:\autorun.inf\LPT1
                      echo www.kalman.co.il>\\.\%2:\autorun.inf\LPT2
                      ::change directory attributes
                      attrib +s +h +r %2:\autorun.inf
                      ::for ntfs file systems remove everyones rights
                      echo y|cacls %2:\autorun.inf /t /c /d system >nul
                      cls
                      echo y|cacls %2:\autorun.inf /t /c /e /r system >nul
                      cls
                      echo Protection activated on drive %2:
                      goto prot-end
                      :prot-unprot
                      echo y|cacls %2:\autorun.inf /t /c /g %username%:f >nul
                      cls
                      attrib -s -h -r %2:\autorun.inf
                      del \\.\%2:\autorun.inf\CON\PRN
                      rd \\.\%2:\autorun.inf\CON
                      del \\.\%2:\autorun.inf\LPT1
                      del \\.\%2:\autorun.inf\LPT2
                      rd %2:\autorun.inf
                      echo Protection removed from drive %2:
                      goto prot-end
                      :prot-bad
                      echo Autorun.inf file/directory already exist on drive %2: - Please remove it first!
                      echo You can also try running this tool with the unprotect option.
                      echo.
                      :prot-about
                      echo Syntax:
                      echo.
                      echo To Protect drive E:	usbarpro p e
                      echo To Unprotect drive E:	usbarpro u e
                      echo.
                      echo DO *NOT* TYPE A COLON AFTER THE DRIVE LETTER!!
                      echo.
                      :prot-end
                      echo.
                      echo.
                      echo USB Autorun Protect Tool V1.2 - Protect the storage device (FAT/FAT32/NTFS)
                      echo (C) All Rights Reserved - Erez Kalman - www.kalman.co.il
                      echo Free for use and distribution, may not be sold/modified in any way!
                      echo.
                      echo.
                      echo on

Open in new window

Note: This USB Security tool (free and open source) bat file is available as a download from the author's site (http://www.kalman.co.il/file-cabinet/usbarpro_v_1_2.rar?attredirects=0)

2) Panda security tool - This tool does NOT allow protection to be removed without fromatting the storage device, unlike the first tool.

Blocking USB storage devices
If this is a new system with no USB storage device ever connected:

Set deny permissions for the user/s and/or group/s to:
%SystemRoot%\Inf\Usbstor.pnf
%SystemRoot%\Inf\Usbstor.inf
It is highly recommended to rename the file names before changing
permissions.

If you aren't sure or know a USB storage device was previously connected:

Either run this on the machine or do what it does, change:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
                      Key: Start
                      
                      To: 4 (Hex)

Open in new window

Disabling autorun (autorun.inf) from being run by your computer
IMPORTANT!! Read this page by US-CERT: Systems must have KB953252 (Vista/2008) or KB967715.
If you do not have the KB on all systems, update them and/or use the following method recommended by US-CERT, create a .reg file with:
REGEDIT4
                      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
                      @="@SYS:DoesNotExist"

Open in new window

It is critical to restart the system after updating the registry or deleting the registry key:
     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

If they have the KB then you can use the official Microsoft method for disabling autorun.

Conficker / Downad virus
You can visit www.kalman.co.il/conficker_downad to use the "eye chart" and see if your computer is infected.
To clean your computer use the McAfee STINGER tool, to scan your network use the McAfee Conficker detection tool.
Remember - ALL computers must be patched, especially with Microsoft patch MS08-67
1
4,401 Views

Comments (0)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.