
USB Security under Microsoft Windows

Protect the USB storage device
To disable only write access to USB storage devices (XP SP2 and above only!), under the key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies

add:

DWORD: WriteProtect=1

To disable write protection, remove the DWORD value or set it to 0 (zero).

Preventing your USB drive from auto-infecting
Even if your computer is protected, the drive could still become infected on other computers and have a malicious autorun.inf and related files added to it. There are two ways to deal with this:

1) Use the following bat file to protect or unprotect your USB drive. The embedded instructions assume you named this file usbarpro.bat
@echo off
cls
if [%1]==[p] goto prot-prot
if [%1]==[P] goto prot-prot
if [%1]==[u] goto prot-unprot
if [%1]==[U] goto prot-unprot
::above - check protect or unprotect
goto prot-about
:prot-prot
if exist %2:\autorun.inf goto prot-bad
::file already exists - break out
md %2:\autorun.inf
::make dir
md \\.\%2:\autorun.inf\CON
::make illegal file names below
echo www.kalman.co.il>\\.\%2:\autorun.inf\CON\PRN
echo www.kalman.co.il>\\.\%2:\autorun.inf\LPT1
echo www.kalman.co.il>\\.\%2:\autorun.inf\LPT2
::change directory attributes
attrib +s +h +r %2:\autorun.inf
::for ntfs file systems remove everyones rights
echo y|cacls %2:\autorun.inf /t /c /d system >nul
cls
echo y|cacls %2:\autorun.inf /t /c /e /r system >nul
cls
echo Protection activated on drive %2:
goto prot-end
:prot-unprot
echo y|cacls %2:\autorun.inf /t /c /g %username%:f >nul
cls
attrib -s -h -r %2:\autorun.inf
del \\.\%2:\autorun.inf\CON\PRN
rd \\.\%2:\autorun.inf\CON
del \\.\%2:\autorun.inf\LPT1
del \\.\%2:\autorun.inf\LPT2
rd %2:\autorun.inf
echo Protection removed from drive %2:
goto prot-end
:prot-bad
echo Autorun.inf file/directory already exist on drive %2: - Please remove it first!
echo You can also try running this tool with the unprotect option.
echo.
:prot-about
echo Syntax:
echo.
echo To Protect drive E:	usbarpro p e
echo To Unprotect drive E:	usbarpro u e
echo.
echo DO *NOT* TYPE A COLON AFTER THE DRIVE LETTER!!
echo.
:prot-end
echo.
echo.
echo USB Autorun Protect Tool V1.2 - Protect the storage device (FAT/FAT32/NTFS)
echo (C) All Rights Reserved - Erez Kalman - www.kalman.co.il
echo Free for use and distribution, may not be sold/modified in any way!
echo.
echo.
echo on

Note: This USB Security tool (free and open source) bat file is available as a download from the author's site (http://www.kalman.co.il/file-cabinet/usbarpro_v_1_2.rar?attredirects=0)

2) Panda security tool - Unlike the first tool, this tool does NOT allow protection to be removed without formatting the storage device.

Blocking USB storage devices
If this is a new system with no USB storage device ever connected:

Set deny permissions for the user(s) and/or group(s) on:
%SystemRoot%\Inf\Usbstor.pnf
%SystemRoot%\Inf\Usbstor.inf
It is highly recommended to rename the files before changing permissions.

If you aren't sure or know a USB storage device was previously connected:

Either run this on the machine or do manually what it does. Change:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
Value: Start

To: 4 (Hex)

Disabling autorun (autorun.inf) from being run by your computer
IMPORTANT!! Read this page by US-CERT: Systems must have KB953252 (Vista/2008) or KB967715.
If you do not have the KB on all systems, update them and/or use the following method recommended by US-CERT. Create a .reg file with:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

It is critical to restart the system after updating the registry or deleting the registry key:
     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

If the systems have the KB, you can use the official Microsoft method for disabling autorun.
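
The registry settings described above (WriteProtect, the UsbStor Start value and the Autorun.inf IniFileMapping entry) can be verified on a machine with a read-only audit. The PowerShell function below is an added example, not part of the original article or the author's tool; the function name Get-UsbHardeningStatus and its output columns are assumptions.

```powershell
# Added example (not from the original article): read-only audit of the
# registry settings described above. Function name and output columns are
# hypothetical. Nothing is written to the registry.
function Get-UsbHardeningStatus {
    $checks = @(
        @{ Check    = 'USB storage is write-protected'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
           Name     = 'WriteProtect'
           Expected = 1 },
        @{ Check    = 'USB storage driver is disabled'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
           Name     = 'Start'
           Expected = 4 },
        @{ Check    = 'autorun.inf is never read from disk'
           Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
           Name     = ''      # empty name = the key's default (@) value
           Expected = '@SYS:DoesNotExist' }
    )
    foreach ($c in $checks) {
        $actual = $null
        # A missing key and a missing value both mean "setting not applied".
        if (Test-Path -LiteralPath $c.Path) {
            $actual = (Get-Item -LiteralPath $c.Path).GetValue($c.Name, $null)
        }
        [pscustomobject]@{
            Check     = $c.Check
            Expected  = $c.Expected
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Compliant = ($null -ne $actual) -and ($actual -eq $c.Expected)
        }
    }
}

Get-UsbHardeningStatus | Format-Table -AutoSize
```

Write protection and disabling the UsbStor driver are separate policies, so a False result on one of those two rows is expected if you deliberately applied only the other.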

Conficker / Downad virus
You can visit www.kalman.co.il/conficker_downad to use the "eye chart" and see if your computer is infected.
To clean your computer, use the McAfee STINGER tool; to scan your network, use the McAfee Conficker detection tool.
Remember - ALL computers must be patched, especially with Microsoft patch MS08-67.
Author:kaerez