USB Security under Microsoft Windows

Protect the USB storage device
To disable only write access to USB storage devices (XP SP2 and above only!), open the key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies

add:

DWORD: WriteProtect=1

To disable the write protection, remove the DWORD value or set it to 0 (zero).

Preventing your USB drive from auto-infecting
Even if your computer is protected, the USB drive could still become infected on other computers and have a malicious autorun.inf and related files added to it. There are two ways to deal with this:

1) Use the following bat file to protect or unprotect your USB drive. The embedded instructions assume you named this file usbarpro.bat
@echo off
cls
if [%1]==[p] goto prot-prot
if [%1]==[P] goto prot-prot
if [%1]==[u] goto prot-unprot
if [%1]==[U] goto prot-unprot
::above - check protect or unprotect
goto prot-about
:prot-prot
if exist %2:\autorun.inf goto prot-bad
::file already exists - break out
md %2:\autorun.inf
::make dir
md \\.\%2:\autorun.inf\CON
::make illegal file names below
echo www.kalman.co.il>\\.\%2:\autorun.inf\CON\PRN
echo www.kalman.co.il>\\.\%2:\autorun.inf\LPT1
echo www.kalman.co.il>\\.\%2:\autorun.inf\LPT2
::change directory attributes
attrib +s +h +r %2:\autorun.inf
::for ntfs file systems remove everyones rights
echo y|cacls %2:\autorun.inf /t /c /d system >nul
cls
echo y|cacls %2:\autorun.inf /t /c /e /r system >nul
cls
echo Protection activated on drive %2:
goto prot-end
:prot-unprot
echo y|cacls %2:\autorun.inf /t /c /g %username%:f >nul
cls
attrib -s -h -r %2:\autorun.inf
del \\.\%2:\autorun.inf\CON\PRN
rd \\.\%2:\autorun.inf\CON
del \\.\%2:\autorun.inf\LPT1
del \\.\%2:\autorun.inf\LPT2
rd %2:\autorun.inf
echo Protection removed from drive %2:
goto prot-end
:prot-bad
echo Autorun.inf file/directory already exist on drive %2: - Please remove it first!
echo You can also try running this tool with the unprotect option.
echo.
:prot-about
echo Syntax:
echo.
echo To Protect drive E:	usbarpro p e
echo To Unprotect drive E:	usbarpro u e
echo.
echo DO *NOT* TYPE A COLON AFTER THE DRIVE LETTER!!
echo.
:prot-end
echo.
echo.
echo USB Autorun Protect Tool V1.2 - Protect the storage device (FAT/FAT32/NTFS)
echo (C) All Rights Reserved - Erez Kalman - www.kalman.co.il
echo Free for use and distribution, may not be sold/modified in any way!
echo.
echo.
echo on

Note: This USB Security tool (free and open source) bat file is available as a download from the author's site (http://www.kalman.co.il/file-cabinet/usbarpro_v_1_2.rar?attredirects=0)

2) Panda security tool - Unlike the first tool, this tool does NOT allow protection to be removed without formatting the storage device.

Blocking USB storage devices
If this is a new system with no USB storage device ever connected:

Set deny permissions for the user(s) and/or group(s) on:
%SystemRoot%\Inf\Usbstor.pnf
%SystemRoot%\Inf\Usbstor.inf
It is highly recommended to rename the files before changing permissions.

If you aren't sure, or you know that a USB storage device was previously connected:

Either run this on the machine or do what it does by hand. Change:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
Value: Start

To: 4 (Hex)

Disabling autorun (autorun.inf) from being run by your computer
IMPORTANT!! Read this page by US-CERT: Systems must have KB953252 (Vista/2008) or KB967715.
If you do not have the KB on all systems, update them and/or use the following method recommended by US-CERT. Create a .reg file with:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

It is critical to restart the system after updating the registry or deleting the registry key:
     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

If the systems have the KB, you can use the official Microsoft method for disabling autorun.
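
To verify that the registry settings from the sections above (WriteProtect, the UsbStor Start value and the Autorun.inf IniFileMapping entry) are actually in place on a machine, a read-only check like the following can be used. This is an added example, not part of the original article or the author's tool; the function name Get-RegValue and the $checks table are names chosen for this example.

```powershell
# Added example: read-only audit of the registry settings described in this article.
# Get-RegValue and $checks are names chosen for this example, not part of any tool.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the named value is missing.
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return $prop.Value
}

# One entry per setting from the article: key, value name, and the hardened value.
$checks = @(
    @{ Setting  = 'USB storage is write-protected'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
       Name     = 'WriteProtect'
       Expected = 1 },
    @{ Setting  = 'USB storage driver is disabled'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
       Name     = 'Start'
       Expected = 4 },
    @{ Setting  = 'autorun.inf is mapped to DoesNotExist'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
       Name     = '(default)'   # the key's default (@) value
       Expected = '@SYS:DoesNotExist' }
)

$report = foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Name
    $shown  = if ($null -eq $actual) { '<not set>' } else { $actual }
    [pscustomobject]@{
        Setting  = $c.Setting
        Expected = $c.Expected
        Actual   = $shown
        Applied  = ($null -ne $actual) -and ($actual -eq $c.Expected)
    }
}

# Any row with Applied = False is a setting from the article that is missing here.
$report | Format-Table -AutoSize
```

The script only reads HKEY_LOCAL_MACHINE and changes nothing, so it can be run repeatedly, for example after a reboot, to confirm the settings persisted.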

Conficker / Downad virus
You can visit www.kalman.co.il/conficker_downad to use the "eye chart" and see if your computer is infected.
To clean your computer, use the McAfee STINGER tool. To scan your network, use the McAfee Conficker detection tool.
Remember - ALL computers must be patched, especially with Microsoft patch MS08-067.
Author: kaerez