73 Comments
- ccanni1028, on 10/12/2007, -0/+16 Them making the simple program for it can be very useful, but I have one question. Will this program run off of a flash drive?
- pt4117, on 10/12/2007, -0/+9 Plus, who keeps sensitive data on a public machine?
- halc5s, on 10/12/2007, -0/+9 You can also make them read-only in the event that you use them, but don't want people to steal data.
http://thelazyadmin.com/index.php?/archives/108-Disable-Write-Access-to-Removable-Storage-Devices.html
- deepsub, on 10/12/2007, -0/+8 How is this perfect for public machines? Most people that I know carry around USB sticks to plug into public machines so they can access their files w/o storing them on said machine.
- tazamore, on 10/12/2007, -0/+7 Now you just need to make sure the user can't edit the registry:
http://www.jsifaq.com/SUBA/tip0100/rh0119.htm
...but there's ways around that too:
http://www.icpug.org.uk/national/features/030607fe.htm
- dnthomps, on 10/12/2007, -0/+6 Yeah... my work seems to have got ahold of this.
- tazamore, on 10/12/2007, -2/+8 Reminds me of a prank: unplug target device, paint clear nail polish on the prongs of electrical plug, allow to dry, plug back in, watch confused device owner try to power it back on.
- inactive, on 10/12/2007, -4/+10 Proginoskes, I've found a foolproof way to get BT working on any XP SP2 machine. If you want the link, I'll put it here later on when I find it. It's actually a post I made on the MSI forum so you could check that out, if you want. http://forum.msi.com.tw
- jfence, on 10/12/2007, -6/+11 Ok.. but what if you want to enable only USB storage, but disable any other USB devices?
- adml_shake, on 10/12/2007, -0/+5 That's fine and dandy assuming that your boss is someone who can remember his password. My boss on the other hand had to have his limit set higher before his account was locked out because he couldn't ever seem to remember if his password was his wife's name or one of his hundred girls on the side he seemed to have......
- Petronski, on 10/12/2007, -1/+6 Too bad there aren't three choices:
Read/write
Read only
Disable
- YourTechSupport, on 10/12/2007, -2/+7 Easiest and fastest way to steal corporate info and employee data is to just steal the laptop of the highest ranking idiot you can find.
- nealibob, on 10/12/2007, -1/+5 Yes but the storage device needs the USB mass storage drivers to work, which are supposedly disabled here.
If I tell my gasoline engine that I'm giving it gasoline and put diesel in instead, the engine is not going to run as if it had gasoline.
- wmbattsjr, on 10/12/2007, -0/+4 Ok, I'm having a hard time understanding the logic here (could be me). If you are worried someone is going to rip off the contents of your hard drive, then disabling software drivers should be about the last step in your lockdown procedure. If I were looking to steal someone's data I would bring my USB drive with FlashLinux installed, boot off that, mount the hard drive and go plundering. Your first step should be to configure your BIOS to never boot off of anything but the hard drive and password it. Going a step further, you'd better lock your case or otherwise be sure I can't reset your BIOS to clear its settings or else you've wasted your time. Physical security first. Then again, this article might assume you've already done all of this, it didn't explicitly state it.
- jarbro, on 07/23/2009, -0/+3 This can also be achieved through a group policy in Active Directory.
- joel2127, on 10/12/2007, -1/+4 That is easy - the things you mention require a third party driver. The problem is the fact that storage drivers for USB are built into Windows, and even a limited user account can pop in a USB key and pull data off. The same cannot be said about Bluetooth devices.
- jambarama, on 10/12/2007, -0/+3 Yes. iPods use the "mass storage device" driver as well (since 2G I believe - as long as they've been FAT). This trick disables that driver, so iPods won't work either. Which is good if you are worried about security. Have you seen podslurp? http://www.sharp-ideas.net/pod_slurping.php
- Jetfire, on 10/12/2007, -0/+3 That’s why you should put shredder software and encrypt the Hard Drive. 3 Bad passwords and HDD gets wiped hard. They can’t read a pulled HDD because it’s encrypted.
- Kitsune818, on 10/12/2007, -0/+3 You work in an SCIF and you allow people to even have USB keys in the first place??
- adml_shake, on 10/12/2007, -0/+3 My friend works IT for some company that actually has the cell phone linked to the laptop. Not only do you have to have the passwords, but that cellphone (using BT I'm sure) has to be within 40ft of the laptop, otherwise it will not work. It has some sort of key built into it, that transmits it to the laptop. He said it cost them a ***** load of $$ but the higher ups thought it was a good idea for the people that are on the road all the time.
- skatingrox, on 10/12/2007, -0/+3 Any chance you got the wrong article?
- Mesach, on 10/12/2007, -1/+3 With a name like Khlept0
I'm not sure I would hire you to be in charge of sensitive information.
- Proginoskes, on 10/12/2007, -1/+3 Ha ha ha!!! Have you ever tried installing a USB Bluetooth dongle in a Windows computer that didn't already have Bluetooth drivers loaded? It's a bloody nightmare. Don't try this at home.
(Well, I suppose YMMV, but I'm not likely to try it again myself.)
- Kitsune818, on 10/12/2007, -0/+2 Would this block an iPod?
- Kitsune818, on 10/12/2007, -1/+3 That depends, is it a Lada or a Yugo?
- thisisjace, on 10/12/2007, -0/+2 Link from Msft: http://support.microsoft.com/default.aspx?scid=kb;en-us;555324
- adml_shake, on 10/12/2007, -3/+5 Why was that modded down? That's actually a very good question.
- Khlept0, on 10/12/2007, -2/+4 No, we don't allow USB drives, but they should be disabled just in case.
And why wouldn't I surf digg in a SCIF? It's just a webpage on an unclassified computer. All the networks are separate.
Typical.... people jumping to conclusions.
Tom Smykowski: It's a "Jump to Conclusions mat". You see, you have this mat, with different CONCLUSIONS written on it that you could JUMP TO.
Michael Bolton: That's the worst idea I've ever heard in my life, Tom.
Samir: Yes, this is horrible, this idea.
- svnft, on 10/12/2007, -0/+2 Kind of scary that sysAdmins at a place where information is so sensitive are just starting to think about this...
- grid212, on 10/12/2007, -0/+1 Maybe this is the wrong place to ask but what I and probably many other people want to know is how do we circumvent this. My PC's USB port is the only way I can charge my iPod during the 8 long hours I spend in the corporate meat grinder. Now if I forget to charge my iPod I'm screwed.
I'm friendly with one of the SysAdmins where I work and they've informed me that the auditing method this software uses is synchronous which means that in theory if I unplug my LAN cable I can plug things into my USB port for power. Rather than asynchronous in that it stores some sort of local log that it uploads to the server at a fixed time each day.
Can anyone confirm this?
- randomc0de, on 10/12/2007, -0/+1 @Nealibob
http://www.thinkgeek.com/gadgets/electronic/5a05/
Looks pretty opaque to me.
- heeerrresjonny, on 10/12/2007, -0/+1 Ok, there are a lot of different people on digg...and a lot of stuff no one NEEDS to know or hear about, it's interesting. If you don't like it browse to a different story man, that's the whole point...
- tidejwe, on 10/12/2007, -0/+1 My work does this too. But what's to stop someone from just putting mini-linux on a flash-drive, reboot the system, boot up in linux off the flash drive, uninstall/delete this "HACK" (ie modification), and reboot back into XP with everything all fixed and running as normal? If someone really wants to use it, there's no stopping them with this...but at least it'll keep the n00b's busy.
- keithgabryelski, on 10/12/2007, -0/+1 Wouldn't it be simpler to just use a pair of pliers?
- SpacemanSpiff, on 10/12/2007, -0/+1 "Kind of scary that sysAdmins at a place where information is so sensitive are just starting to think about this..."
or that he's reading digg (a public website) from within a SCIF
- Pignanelli, on 10/12/2007, -0/+1 USB Keys are the modern equivalent of floppy disks for public-access computers. SysAdmins, please consider carefully before implementing this "improvement".
- heeerrresjonny, on 10/12/2007, -0/+1 You can probably disable USB boot if you want in the BIOS and then set a BIOS password...not very tricky at all...
- Jams, on 10/12/2007, -1/+2 I've just tested a piece of software for use in my company called Sanctuary Device Control.
So far it isn't looking good, there was a situation where the software would be pushed out to users and the user would go home ignoring the "reboot your pc message". The next day they would boot their machine at a client site, Sanctuary would fail to download a policy from the server and resort to blocking all devices. Including all network devices bar the primary NIC.
Other than that little issue it's a great piece of software; however it's not free.
- Dimensio, on 10/12/2007, -0/+1 Indeed. I fail to see how this is useful for "public" machines. I recently spent time locking down a lab full of computers to prevent users from saving data to nearly anything except USB drives. This seems more useful for private computers that store sensitive data, or display computers in computer stores.
- targetOO, on 10/12/2007, -6/+7 And what about them adding USB wifi/bluetooth and transferring the data to their laptop?
My personal suggestion for anyone wanting to disable USB would be to open the box and unplug the cord (yes I know this will only work for the ones on the front) and putting super glue in the ports.
Superglue is actually quite useful in securing machines
http://blogs.zdnet.com/threatchaos/?p=319
- karamba_kid, on 10/12/2007, -0/+1 Didn't people steal data off machines before USB drives were so prevalent?
- Trenton, on 10/12/2007, -0/+1 Uh... This has been done before? There's also other ways to stop people from deploying trojan horses, etc.
Petronski, don't forget "Delete" so when they put the drive in, it's erased, and formatted.
- skatingrox, on 10/12/2007, -0/+1 That's a PS/2 keylogger. I was under the impression that this article was about USB devices.
- socoolisme, on 10/12/2007, -0/+1 My school's computers are locked down enough, I don't need another thing they can't do.
- seansshack, on 10/12/2007, -0/+1 Nice one!!!!
- dbr_onix, on 10/12/2007, -0/+1 It's also assuming your boss is smart enough to bother even thinking of doing this..
- Ben - 4Miles, on 10/12/2007, -0/+0 It's interesting, but to remove all USB capability is not the way to go. We have a network with about 300 desktops in our company. To manage them we are using Desktop Authority. This tool has a USB/port security feature, so we can lock the use of portable storage media, PDA, FDD, CD, serial/parallel ports and many more. With its validation logic this can be set to any user or group much more easily than using group policy.
Have a look at this tool at: http://www.scriptlogic.com/products/DesktopAuthority/
- stevechan, on 10/12/2007, -0/+0 I would like to recommend Lockdown Plus PC. It can lock down floppy, CD-ROM, and removable mass storage like USB sticks easily. With Lockdown Plus PC, you can disable USB sticks or make them read-only without having other USB devices being affected.
Unlike solutions by modifying registry settings, protection from this utility is quite robust. It is able to restrict administrators and even works under safe mode.
To download, please access http://www.y0ys.com/exe/lockpcsetup.zip . For full features list, please visit http://y0ys.com/lockdown/features.htm .
- ratrip, on 10/12/2007, -0/+0 Cool that USB-printers are allowed! I can print my contraband and shuffle it between my "legit" stuff and just walk out of the building at 4:30 PM.
- AntiMidas, on 10/12/2007, -0/+0 I changed the registry and it's cool after I reboot the machine. But if I reboot it again it will then resolve back to the default 3. Am I not doing something correctly?