Working in Computer Security, one of the biggest threats we face today is the threat of an Insider, an Employee who might casually walk in with his 4 GB USB Flash drive, plug it in to their computer within the corporate network and walk away with valuable data. I have seen solutions ranging from expensive Intrusion Prevention Systems to disabling access to the USB drive all together.
In the first scenario, a company might not have enough financial resources for such an expensive IPS solution. The second scenario is impossible to implement in a corporation, think about the external USB keyboards, mouse or a LCD screen.
Prevent a user from writing to a USB drive
In this scenario, let us think that a corporation has migrated to Windows Vista from Windows XP. It does not wish to use an expensive solution but at the same time lock down users from having access to the WRITE capability with regard to a USB device.
1. Open Notepad and copy the following
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
“EncryptionContextMenu”=dword:00000001
2. Save the file as USBNoWrite_Vista.reg
3. If you double click the file(and using Vista you will see the UAC prompt. Click Continue) click Yes to the confirmation box that appears.
4. Restart the computer for this setting to take affect
Now, the next time someone tries to send files to a USB drive, they will see a message saying
” The Disk is write-proteced.
Remove the write-protection or use another disk
Note: System Administrators can also configure this setting to use Group Policy. So block of all USB writing permission to say a group of employees.