AllExperts > PC hardware--CPU & Motherboard & RAM 
Search      
PC hardware--CPU & Motherboard & RAM
Volunteer
Answers to thousands of questions
 Home · More PC hardware--CPU & Motherboard & RAM Questions · Answer Library  · Encyclopedia ·
More PC hardware--CPU & Motherboard & RAM Answers
Question Library

Ask a question about PC hardware--CPU & Motherboard & RAM
Volunteer
Experts of the Month
Expert Login

Awards

About Us
Tell friends
Link to Us
Disclaimer

 
 
 
 
About Mike
Expertise
Areas of expertise: PC Hardware, Peripherals, Barcode Scanners, Printers, and Applications, Networking, Microsoft Applications. I am good at researching issues and have a lot of contacts in the IT industry. So, if I can't directly answer a question I can likely find the answer. Areas I won't be much help in: Apple Computers, Linux, older Networking technologies like Token Ring, or Thick/Thinnet.

Experience
I'm currently a Network Administrator for a contract circuit board manufacturer in Oregon, USA. I've been working on PCs from a hobby standpoint for better than 25 years. I've been doing it professionally for 4 years.

Education/Credentials
A+ Certification, Network + Certification, MCP, MCDST, MCSA (in process)

 
   

You are here:  Experts > Computing/Technology > Focus on PC Support > PC hardware--CPU & Motherboard & RAM > Disabling USB Storage Device

PC hardware--CPU & Motherboard & RAM - Disabling USB Storage Device

Expert: Mike - 11/1/2009

Question
Hi Mike! I am an Information System Auditor. Due to the spreading of computer viruses through the use of USB storage devices, my company has recently forbade the use of USB storage device. The use of USB storage device is still allowed in some instances but is limited to the following circumstances.
a) only a selected few terminals could use USB storage device.
b) only authorized USB storage devices could be use at these terminals. Personal USB storage devices are not allowed.

I learnt from the IT Division staff that they implement the above restriction on terminals which are not joined to the Active Directory domain by performing the following

a) deleting the usbstor.inf and usbstor.pnf files.
b) using a freeware called usbdeview.exe and disabled all USB storage devices which have been used at the terminals before, except those authorized by the company.

c)pluggin in the authorized USB storage device to the USB ports of the selected terminals and let the installation run. Hence, only the authorized USB storage device is recognized by the terminal. Other USB storage devices would no longer be recognized and cannot be used.

I would like to know how effective this method is in achieving the desired effect, without affecting the performance and security/stability of the system. Also, I would really appreciate if you could point me to some websites (reputable sources such as websites from Microsoft would be a plus) which could give me some additional information on this. I tried looking through the net and the more I look, the more I am confused as the explanation given does not specifically address my scenario and there are some very technical jargons which I believe only people specialising in Windows Operating System could understand well.

Thank you and looking forward to hear from you.  

Answer
I'm not familiar with that application but it looks like a pretty interesting program. The description doesn't seem to list any sort of security related options like that though. All I read is how it can identify USB devices that have been used on the specific computer.

I don't recommend delete any .inf or .pnf files because there's no real way to know if that will hurt the operating system function. A better option than deleting those two options is to go into the file properties and the Security settings. Then remove the generic Users and Administrators entry in Security and add the specific individual's accounts who are authorized to use USB devices.
Neither of these are all that 'approved' so there really isn't going to be any reputable sources discussing their usage.
A better, more reputable option would be to purchase software designed specifically for that, such as Network USB Sentry.

http://www.freedownloadmanager.org/downloads/Network_USB_Sentry_61094_p/

I understand it would involve upgrading operating systems, but Windows 7 has a built in feature called BitLocker, which allows for advanced data encryption. Another feature is that you can use BitLocker on USB thumb drives to not only encrypt them, but to completely control who is allowed to use them, and on which computers. It essentially does exactly what you are describing without modifying or deleting any system files.
There are many sites online about Bitlocker but here's just a couple to read on:

http://thepcsecurity.com/encrypt-usb-flash-drive-data-bitlocker/

http://101-computer-troubleshooting.blogspot.com/2009/09/use-bitlocker-drive-enc...

I have another IT contact who works for HP that is going to send me some information on how he has controlled USB thumb drive usage so when I get that information from him I will send you a follow-up with it.

If you happen to use Twitter, I am on as @mikerigsby. You can feel free to add me and I can provide more information or future assistance that way. I always like making more contacts in the IT industry.

Add to this Answer   Ask a Question


 
User Agreement | Privacy Policy | Kids' Privacy Policy | Help
Copyright  © 2008 About, Inc. AllExperts, AllExperts.com, and About.com are registered trademarks of About, Inc. All rights reserved.