(imported topic written by ivynash)
I would like to make USB storage devices Read Only. Please help me out .
I have tried the followig registry entries and published the same for the clients for system with Win XP SP2, but still the USB storage is not changed to Read Only.
*HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control \StorageDevicePolicies\WriteProtect
(imported comment written by BenKus)
Hi ivynash,
Can you give us a link to some more information about how to perform this operation in Windows?
I am not sure if you have a problem with the relevance, action, or if there is a weird Windows behavior. Have you been able to set the registry key manually and see it working?
Ben
(imported comment written by ivynash)
Hi Ben,
I have tried it doing manually also, but its not working. As per Microsoft webiste it is possible with Windows XP SP2. You can find the Technote in the following link: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2otech.mspx
I just wanted to know how to make a USB storage device read only using the task or fixlet available from BigFix. I also tried using “Removal Media: Disable future use of USB storage device” task and changing the value of Usbstor to 00000001 from 00000004 so that it will disable write option, but it also did not work. Please help me to make USB storage device as read only.
ivynash
(imported comment written by brolly3391)
Hello ivynash,
I just tested the information from the technote that you sent from Microsoft and it worked for me on my Windows XP SP2 machine.
Make sure that “WriteProtect” is a dword value set to 1 under the key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies”. It looks like you might have set a key called “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect”
Informal testing showed me that this key and value don’t do anything unless they already exist when the USB drive is inserted. For your testing, try setting the key manually and then remove and reinsert your USB drive. Once the setting has been created, any future USB drives that are inserted will also be constrained by the setting.
I have attached some sample fixlets to turn the setting on and off.
This is a really exciting find as more than one admin has been fretting about information leakage through USB drives.
These fixlets should be considered untested and you should test them thoroughly before using them in your production environment.
Cheers,
Brolly
(imported comment written by BenKus)
This is probably a good time to note that there are all sorts of wonderful Fixlets/Tasks like this in our “Security Policy Manager” site. You can disable USB devices, wireless devices, CD ROMs, Floppies, and so on. You can also check for weak passwords in Windows, you can run audits of your security settings for Windows, IIS, or SQL Server, you can change your email/browser settings, detect Instant message software, and much more…
Contact your sales representative for more information if you don’t have this site and you are interested in it.
Ben
(imported comment written by ivynash)
Thanks a lot for the info…
(imported comment written by ivynash)
Has anyone checked this on Windows Vista OS ???
(imported comment written by BenKus)
Hi Ivy,
We will check this out and let you know what we find. Did you have any experiences that showed that it worked or didn’t work?
Ben
(imported comment written by ivynash)
Hi Ben,
I have not checked this. This query is from one of our customer, they are migrating all Windows XP machines to MS Vista so I just wanted to confirm the same.
Regards,
Ivy