How to enforce a read-only policy
USB drives undoubtedly represent a major security risk. They are cheap, they can hold an extremely large volume of data and they make it extremely easy for employees to remove sensitive data from the company premises - without your knowledge.
In his article USB Flash Drive Security, Jake Shores described how the use of USB drives can be completely disabled. In instances where employees have no valid business use for USB drives whatsoever, disabling them completely is undoubtedly the best option. But what if you want to disable copying to - but not copying from - USB drives? Windows Vista provides you with an option to do just that.
How to enforce a read-only policy:
- Click on the Start button, type regedit into the Search box and press Enter.
- In the Registry Editor, drill to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.
- Right-click on Control, select New > Key and name it StorageDevicePolicies.
- Right-click on the new StorageDevicePolicies key, select New > DWORD and name it WriteProtect.
- Right-click on the new WriteProtect DWORD, select Modify, enter 1 into the Value Data field and click OK.
Writing to USB drives has now been completely disabled on that computer - users will, however, continue to be able to read from their USB drives.
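The same policy can be applied and verified from an elevated PowerShell session instead of clicking through the Registry Editor. The script below is an added example, not part of the original article; it assumes a Windows PowerShell 3.0 or later session running as an administrator, and it uses the hypothetical function names Set-UsbWriteProtect, Get-UsbWriteProtect and Test-UsbWriteProtect. The registry path and the WriteProtect value are the ones described in the steps above; the write test that follows simply tries to create and delete a small file on every removable drive so you can confirm that writes are actually being refused.

```powershell
# Added example (not from the original article). Run in an elevated Windows PowerShell 3.0+ session.
# Registry location from the article: HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
$PolicyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Set-UsbWriteProtect {
    # Creates the StorageDevicePolicies key if needed and sets WriteProtect (1 = read-only, 0 = writable).
    param([ValidateSet(0, 1)][int]$Enabled = 1)

    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name 'WriteProtect' -PropertyType DWord `
                     -Value $Enabled -Force | Out-Null
}

function Get-UsbWriteProtect {
    # Returns the current WriteProtect value, or $null if the policy key/value does not exist.
    if (-not (Test-Path -Path $PolicyPath)) { return $null }
    $item = Get-ItemProperty -Path $PolicyPath -Name 'WriteProtect' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.WriteProtect
}

function Test-UsbWriteProtect {
    # Tries a harmless write on each removable drive (DriveType 2) and reports whether it was blocked.
    $removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($disk in $removable) {
        $probe = Join-Path -Path "$($disk.DeviceID)\" -ChildPath 'wp-probe.tmp'
        try {
            [System.IO.File]::WriteAllText($probe, 'write-protect probe')
            Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
            [pscustomobject]@{ Drive = $disk.DeviceID; WriteBlocked = $false }
        }
        catch {
            # A write-protected device raises an IOException ("The media is write protected").
            [pscustomobject]@{ Drive = $disk.DeviceID; WriteBlocked = $true }
        }
    }
}

# Usage: apply the policy, show the stored value, then probe every removable drive.
Set-UsbWriteProtect -Enabled 1
Write-Host "WriteProtect is now: $(Get-UsbWriteProtect)"
Test-UsbWriteProtect | Format-Table -AutoSize
```

Two practical notes. First, the policy is evaluated when a storage device is mounted, so a drive that was already plugged in when you set the value should be removed and reinserted before you trust the result of the write probe. Second, this is a plain HKLM value, so anyone with local administrator rights on the machine can set it back to 0; if you need the restriction to hold across a fleet, deliver it through Group Policy (Computer Configuration > Administrative Templates > System > Removable Storage Access > "Removable Disks: Deny write access" is the equivalent built-in setting from Vista onward) rather than relying on a one-off registry edit.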
USB drives as a malware vector
Note that potential data loss is not the only business risk associated with USB drives; they can also be used as a vector to (intentionally or unintentionally) introduce malware into the corporate network - in a manner that completely bypasses the majority of perimeter defence mechanisms. You should, therefore, only apply this policy if you specifically need to permit reading while blocking writing. Should your employees have no need to either read from or write to USB drives, the best option is to simply follow the steps outlined in Jake Shores’ article and block their use completely.