Executive Summary:
| Removable storage devices present Windows security concerns, including malware infection, illicit software installation, and data theft. Microsoft Windows Vista integrates Group Policy–based support for restricting use of removable storage devices. You can implement similar functionality on downlevel systems such as Windows Server 2003, Windows XP, and Windows 2000. |
Removable storage devices have always presented security concerns for Windows administrators. Local high-speed storage devices increase the risk of malware infection, illicit software installation, and data theft—yet Windows OSs traditionally didn’t provide a way to control these devices. With the release of Windows Vista, Microsoft has finally integrated Group Policy–based support for restricting access to removable storage devices. In this article I briefly discuss using this new feature on Vista; then, I explain how to implement similar functionality on downlevel systems such as Windows Server 2003, Windows XP, and Windows 2000.
Vista’s Removable Storage Access Policies
On Vista, removable storage control is directly accessible in Group Policy Editor (GPE—i.e., gpedit.msc). You can configure this access system-wide or on a per-user basis. The system policies are located in \Computer Configuration\Administrative Templates\System\Removable Storage Access. The per-user settings are in the analogous location \User Configuration\Administrative Templates\System\Removable Storage Access.
For policy purposes, Vista separates removable storage into six categories: CD and DVD Drives, Floppy Drives, Tape Drives, Removable Disks, WPD Devices, and Custom Classes. The CD and DVD Drives policy affects all directly connected optical drives, including CD, DVD, HD-DVD, and Blu-Ray. Floppy Drives refers to all standard floppy disk drives, even those connected via USB. Tape Drives are all linear-access tape devices. Removable Disks refers to both hard drives and flash memory connected by either USB or FireWire. The cryptic (and redundant) name WPD Devices refers to Windows portable devices (WPDs). Finally, Custom Classes refers to removable devices that use a customized access driver.
Distinct read and write access controls exist for each category of removable storage. If your primary concern is preventing users from removing data but you want to allow easy access to portable media, you can deny write access only. If you allow removable media use for archiving but want to deter users from installing illicit software or infecting machines with viruses or malware, you can deny read access only.
Two additional storage access settings exist that don't directly fall into Vista’s six categories. The policy setting called All Removable Storage classes: Deny all access (which is available only under \User Configuration\Administrative Templates\System\Removable Storage Access, as Figure 1 shows) takes precedence over any other policy settings and prevents storage access machine-wide or on a per-user basis depending on where the policy is configured. The policy setting called All Removable Storage: Allow direct access, which is available only under \Computer Configuration\Administrative Templates\System\Removable Storage Access, controls storage access in remote sessions. Enabling this setting lets users who are logged on via Terminal Services directly access removable media.
Finally, a setting that’s available under both the \Computer Configuration and \User Configuration branches lets you set a forced reboot time. This setting is useful because unlike many Group Policy settings, removable storage control requires reconfiguring some drivers that might be in use. Although the setting description implies that a reboot will be forced after the time expired, this isn't necessarily true. A reboot is forced only if Vista can't enforce the policy without the reboot. In cases such as restricting access to WPDs when no such device is active, Vista can immediately apply the policy.
An invaluable reference for learning more about how Vista supports policy-based device control is Microsoft’s “Step-By-Step Guide to Controlling Device Installation and Usage with Group Policy” (http://www.microsoft.com/technet/windowsvista/library/9fe5bf05-a4a9-44e2-a0c3-b4b4eaaa37f3.mspx).
Restricting Removable Storage Access on Pre-Vista Systems
Configuring Vista's removable storage access is easy and convenient, but it's unlikely that you'll upgrade your entire network to Vista solely for this benefit. You can configure similar policies for earlier systems, although you don't have the same range of options. On pre-Vista systems, controlling removable storage access is a matter of restricting driver use. You can't apply granular per-user security to a subsystem, but you can definitely control whether the subsystem is accessible if it uses distinct drivers. This means you have to accept an all-or-nothing approach. Either no one on a system can use a resource such as optical drives, or everyone can.
The Microsoft article “HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers” (http://support.microsoft.com/kb/555324) explains how to use a Group Policy template on earlier Windows systems to disable device drivers. The article includes the complete content for a custom administrative template. If you want to use the documented technique, keep in mind that it’s a legacy policy that tattoos the registry. You must explicitly load and unhide the policy in GPE. In addition, simply removing the template doesn’t reverse the system changes; you must use the template to reset each removable storage device’s setting type from disabled back to enabled.
You can actually control these settings directly on particular systems. The template simply disables the specific driver used for each storage device type. Service startup for device drivers is controlled from the same registry location as are regular services—HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services. Each driver has its own subkey: cdrom for CD and DVD drives; flpydisk for traditional 3.5" floppy disks; sfloppy for LS-120 drives; and usbstor for USB storage devices. Each of these subkeys has a DWORD value named Start, which is set to one of the values shown in Table 1. The typical value for these removable storage devices is 3, which causes the Service Control Manager (SCM) to start them only when they’re needed. The CD/DVD driver value is an exception; it’s set to 1 for startup during system initialization. To disable a driver, set the Start value to 4 for disabled, then reboot the system.
Possibly the quickest way to uniformly change the settings is to import a .reg file with the desired settings. DisableRemovableStorage.reg, which Listing 1 contains, and EnableRemovableStorage.reg, which Listing 2 contains, let you quickly accomplish this task. If you need to run these files automatically, you can use a command such as the following:
regedit /s /i DisableRemovableStorage.reg
You can use EnableRemovableStorage.reg to reverse the changes made by DisableRemovableStorage.reg, as well as to reverse the effects of a Group Policy template (such as the one mentioned earlier), if the template has been removed and deleted before reversing the changes.
Disable Drivers to Secure Systems
Disabling a driver by setting its service startup value to disabled is an easy way to lock out specific functionality. A computer's parallel port, for example, can be disabled by navigating to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\parport and setting the Start value to 4. However, if you plan to use this method, be sure to export registry subkeys before you edit them, and always test your changes before deploying them. If you then disable a driver that prevents system boot, you'll know immediately—and will be able to revert to the last known good configuration. Disabling the wrong start-on-demand driver can cause subtle problems that you might not see immediately. Still, disabling drivers is a useful way to implement your own controls over storage access and even lets you apply restrictions on custom drivers used by specialty hardware.