Inari Media


How to Protect your Business Data by Disabling USB Storage Devices




Note: this post is Windows-centric. Apologies to all Mac and Linux users, but I had to go with the majority on this one.

It doesn’t take a hack attack for your business to be facing a data breach and major security headache. One of the easiest ways for anyone to steal data from your company would be to copy files from your systems directly on to a portable storage device and walk out of the office with it. While you may have removed all CD and DVD drives, USB ports are still a point of vulnerability. Not only can they take information out, but they can also bring in viruses, trojans and spyware. Luckily, they can be disabled.

The most obvious solution to the problem is to disable USB devices in the Control Panel. This will work for any storage devices that have been used on the machine previously, but the AutoPlay function might kick in for any new machines, so the block is easily bypassed. Score one for the data thieves. Not only that, but disabling the USB ports on a machine wholesale also means that USB keyboards, cameras and printers might be disabled. All in all, this brute force approach is not necessarily the best one.

Another alternative is to make storage drives read-only through the registry settings of a machine. This would not only allow for the use of a number of peripherals that also need a USB port, but would also mean that it would be impossible to write to any devices. There is a down and dirty run-through of how to disable write access for storage devices that you can use, though this is only through the registry, and there is no guarantee that an enterprising miscreant will not find a way to get what they want.
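One way to check and apply the read-only registry setting described above, as an added example that is not from the original post or the run-through it mentions. It uses the standard Windows `StorageDevicePolicies` key and `WriteProtect` value; the `-Enforce` switch and the function names are hypothetical.

```powershell
# Added example: audit, and optionally enforce, read-only removable storage.
# Run from an elevated prompt; writing under HKLM needs administrator rights.
param([switch]$Enforce)   # hypothetical switch: without it the script only reports

$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$valueName = 'WriteProtect'

function Get-WriteProtectState {
    # The key does not exist on a default install, which means writes are allowed.
    if (-not (Test-Path -Path $policyKey)) { return 'KeyMissing' }
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'ValueMissing' }
    if ($item.$valueName -eq 1) { return 'ReadOnly' }
    return 'Writable'
}

function Set-WriteProtect {
    # Create the key first if it is absent, then create or overwrite the DWORD.
    if (-not (Test-Path -Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    New-ItemProperty -Path $policyKey -Name $valueName `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

$state = Get-WriteProtectState
Write-Output "Before: $env:COMPUTERNAME removable storage state = $state"

if ($Enforce -and $state -ne 'ReadOnly') {
    Set-WriteProtect
    $state = Get-WriteProtectState
    Write-Output "After:  $env:COMPUTERNAME removable storage state = $state"
    # Drives that are already mounted may need to be re-plugged (or the
    # machine restarted) before the new policy applies to them.
}

# A non-zero exit code lets a logon script or management tool flag
# machines where the setting is missing or has been reverted.
if ($state -ne 'ReadOnly') { exit 1 }
```

Because the value lives under HKLM, a standard user cannot revert it, but anyone with local administrator rights can, so re-running the audit periodically shows whether the setting has been changed.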

The best solution I have seen when investigating this topic is to disable USB storage devices via a computer’s BIOS, before locking access to that realm via a password. At least if you do that, you know it will take a concerted effort to bypass the controls you have set. I don’t normally visit their pages, but About do have a helpful section on how to access your PC’s BIOS.

If you’ve been paying attention, you’ll have noticed that while all of these solutions are OK on a case by case basis, there is nothing said so far about implementing these security measures across a network. This isn’t because I have not found any, but because it does seem to be wholly dependent on the kind of network you are running. There was a page at the HP website that suggested the best course of action for different setups, but it has since been culled.

This is not to say that there is no way to implement blanket permissions, but it is entirely dependent on the server technology you are already running. I have stacks of information for all sorts of permutations of Linux, Apache and Windows Server systems, but listing them all here would take far too long. For a small business, tweaking each new machine may only take a couple of minutes; for larger organisations, however, there is a kick-ass Novell script that does everything needed with the minimum of fuss.

[Image by AdobeMac]



  1. nairobichronicle says:

    Even after blocking the use of USB sticks, what about emails and websites? I could send data to an anonymous Yahoo account then download the data from a cybercafe after work. Or I could open an account with a webhosting service and upload the files via HTTP or FTP. How do you beat that? But I guess the average computer user wouldn’t think of that :-)

  2. Stephanie Migot says:

    Network admins can control which sites employees are able to handle, and do the same with email addresses. In data-critical environments, networks are subject to a greater level of scrutiny, so any dodgy behaviour such as that you’ve highlighted would probably be flagged and queued for further examination.

    You’re correct in thinking that that determined employee would not just give up if USB access were disabled, but there are ways and means to make grabbing data as difficult as possible without actually banning people from using computers.
