views: 440

answers: 4

On Windows, is there any way to programmatically approve a USB device after insertion, if it is of a certain type (say Removable Drive) allow its use, otherwise not? Also not to allow running of drivers, only allow usage of the device in an approved way?

I.e. we want to allow the insertion of USB drives, but not have to worry about viruses being installed.

EDIT: Sorry, I wasn't very clear on the posting of this question. Yes this is Windows, but I am not worried about auto-run programs, that is of course turned off. Users will not be able to access any executables, just data will be read off of the drive. They will not have access to any UI other than what we allow (it's a Kiosk). What I am concerned about is device drivers running and installing software (à la U3, and other USB software that installs itself when you insert a USB drive). There are a bunch of viruses in the wild that can be run just by inserting a USB drive into a system. We have restricted things with group-policy to the level that we can, but I can't find a way to not allow the installation of drivers without creating a base whitelist of USB drives that come pre-installed and nothing else would work (i.e. do not allow installation of drivers).

+1  A: 

No. You can restrict access to removable media using GPO, but you can't specify what kind of files are allowed on the removable media or if they can execute or not.

EDIT: Upvoting Thomas. Better answer than mine.

Jeremy
http://www.windowsdevcenter.com/pub/a/windows/2005/11/15/disabling-usb-storage-with-group-policy.html
Xenph Yan
+5  A: 

(Since you're worried about viruses I'll assume that we're talking about Windows.)

There is no point in restricting the user like that. Make sure the user does not have Administrator privileges. And install an up-to-date virus scanner.

Rationale: If you're not going to permit even reading files, then allowing a USB drive would be useless anyway. So you are going to permit reading files from a USB drive. But then someone could already install a virus by copying it to the local hard drive and running it from there.

Thomas
+2  A: 

Also, on Windows, disable Autoplay/Autorun on the USB drives.

With Group Policy: http://www.howtogeek.com/howto/windows/disable-autoplay-of-audio-cds-and-usb-drives/

There are also options in the TweakUI utility: http://www.microsoft.com/windowsxp/Downloads/powertoys/Xppowertoys.mspx

Kris Kumler
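
A check for the Group Policy setting mentioned in the answer above, as an added example that is not part of the original post. It assumes the policy is stored in the NoDriveTypeAutoRun registry value under the Policies\Explorer key, a bitmask in which a set bit disables Autorun for that drive type; the function and variable names are illustrative.

```powershell
# Added example: audit the Autorun policy on a kiosk image.
# NoDriveTypeAutoRun bit values; a SET bit means Autorun is DISABLED for that type.
$DriveTypeBits = [ordered]@{
    'Unknown type'        = 0x01
    'Removable drive'     = 0x04
    'Fixed drive'         = 0x08
    'Network drive'       = 0x10
    'CD-ROM drive'        = 0x20
    'RAM disk'            = 0x40
    'Unknown type (0x80)' = 0x80
}

# The value can exist per machine and per user; Windows uses HKLM when both are present.
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutorunEnabledTypes {
    # Returns the drive types whose bit is clear, i.e. Autorun is still allowed.
    param([int]$Mask)
    $DriveTypeBits.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -eq 0 } |
        ForEach-Object { $_.Key }
}

foreach ($key in $PolicyKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $value = $props.NoDriveTypeAutoRun      # $null when the key or value is absent
    if ($null -eq $value) {
        Write-Output "$key : NoDriveTypeAutoRun not set, no policy applied here"
        continue
    }
    # Older tools may have written the value as binary; the mask is the first byte.
    if ($value -is [byte[]]) { $value = $value[0] }

    $stillEnabled = @(Get-AutorunEnabledTypes -Mask $value)
    if ($stillEnabled.Count -eq 0) {
        Write-Output ('{0} : 0x{1:X2}, Autorun disabled for all drive types' -f $key, $value)
    } else {
        Write-Output ('{0} : 0x{1:X2}, Autorun still enabled for: {2}' -f $key, $value, ($stillEnabled -join ', '))
    }
}
```

A value of 0xFF reports every drive type as disabled; any mask without bit 0x04 leaves removable drives covered by Autorun.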
+1  A: 

If it's your own kiosk application, make sure your kiosk has drive letters A-Z assigned. To access the USB drive, you'll need a path of the form \??\Volume{GUID}\Filename. But by keeping it out of the normal file system, you're safe against most attacks.

You're never entirely safe. As Raymond Chen would point out, it doesn't help a lot if you disapprove forks. The (physical) damage is already done.

MSalters