Allow only specific USB drives in Windows

The problem is this: we have issued flash media. On computers (running Windows from XP onward) it must not be possible to plug in unauthorized devices.

Actually, the question is: how do we prohibit their use?

The situation is complicated by the fact that the organization does not have a common network, which means group policy, DeviceLock and the like only work until you need to add another device on all the computers (and, mind you, there are a few thousand of them).
Is there any solution, for example a file with the serial number, signed with a key, on a hidden partition of the pendrive, from which the OS understands whether to mount it or not?
October 3rd 19 at 02:28
7 answers
October 3rd 19 at 02:30
Several thousand computers without a single network, but with the need for centralized control: that's called hell.
October 3rd 19 at 02:32
You can do it with plain Windows, but from experience I can say that it sometimes causes random problems in the system.
In the registry branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR, which stores information about the installed USB drives: clean out the branch, plug in the right flash drives, let them install, and then restrict user rights on this key; after that Windows simply can't install a new drive.
There are also files in the system folder responsible for the same thing; their rights also need to be trimmed right after the installation: \WINDOWS\Inf\usbstor.inf and usbstor.pnf.
To clarify: take away write rights from everyone, including SYSTEM. - burley_Daniel commented on October 3rd 19 at 02:35
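The registry and INF lock-down from this answer, as an added example that is not code from the thread. It assumes an elevated PowerShell session with enough rights to change the ACL on the USBSTOR key (ownership may have to be taken first); the function names are hypothetical. The Deny entries for Everyone and SYSTEM follow the answer and its comment: PnP installs run as SYSTEM, so the SYSTEM deny is what actually blocks a new device. On Vista and later the driver store also keeps its own copy of usbstor.inf, so the registry deny is the part that matters there.

```powershell
# Added example, not code from the thread. Run elevated.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Get-InstalledUsbStorage {
    # Subkeys are Disk&Ven_X&Prod_Y&Rev_Z; their subkeys are device instances,
    # usually named <serial>&0. Whatever is listed here is the allowlist that
    # remains usable after the key is locked.
    foreach ($model in Get-ChildItem $UsbStorKey) {
        foreach ($inst in Get-ChildItem $model.PSPath) {
            [pscustomobject]@{
                Model        = $model.PSChildName
                InstanceId   = $inst.PSChildName
                FriendlyName = (Get-ItemProperty $inst.PSPath).FriendlyName
            }
        }
    }
}

function Add-DenyRule {
    # Adds a Deny ACE for Everyone and SYSTEM on a registry key or a file.
    # Reverse it later with $acl.RemoveAccessRule($rule) and Set-Acl.
    param([string]$Path, [string]$Rights)
    $acl   = Get-Acl -Path $Path
    $isKey = $Path -like 'HKLM:*'
    foreach ($who in 'Everyone', 'NT AUTHORITY\SYSTEM') {
        $rule = if ($isKey) {
            New-Object System.Security.AccessControl.RegistryAccessRule(
                $who, $Rights, 'ContainerInherit', 'None', 'Deny')
        } else {
            New-Object System.Security.AccessControl.FileSystemAccessRule(
                $who, $Rights, 'Deny')
        }
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Lock-UsbStorage {
    # 1) plug in the approved drives and let Windows install them,
    # 2) run this; new USBSTOR instances can then no longer be created.
    Add-DenyRule -Path $UsbStorKey -Rights 'SetValue, CreateSubKey, Delete'
    foreach ($f in 'usbstor.inf', 'usbstor.pnf') {
        $p = Join-Path $env:SystemRoot "Inf\$f"
        if (Test-Path $p) { Add-DenyRule -Path $p -Rights 'Read' }
    }
    Get-InstalledUsbStorage   # print what stays allowed on this machine
}
```

Usage: dot-source the file, plug in the approved drives, then call Lock-UsbStorage. Keep the output of Get-InstalledUsbStorage per machine; it is the only record of which drives that computer will still accept.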
October 3rd 19 at 02:34
I don't think so, because the idea is pretty meaningless. What prevents carrying information out on the official media?
I think their registered media are collected at the exit, and they have a detector (if you go through the frame, it beeps). - burley_Daniel commented on October 3rd 19 at 02:37
No, a transparent sealed envelope with the media is handed in at the exit, and each one is checked against the registry. Paranoid security, that's it. - Mara_Grant commented on October 3rd 19 at 02:40
Do you realize that this is really just impossible? Without centralized control you can't even really take admin rights away from users. - loren_Schmeler commented on October 3rd 19 at 02:43
October 3rd 19 at 02:36
Do you have a policy of "allow everything except..."?
By the way, is photographing the monitor prohibited, or can you print out what you need (binaries as mail in MIME format)?
October 3rd 19 at 02:38
It is technically possible to write a service that sits in Windows and checks the serial numbers of USB sticks. If the number is not registered, it disables them.
1. How do you update the list of allowed serial numbers?
2. Weak protection. Using service utilities, any drive can be assigned any serial number. - burley_Daniel commented on October 3rd 19 at 02:41
1. Host a database on the Internet and check it with a POST request.
2. Check not only the number, but also the date of assignment. At least. - Mara_Grant commented on October 3rd 19 at 02:44
1. Under the terms of the task, there is no network.
2. Yes, you need to check many different characteristics: VID/PID, serial number, volume, partitions, parameters, FCS, etc. - loren_Schmeler commented on October 3rd 19 at 02:47
1. For this task there is no common network. Does that mean there is none at all? Or is that the case?
2. That's exactly my point. Without a unified data store you still can't do it. - giles_Lesch commented on October 3rd 19 at 02:50
1. There is no networking between the computers at all. Each machine is on its own.
2. Well... we could embed, either in a hidden partition or in the MBR in place of the boot record, some identifier tied to the flash drive's hardware. Preferably signed with a key. If it is there and matches, allow access. If not, disable. - Marc commented on October 3rd 19 at 02:53
What POST request, if there is no network?
Well, create your own encrypted file on the flash drive; on opening it, the service checks its validity and the key, and the key is built from the size of the flash drive, its serial number and some kind of salt (you can still come up with something else).
By the way, there are flash drives whose serial number cannot be overridden by utilities.

I would buy flash drives with built-in hardware encryption and an external API; each user would bring their own flash drive with a password; I would write a Windows service that, when the drive is connected, simply tries to log on to this flash drive with the key, and if an exception occurs (the flash drive is not encrypted or the key is wrong), immediately disables the device. And the password would be in two parts: one specific to the user (e.g. the account ID in the system) and the second specific to the organization (a salt), which would complicate unauthorized access.
But absolute protection is difficult (and expensive); you can only complicate the access procedure. If the user attaches a debugger, breaking such protection is not hard.
In short, if you are ready to spend, look for a hardware solution; there are a great many. And if you are not ready, you will not succeed at anything serious. I do not know what security standards your office has, but a USB port on the computer already tells me that they are not high. In normal offices the computers are in safes with alarms, and there is no access to any ports or hardware at all. Data is reproduced centrally by a responsible person and against a signature. - Reba19 commented on October 3rd 19 at 02:56
here is the link to the topic - Marc commented on October 3rd 19 at 02:59
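The "service that checks serial numbers" from this answer, combined with the signed-file idea from the comments (a token on the drive that ties the serial number and size to an organization-wide salt), as an added example that is not code from the thread. It assumes Windows 8 or later with PowerShell 5 (CimCmdlets and PnpDevice modules), an elevated session, and an organization secret copied to every machine out of band, which is the only thing that has to be distributed since there is no network. All names ($OrgSecret, $TokenName, the functions) are hypothetical. The tag is HMAC-SHA256 over serial|size, so a token copied to another drive does not verify, and someone who reprograms a serial still needs the secret.

```powershell
# Added example, not code from the thread. Dot-source, then Register-UsbGuard.
$global:OrgSecret = 'replace-with-a-long-random-secret'   # constructed placeholder
$global:TokenName = '.authorized'                          # hypothetical file name

function global:Get-DriveTag {
    param([string]$Serial, [uint64]$Size)
    $h = New-Object System.Security.Cryptography.HMACSHA256
    $h.Key = [Text.Encoding]::UTF8.GetBytes($global:OrgSecret)
    $mac = $h.ComputeHash([Text.Encoding]::UTF8.GetBytes("$Serial|$Size"))
    ([BitConverter]::ToString($mac) -replace '-', '').ToLowerInvariant()
}

function global:Test-DriveTag {
    param([string]$Serial, [uint64]$Size, [string]$Presented)
    $expected = Get-DriveTag -Serial $Serial -Size $Size
    if (-not $Presented -or $Presented.Length -ne $expected.Length) { return $false }
    $diff = 0                                  # constant-time comparison
    for ($i = 0; $i -lt $expected.Length; $i++) {
        $diff = $diff -bor ([int]$expected[$i] -bxor [int]$Presented[$i])
    }
    $diff -eq 0
}

function global:Get-UsbDiskSerial {
    param($Disk)                               # a Win32_DiskDrive instance
    if ($Disk.SerialNumber) { return $Disk.SerialNumber.Trim() }
    # fallback: PNPDeviceID is USBSTOR\DISK&VEN_X&PROD_Y&REV_Z\<serial>&0
    ($Disk.PNPDeviceID -split '\\')[-1] -replace '&\d+$', ''
}

function global:Get-UsbDiskVolumes {
    param($Disk)
    Get-CimAssociatedInstance -InputObject $Disk -ResultClassName Win32_DiskPartition |
        ForEach-Object { Get-CimAssociatedInstance -InputObject $_ -ResultClassName Win32_LogicalDisk }
}

function global:New-DriveToken {
    # Run once by the issuing admin on each approved drive, e.g. New-DriveToken 'E:'
    param([string]$DriveLetter)
    $disk = Get-CimInstance Win32_DiskDrive -Filter "InterfaceType='USB'" |
        Where-Object { @(Get-UsbDiskVolumes $_ | ForEach-Object DeviceID) -contains $DriveLetter }
    if (-not $disk) { throw "$DriveLetter is not a mounted USB disk" }
    $tag  = Get-DriveTag -Serial (Get-UsbDiskSerial $disk) -Size $disk.Size
    $path = Join-Path "$DriveLetter\" $global:TokenName
    Set-Content -Path $path -Value $tag -NoNewline -Force
    (Get-Item $path -Force).Attributes = 'Hidden'
}

function global:Test-UsbDisk {
    # $true if any volume on the disk carries a valid token; otherwise the
    # device is disabled and $false is returned.
    param($Disk)
    $serial = Get-UsbDiskSerial $Disk
    foreach ($vol in Get-UsbDiskVolumes $Disk) {
        $path = Join-Path "$($vol.DeviceID)\" $global:TokenName
        if (Test-Path $path) {
            $tag = (Get-Content $path -Raw -Force).Trim()
            if (Test-DriveTag -Serial $serial -Size $Disk.Size -Presented $tag) { return $true }
        }
    }
    Write-Warning "Unauthorized USB disk '$($Disk.Model)' serial '$serial'; disabling"
    Disable-PnpDevice -InstanceId $Disk.PNPDeviceID -Confirm:$false
    $false
}

function global:Register-UsbGuard {
    # WMI polls every 2 s for newly arrived USB disks. In production run this
    # under a service account so an ordinary user cannot Unregister-Event it.
    $q = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " +
         "WHERE TargetInstance ISA 'Win32_DiskDrive' AND TargetInstance.InterfaceType = 'USB'"
    Register-CimIndicationEvent -Query $q -SourceIdentifier UsbGuard -Action {
        Start-Sleep -Seconds 3                 # let the volume mount before reading the token
        $idx  = $Event.SourceEventArgs.NewEvent.TargetInstance.Index
        $disk = Get-CimInstance Win32_DiskDrive | Where-Object Index -eq $idx
        if ($disk) { Test-UsbDisk $disk | Out-Null }
    }
}
```

Issuing: plug an approved drive into the admin's machine and run New-DriveToken 'E:'. Enforcing: on each workstation dot-source the script and call Register-UsbGuard. As the answer itself says, this only raises the bar: a user with local admin rights can stop the watcher or read the secret off the machine, and a drive whose serial can be reprogrammed only has to match the size as well.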
October 3rd 19 at 02:40
A somewhat simpler option is available out of the box, but it requires Windows 7 or Windows Server 2008:
1. EN.Wiki
2. En.Wiki
3. The article
October 3rd 19 at 02:42
GFI EndPointSecurity

DeviceLock

More functional products, at the same time backed by "paper":

Secret Net
It has a "Security Server" for centralized management of workstations.

Dallas Lock
It claims "remote administration of workstations".
