Friday, 30 March 2012

To Disable USB Ports To Prevent Malware Infection


A Reader writes in:
My PC is being shared by my roomies – they mainly use it for watching films – virus threats from USB is paramount. I have no issue with CD drives. But USB’s are a no-no. So it's really important that I do this (block or lockdown USB ports).
There are plenty of ways to disable USB ports, and you don’t need any special software.

Disable USB Ports By Disabling Autorun

Most malware that spreads through USB devices does so because of the Autorun feature, which automatically executes the file named in the autorun.inf file located at the root of the USB device's folder tree. To the untrained eye, something as unsuspicious as “Open folder to view files” can easily be made to run any desired file on the drive and can thus infect your computer. So disabling autorun is always one of the better options. To do so:
  • First, press the key combination Win + R and type gpedit.msc
  • Navigate to Computer Configuration > Administrative Templates > Windows Components, then click Autoplay Policies. (XP users should try Computer Configuration > Administrative Templates > System.)
  • In the Details pane, double-click Turn off Autoplay.
  • Click Enabled, select All drives in the Turn off Autoplay box to disable Autorun on all drives.
Microsoft Help and Support has more details and methods.

Option 1. Disable users from connecting USB devices

You can prevent selected user accounts from connecting USB devices to your computer. So if you share your laptop/computer with a friend, you should create a separate user account and deny his/her account the ability to connect USB devices. Microsoft Help and Support provides steps to obtain such fine-grained control.
Or you can simply navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor and set the value of Start to 4. To enable access again, change the value back to 3.
Although the site mentions that this applies to Windows XP, 2000 and 2003, it worked just fine on Windows Vista and Windows 7 as well.

Option 2. Change BIOS, disable USB ports, password protect BIOS

Enter your system’s BIOS setup just after you press the Power On button. Look for any setting that allows you to disable USB ports, disable them, and make sure you add a BIOS password.

Option 3. Use Device Manager to disable USB

  • Go to Device Manager (Right click My Computer, choose Manage, choose Device Manager in left pane)
  • Now look for USB Devices in the right pane, right click on the device and choose Disable.
Of course you would like to make it a little easier to enable/disable the USB ports. For that you need to create a reg file that modifies the appropriate registry key. Here is an example (make sure to spell everything correctly):
Double-clicking this file will enable access; similarly, you can change 00000003 to 00000004 to create a reg file for disabling access.
None of these are foolproof; there is always someone smart enough to find a way around them. If you really want to go all the way, you can fill the ports with some epoxy or a similar substance! This is of course not a recommended solution for your personal computer, but it might come in handy for large organizations trying to prevent employees from using USB devices.
All in all, the options are good enough to stop the accidental, unintentional spread of malware or compromise of your computer, which mostly happens when a USB device is plugged into different computers. However, don’t bet your life on these if someone is really determined to use a USB device on your computer for whatever reason.
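
The same enable/disable toggle as a PowerShell script, as an added example that is not from the original post: it reads the Start value under the UsbStor key named in Option 1, sets it to 4 or 3 on request, and reads it back to confirm the change. The file name `Set-UsbStor.ps1`, the parameter and the function names are hypothetical.

```powershell
# Set-UsbStor.ps1 (hypothetical file name) - added example, not the post's .reg file.
param(
    [ValidateSet('Status', 'Disable', 'Enable')]
    [string]$Action = 'Status'
)

# Key and value named in Option 1 of the post.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
# Start values from the post: 3 = access enabled, 4 = access disabled.
$StartValues = @{ Enable = 3; Disable = 4 }

function Get-UsbStorState {
    # Read the current Start value and map it to a readable state.
    $start = (Get-ItemProperty -Path $KeyPath -Name Start -ErrorAction Stop).Start
    switch ($start) {
        3       { 'Enabled' }
        4       { 'Disabled' }
        default { "Other (Start = $start)" }
    }
}

function Test-IsAdministrator {
    # Writing under HKLM needs an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-Path -Path $KeyPath)) {
    throw "UsbStor service key not found at $KeyPath"
}

if ($Action -eq 'Status') {
    "USB storage access: $(Get-UsbStorState)"
    return
}

if (-not (Test-IsAdministrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell prompt.'
}

$before = Get-UsbStorState
Set-ItemProperty -Path $KeyPath -Name Start -Value $StartValues[$Action] -Type DWord
# Read the value back so the change is verified rather than assumed.
"USB storage access: $before -> $(Get-UsbStorState)"
```

Run it with `-Action Status` first to see the current setting before changing anything.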
How do you protect your computer from malware spread via USB drives?
