Securing a small business’s computer systems is no trivial task, as there is a wide variety of threats to defend against. The majority of the threats we hear about are the flashy ones, such as a denial-of-service attack (DoS attack) against Amazon or eBay or a disastrous new virus wreaking havoc. Ironically, the most devastating issues we actually face aren’t flashy at all. Most don’t even originate from an external source; they come from within.
Have you ever had employees use USB flash drives to transfer files from their home computer to their office PC only to infect a company PC, or worse yet, your entire network? Or maybe an employee installed a favorite application on the office machine without admin approval. Renegade software installations can create system instabilities or introduce security vulnerabilities to the network. Plus, any application installed on a company PC needs to be legally licensed to the company.
An even greater danger is someone removing company data without authorization. Let’s say an employee at a law firm copied a client’s case files onto a USB flash drive to work on them at home. Should that flash drive be lost, all of the client’s private information could be made public, and the company would be held liable.
In addition to USB flash drives, workstation CD/DVD burners can also be potentially problematic. Data can be burned to disc just as easily as it can be copied to a flash drive. Employees can even use these drives to create duplicates of company-owned software.
You can minimize these risks by simply preventing employees from accessing the CD/DVD-ROM drive or from using USB flash drives on their workstations. Larger companies with dedicated IT departments typically use Windows Group Policy Editor to disable these devices. Group Policies are a great approach when you’re dealing with hundreds of PCs, but for small business owners with only a handful of systems to manage and limited technical expertise, a more straightforward approach is available.
Welcome to Windows Registry
By making a simple modification to the Windows Registry, you can easily prevent people from accessing the computer’s CD/DVD-ROM drive, or connecting a USB flash drive. Even if the employees have administrator rights to their local PCs, they won’t be able to re-enable these devices using Windows Device Manager. They can only be re-enabled via Windows Registry.
Best of all, disabling the USB Flash drive in this fashion will not prevent other USB devices like USB keyboards and mice from working. This modification should work with most versions of Windows and will affect any person who logs into this system.
To modify the Registry we need to launch the Registry Editor. To do this just click on the Start button, type REGEDIT and press Enter. You should now be looking at the Registry, which is laid out like Windows Explorer with a left and right pane view. The left pane shows you Hives, similar to folders, while the right side shows you Keys and their Values, similar to files. To make any modifications to the Registry you’ll need to have administrative rights to the local PC.
Windows Registry is basically a centralized database that stores and manages all of the configuration settings for all the hardware, software, users and preferences for the PC. Think of it as the DNA of Windows. The Registry is VERY IMPORTANT to the proper functioning of Windows, and modifications to it could result in Windows becoming unstable or unusable. Therefore, we’ll create a Registry backup before we continue, just to be safe.
Click on the Computer at the top of the left pane. Now on the Menu bar, click File > Export… and select a location to save the Registry to. Give it a name and press Save. The Registry will now be exported, and we’re ready to proceed. Should you need to restore the Registry, simply select File > Import…, and navigate to the file you exported. Select it and press Open to begin the Registry restoration.
Disable the USB Flash Drive
To disable the USB flash drive, move to the left pane of the Registry and expand the Hives in this order:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and select USBSTOR
Now, look in the right pane and you should see a Key labeled Start. Double-click it and a window will open. Change the Value Data to 4 to disable the flash drive. Click OK, close the Registry and reboot the computer for the changes to take effect.
To re-enable the USB Flash Drive, change the value to 3.
To disable the CD/DVD-ROM drive, follow the same steps as before. However, instead of selecting the USBSTOR Hive, you’re going to select the CDROM Hive. Like before, double-click on the Start key and change the Value Data to 4 to disable the CD/DVD-ROM and 3 to re-enable it.
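The same change scripted in PowerShell, for checking or applying it on each of a handful of PCs. This is an added example, not part of the original article; the parameter names and the backup folder are assumptions, and it must be run from an elevated prompt.

```powershell
# Added example (not from the original article): audit or set the Start value
# of the USBSTOR and cdrom service keys. Run elevated; reboot after a change.
param(
    [ValidateSet('Audit', 'Disable', 'Enable')]
    [string]$Mode = 'Audit',                           # default only reports
    [string[]]$Services = @('USBSTOR', 'cdrom'),
    [string]$BackupDir = "$env:SystemDrive\RegBackup"  # assumed backup folder
)

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$wanted = @{ Disable = 4; Enable = 3 }                 # values from the article

foreach ($svc in $Services) {
    $key = Join-Path $base $svc
    if (-not (Test-Path $key)) {
        Write-Warning ('{0}: service key not found, skipped' -f $svc)
        continue
    }
    $before = (Get-ItemProperty -Path $key -Name Start -ErrorAction Stop).Start
    $after  = $before

    if ($Mode -ne 'Audit' -and $before -ne $wanted[$Mode]) {
        # Export just this key first so the change can be rolled back.
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $file = Join-Path $BackupDir ('{0}-{1:yyyyMMdd-HHmmss}.reg' -f $svc, (Get-Date))
        & reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$svc" $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $svc failed; nothing changed." }

        Set-ItemProperty -Path $key -Name Start -Value $wanted[$Mode] -Type DWord
        $after = (Get-ItemProperty -Path $key -Name Start).Start
    }

    # One row per service: the value found and the value left in place.
    [pscustomobject]@{
        Service  = $svc
        Before   = $before
        After    = $after
        Disabled = ($after -eq 4)
    }
}
```

Run it without arguments to report the current state; a machine that reports 3 after you set it to 4 has had the value changed back.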
While disabling these devices will stop users from installing applications and removing data using physical media, users will still be able to circumvent these restrictions by using online services and downloadable applications. This is just a first step.
For true protection, you need to add stronger security measures. Make sure employee user accounts have the appropriate rights to access only the data they need. If they need to access files over the weekend, set up a remote desktop or VPN solution. To prevent data from being uploaded to online storage services, look into a proxy server.
Remember, there is no single, all-encompassing security solution. Security works best when it’s implemented in layers. The more you have, the safer you are.
Ronald Pacchiano is a contributing writer for SmallBusinessComputing.com.