
Removable storage

Controlling access to removable storage, such as USB devices, will help make your network environment more secure. This excerpt from The Definitive Guide to Securing Windows in the Enterprise covers some third-party tools for locking down these external, removable storage options.

The Definitive Guide to Securing Windows in the Enterprise

The following excerpt series from Chapter 2 of the free eBook "The Definitive Guide to Securing Windows in the Enterprise" (Realtimepublishers) is written by Don Jones. To obtain all eBook chapters from this guide, go to

Removable storage

Organizations have long sought to lock down removable media, a key means of introducing unwanted software into the environment and for removing confidential information from the environment. In the past, organizations might order computers without floppy drives or might restrict the use of optical media burners. However, removable media today is ubiquitous, with FireWire/IEEE1394 and USB devices making it easier for users to take data in and out of the environment without notice. Third-party tools currently provide the only reliable means of locking down these external, removable storage options.

Why bother locking down USB flash drives, for example? Because most removable media support only the FAT, FAT32, or CDFS file systems, none of which support security permissions. Thus, removable media not only represents an opportunity to introduce unwanted software and to remove confidential data but also ensures that any data removed from the environment will be completely unsecured. Although some removable media offers security options such as encryption, there is no centralized means of enforcing the use of such features, making it less likely that users will do so.

SecureWave Sanctuary is designed for device access control. Devices are categorized -- digital cameras (which have onboard storage), optical burners, smart card readers, flash drives, and so forth -- and, by default, disabled. You can "white list" allowed devices, such as scanners or modems, and leave all other devices disabled. Users are unable to install the devices under Windows, meaning they are unable to use disallowed devices to bring data in or out of the environment. Device access can be granted on a temporary, per-user basis if necessary. You can even allow optical drives to function, but provide a list of allowable media, ensuring that users can run authorized software but not introduce new software into the environment.

A similar package is GFI LANguard Portable Storage Control (PSC), which focuses exclusively on portable storage such as USB flash drives. It addresses almost all forms of portable storage, including flash drives, MP3 players and smartphones, digital cameras, CDs, floppies, and so forth. As Figure 2.15 shows, device permissions can be mapped to AD groups, helping to minimize security management overhead. For example, you might create groups that represent allowed devices, then simply add users to the groups on an as-needed

Figure 2.15: Restricting access to devices.

Don't forget all the ways in which data can leave a computer or enter it. Your network is one obvious way, but that's something you can control. Any portable device with memory -- such as a digital camera -- is a possibility. Also keep in mind Bluetooth- and infrared-accessible devices, such as PDAs and smart phones, and be sure to control them appropriately.

Controlling access to removable storage will help make your environment more secure by reducing the ways in which information can leave your network and reducing the ways in which unwanted software can enter your network.
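Windows versions released after this chapter was written added built-in "Removable Storage Access" policies that express the same per-class deny model the tools above implement. The following PowerShell audit is an added example, not code from the eBook or from either vendor; it assumes Windows Vista or later, Windows PowerShell 5.1, an elevated session, and that the GUID-to-class labels in the table (taken from the policy template) are correct, with unrecognised GUIDs reported raw.

```powershell
# Added example (not from the eBook): audit the built-in Windows removable-storage controls on this machine.
# Assumes Windows Vista or later, Windows PowerShell 5.1, and an elevated session for the HKLM policy keys.
function Get-RemovableStorageLockdown {
    # 1. USBSTOR driver service: Start = 4 means the USB mass-storage driver is disabled outright.
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue
    $usbstorDisabled = [bool]($svc -and $svc.Start -eq 4)

    # 2. Group Policy "Removable Storage Access": each device class is a GUID subkey holding
    #    Deny_Read / Deny_Write / Deny_Execute; Deny_All on the root key blocks every class at once.
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $classNames = @{   # labels assumed from the RemovableStorage policy template
        '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' = 'Removable Disks'
        '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}' = 'CD and DVD'
        '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}' = 'Floppy Drives'
        '{6AC27878-A6FA-4155-BA85-F98F491D4F33}' = 'WPD Devices (cameras, phones, media players)'
        '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}' = 'WPD Devices (cameras, phones, media players)'
    }
    $classState = @()
    if (Test-Path $policyRoot) {
        if ((Get-ItemProperty -Path $policyRoot).Deny_All -eq 1) {
            $classState += [pscustomobject]@{ Class = 'All classes'; Read = 'Denied'; Write = 'Denied'; Execute = 'Denied' }
        }
        foreach ($sub in Get-ChildItem -Path $policyRoot) {
            $p = Get-ItemProperty -Path $sub.PSPath
            $label = if ($classNames.ContainsKey($sub.PSChildName)) { $classNames[$sub.PSChildName] } else { $sub.PSChildName }
            $classState += [pscustomobject]@{
                Class   = $label
                Read    = if ($p.Deny_Read -eq 1)    { 'Denied' } else { 'Allowed' }
                Write   = if ($p.Deny_Write -eq 1)   { 'Denied' } else { 'Allowed' }
                Execute = if ($p.Deny_Execute -eq 1) { 'Denied' } else { 'Allowed' }
            }
        }
    }

    # 3. USB mass-storage devices attached right now (PnP instance IDs begin with USBSTOR\).
    $attached = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } | Select-Object -ExpandProperty FriendlyName

    [pscustomobject]@{
        UsbstorDriverDisabled = $usbstorDisabled
        PolicyConfigured      = [bool](Test-Path $policyRoot)
        ClassRestrictions     = $classState
        AttachedUsbStorage    = @($attached)
    }
}

$state = Get-RemovableStorageLockdown
if (-not $state.UsbstorDriverDisabled -and $state.ClassRestrictions.Count -eq 0) {
    Write-Warning 'No removable-storage restriction found: USBSTOR is enabled and no Removable Storage Access policy is set.'
}
$state | Format-List
```

Run it on a sample of workstations to find machines where neither the driver nor the policy restricts removable disks; a machine reporting attached USB storage with every class Allowed is exactly the unmanaged exit path the chapter warns about.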
