Open a backdoor for your USB flash drive"

Open a backdoor for your USB flash drive"

Text/figure: Pete

In the previous article "Vista security first, completely disable USB", we talked about how to disable a USB device in the Vista system. After the configuration is performed according to that method, the system treats all removable storage devices equally ". However, this setting is inconvenient, because it cannot be used if you have a mobile storage device. So how can we allow the system to use only one USB device? In the Vista system, the "Group Policy" contains a project restricted by the "hardware ID". The hardware IDs of different USB devices are different, just like ID cards, we can use the "hardware ID" to make the USB flash drive available. Other USB flash drives cannot be used.

1. Obtain the hardware ID

Step 1 insert our USB flash drive into the system and confirm that the system has correctly recognized the USB flash drive and can be used properly. Go to the control panel and double-click the Device Manager ".

Step 2 in "Device Manager", expand the "portable devices" list to find your USB flash drive name. Right-click the USB flash drive name and choose Properties ".

Step 3 switch to the "details" tab in the "properties" panel, and select "hardware ID" in the "properties" drop-down box of the device ", in this case, a string consisting of letters, numbers, and special characters is displayed in the value column. This is the hardware ID of the USB flash drive.

Step 3 Right-click the hardware ID and select copy to copy the hardware ID to the clipboard (1 ).

Tip: The general hardware ID starts with "gendisk, USBCOMPOSITE, USBClass_ff". If your hardware ID contains multiple strings, the string starting with this form should be preferred.

Figure 1 copy hardware ID 252651

The hardware ID of the USB flash drive is not enough. We also need to copy the hardware ID in "Universal Serial Bus Controller. In the Device Manager, expand the general serial bus controller list and find the corresponding device. For example, the USB flash drive corresponds to the USB large capacity storage device ". Of course, this is not absolute. For example, digital cameras and other devices with storage functions may also correspond to "USB large-capacity storage devices". Therefore, if you cannot properly limit the value after setting, you can obtain the hardware ID of another device and try again (figure 2 ).

Figure 2. Find the device

2. Set by hardware ID

Step 1 go to "Group Policy" and expand "Computer Configuration"> "management template"> "system"> "device installation"> "device installation restrictions ".

Step 2 double-click "Allow installation of devices that match the following device IDs" and add your own USB flash drive hardware ID (3 ).

Figure 3. add your own USB flash drive ID

In this way, only our USB flash drives can be used in the system, and other USB flash drives will flash. When someone inserts another USB flash drive into the system, the system will prompt "installing the device driver software". After a while, the system will pop up "installation is forbidden by policy ", this indicates that the USB flash drive has been successfully disabled (4 ).

Figure 4 installation prohibited by policy 252652

Set a rejection prompt

In this way, if the USB flash drive of another user is prohibited from connecting to the system, after inserting the USB flash drive, the result is simply a simple message: "the installation is forbidden by the policy ", I believe few people know what this is about. To prevent others from cracking their computers so hard to connect to the system after countless attempts, let's give them a small tip.

Step 1 is also in "device installation restrictions", double-click to open "display custom information (balloon title) when the policy blocks installation )".

Step 2 select "enabled" in "Settings", and enter the text you want to see in "Enter the text you want the user to see", for example, enter "Haha, see how you can use it! ".

In this way, when someone inserts a USB flash drive into the system, it will no longer be a dry saying "installation is forbidden by policy". What we see is what we set: "Haha, see how you can use it!" (5 ). Although it is just a simple joke, it is enough to let others know that this USB flash drive is forbidden.

Figure 5 pop-up message 252653

Finally, do not provide the Administrator account to others, because anyone with the Administrator permission can reset the "Group Policy" to cancel the restriction, that is to say, the previous effort is hard work. Therefore, to implement such restrictions on removable storage devices, the premise is that only one "user" account is assigned to others.