
Good day, dear Habr reader. I work at a university, in a computer lab, where we administer about a hundred computers. We ran into the problem of protecting against autorun viruses on flash drives. Naturally, we have disabled autorun in Windows, but we also needed to protect the flash drives themselves, so that an employee who plugs a work flash drive into a home computer does not infect it. The solution is below the cut.
Before you begin ...
Dear users, the following steps were performed on Microsoft Windows XP; on other operating systems the process may differ. I would also like to note that the author is not responsible for any equipment damaged as a result of the following steps.
Preparation.
To carry out the plan, we need to format the flash drive as NTFS. I know of several ways to do this; for me, the easiest is to use Acronis Disk Director.
After starting Disk Director, you will see a list of the disks connected to your system. Find the flash drive in this list, right-click it and select "Delete partition"; in the new window leave everything as it is (the options make no real difference here). Then right-click the disk again and select "Create partition". In the "Create partition" window select:
- File system: NTFS.
- Create as: Primary partition.

Now click the “Checkbox” icon and click “Proceed” in the window that appears. After the changes are applied, restart the computer.
The flash drive can also be formatted in a simpler way, suggested by user maxshopen:
Start → Run → cmd →
convert f: /FS:NTFS <- use this if the data on the flash drive is needed and there is nowhere to save it
or
format f: /FS:NTFS <- use this if the data is not needed
Configuration.
So, the drive is ready to be configured. Open the flash drive and create a directory in its root that will hold the data; I called it “DATA”. Right-click the new directory, go to the "Security" tab, then click the "Advanced" button. Here, clear the checkbox “Allow inheritance of permissions from the parent object to this ...”, click “Copy” in the dialog that appears, then click “OK” in both windows. Copying the permissions keeps DATA writable once the root is locked down. Now go to the “Security” tab of the root directory of the drive and configure the permissions as follows:
In the “Allow” column, leave only the following items checked:
- Read & Execute
- List Folder Contents
- Read
In the "Deny" column, check the "Write" item and click "Yes" in the dialog that appears.

That's all. As a result, we get a flash drive on which Autorun cannot register itself. In exchange we sacrifice a small share of performance, the ability to write to the root directory of the drive and, of course, the ability to use the "Send To" menu to copy data to the drive.
Possible problems and their solution.
After formatting the drive in NTFS, it is not visible in the system.
Right-click "My Computer", select "Manage", and in the window that appears go to "Disk Management". Then right-click the flash drive and select "Change Drive Letter and Paths". Choose a letter and click "OK".
Fortunately or unfortunately, I have not found any other problems. If you run into one, write to me and we will try to solve it.
Disable autorun.
In all editions except XP Home Edition: Start → Run → gpedit.msc → Computer Configuration → Administrative Templates → System → Turn off Autoplay (select where to disable it). Then apply the new policy with the gpupdate command in the console.
XP Home lacks the Group Policy snap-in, but the same effect can be achieved by editing the registry manually:
1) Start → Run → regedit
2) Open the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies branch
3) Create a new key
4) Rename the created key to Explorer
5) In this key, create the value NoDriveTypeAutoRun
Valid values are:
0x1 - disable autorun on unknown drive types
0x4 - disable autorun of removable devices
0x8 - disable autorun of fixed (non-removable) drives
0x10 - disable autorun of network drives
0x20 - disable autorun CD-drives
0x40 - disable autorun RAM-disks
0x80 - disable autorun on unknown drive types
0xFF - disable autorun in general of all disks.
Values can be combined by summing their numeric values.
Default values:
0x95 - Windows 2000 and 2003 (autorun of removable, network and unknown drives is disabled)
0x91 - Windows XP (autorun of network and unknown drives is disabled)
Comment: by default, XP Home does not have this value (nor the Explorer key itself), which is why its creation is described above. In other versions there is no need to create it; it already exists and only needs to be changed.
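The registry steps above as a script (an added example, not part of the original article): it reads NoDriveTypeAutoRun, lists the drive types for which autorun is still enabled, and sets the removable-drive bit with a bitwise OR. It assumes an administrator PowerShell prompt and that a missing value means the article's XP default of 0x91 is in effect; the function names are made up for this example.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell prompt.
$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Name = 'NoDriveTypeAutoRun'
$XpDefault = 0x91   # assumption: mask in effect when the value is absent (the article's XP default)

# Bit meanings as listed in the article.
$DriveBits = @(
    @{ Bit = 0x01; Type = 'unknown' },
    @{ Bit = 0x04; Type = 'removable' },
    @{ Bit = 0x08; Type = 'fixed' },
    @{ Bit = 0x10; Type = 'network' },
    @{ Bit = 0x20; Type = 'CD-ROM' },
    @{ Bit = 0x40; Type = 'RAM disk' },
    @{ Bit = 0x80; Type = 'unknown (0x80)' }
)

function Get-AutoRunMask {
    # Returns the stored DWORD, or $null when the key or value does not exist (the XP Home case).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-AutoRunEnabledTypes([int]$Mask) {
    # Drive types whose bit is clear, i.e. autorun is still allowed for them.
    $DriveBits | Where-Object { ($Mask -band $_.Bit) -eq 0 } | ForEach-Object { $_.Type }
}

function Add-AutoRunBits([int]$Mask, [int]$Extra) {
    # OR instead of addition: 0x95 + 0x04 = 0x99 would clear the removable bit and set the fixed bit.
    return ($Mask -bor $Extra)
}

$stored = Get-AutoRunMask
if ($null -eq $stored) { $current = $XpDefault } else { $current = $stored }
$enabled = (Get-AutoRunEnabledTypes $current) -join ', '
'Current mask: 0x{0:X2}; autorun still enabled for: {1}' -f $current, $enabled

$wanted = Add-AutoRunBits $current 0x04    # additionally block removable drives (flash drives)
if ($wanted -ne $stored) {
    # Create the Explorer key only if it is missing, then write the DWORD value.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $wanted -Force | Out-Null
    'Wrote 0x{0:X2}' -f $wanted
}
```

Summing the values, as described above, gives the right result only when the bit being added is not already set, which is why the script uses -bor.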
It is also useful to browse the Microsoft Resource Kit website.