Solved: lock pen drive - not with registry

[night-fury]

Hi,

We have to give a few people, a USB drive which will act as key to boot the system encrypted with bitlocker. (USB is being used since the systems do not have TPM module).

Is there a way to lock the pen drive(s) so that nothing can be copied onto the drive (apart from already copied bitlocker key) not only in their system but any system they connect the pen drive to. I can disable write access in their systems via registry or symantec etc but they can always use it in some home system etc for other work. I want that taken care of.

Please guide.

 

[DaveBurnett]

You can buy USB sticks that have a physical lock/unlock switch on them so I would imagine that you could lock them and remove the switch.
I also think you can buy USB keys that need special equipment to write to them.

 

[night-fury]

I agree, but unfortuanately, my office already ordered the pen drives. Can't get the order changed. But thanks for getting back on this. I will keep looking for more options though.

 

[DaveBurnett]

I believe you can get tools to change the firmware in USB drives. I seem to remember that certain viruses make use of it.

 

[20_2_Many]

Maybe this can work for you?

After loading all you need on the USB flash drive

For each USB drive - run Command as Administrator.
At prompt enter DISKPART
At prompt enter LIST DISK
(Now Identify which disk is your USB Drive - Usually Disk 1)
At prompt enter At prompt enter SELECT DISK 1
At prompt enter ATTRIBUTES DISK SET READONLY

The USB flash drive is now a Read Only device

Not perfect - but it is something....

 

[night-fury]

Thanks 20_2_Many. Sounds kool. I will try this and let you know.

 

[DaveBurnett]

Be very careful with that.
If you accidentally choose your own hard drive you could be in trouble

 

[night-fury]

Be very careful with that.
If you accidentally choose your own hard drive you could be in trouble

very true

i was careful though. I did try with DISK PART but to no good. even though its says Disk attributes set successfully, I can still write to the pen drive. here is what I did.

C:\Windows\System32>diskpart

Microsoft DiskPart version 6.1.7601
Copyright (C) 1999-2008 Microsoft Corporation.
On computer: TEST-PC

DISKPART> list disk

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 3836 MB 0 B

DISKPART> select disk 1
Disk 1 is now the selected disk.

DISKPART> attribute DISK SET readonly
Disk attributes set successfully.

DISKPART> ATTRIBUTES DISK
Current Read-only State : Yes
Read-only : Yes
Boot Disk : No
Pagefile Disk : No
Hibernation File Disk : No
Crashdump Disk : No
Clustered Disk : No

 

[DaveBurnett]

I thought that would be the case. That trick will only work when the USB drive is emulating a hard drive (which is not the most common).
Most drives emulate superfloppy or zip drives or even just floppy drives.

Look for a utility called BOOTIT and if the device can be changed to allow that trick, that tool will do it.

 

[20_2_Many]

Sorry it did not work for you. I have never had it not work.
The only time it came close to not working was having an explorer window open, showing the system drives, when I ran the commands. The readonly attribute was set on the USB, but in that open explorer window I could still write to it. Closing and reopening explorer did read the attribute and it could not be written to.
If you need that attribute cleared, use ATTRIBUTES DISK CLEAR READONLY
Good luck

 

[night-fury]

Sorry it did not work for you. I have never had it not work.
The only time it came close to not working was having an explorer window open, showing the system drives, when I ran the commands. The readonly attribute was set on the USB, but in that open explorer window I could still write to it. Closing and reopening explorer did read the attribute and it could not be written to.
If you need that attribute cleared, use ATTRIBUTES DISK CLEAR READONLY
Good luck

You are absolutely right. This was the catch. I was checking in the same explorer windows. I closed it and opened a fresh window but still could not write. However, then I removed the pen drive and reinserted. This did the trick. It became read only. Even the 'New' option in right click menu (for creating new files like notepad, word, excel) also disappeared !!

Thanks for your help. Appreciate it.