USB Virus Prevention using Software Restriction Policies in XP Pro

Summary

This paper describes how to set up a Windows XP security policy that very effectively prevents viruses on USB "Handy Drives" (USB flash drives) from infecting your computer. It does not address how to prevent your USB "Handy Drive" from becoming infected with (and thus becoming a carrier of) viruses that can spread to other computers. But should your USB "Handy Drive" become infected, the virus would not infect your computer if your Windows XP has this policy in place. The strategy is to apply "Software Restriction Policies" that prohibit any "running" of programs directly from USB. Since no program on USB can be run, any virus that might be on a USB drive cannot infect your computer. Not directly, that is: our strategy does nothing to prevent, for example, accidentally copying a virus-infected program from USB to the hard disk and infecting the computer by running the copy. But a USB virus is prevented from being run "automatically." Please note that you must be logged in as a member of the Administrators group to set these policies. The "Software Restriction Policies" facility is rather powerful; we present only one aspect of it. Specifically, we use the "Path Rule." Other methods the facility provides are the "Certificate Rule," "Hash Rule," and "Internet Zone Rule." These and several other aspects of the facility are outside the scope of this paper. Please refer to Microsoft's documentation if you need to do more than is presented here.

Overview

Software restriction policy provides administrators with a way to identify software and control its ability to run on local computers. This tool can help protect computers that run Microsoft® Windows® XP Professional against known conflicts and safeguard them against malicious software such as viruses and Trojan horse programs. Software restriction policy integrates fully with the Active Directory® directory service and Group Policy. You can also use it on stand-alone computers.


Part One -- Step-by-step Procedure

• Identify the drive letters that USB devices are assigned. In our example computer, drive letters C:\ and D:\ are assigned to hard disks and drive letter E:\ is assigned to the CD-ROM drive. This example computer has 4 USB ports. Therefore, the drive letters that can be assigned to USB devices are:-
F:\
G:\
H:\
I:\


We now set policy to prohibit running programs directly from these drive letters ...
• click: start > run... type: secpol.msc click: ok
• select: Software Restriction Policies click: Action > New Software Security Policies

• expand: Software Restriction Policies select: Additional Rules click: Action > New Path Rules...
• type: F:\ click: ok
• Repeat the above procedure until all USB drive letters have been added.
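The clicks above create one "Disallowed" path rule per drive letter. As an added example that is not part of the original post, the following Windows PowerShell script creates the same rules by writing the registry entries that the secpol.msc "New Path Rule..." dialog writes (under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers; security level 0 is Disallowed). It assumes that the policy object was already created in secpol.msc (the "New Software Security Policies" step above), that you run it as a local Administrator, and that Windows PowerShell is installed, which on XP is an optional download. The function name Add-UsbPathRule and the rule description are this example's own choices. It goes a little beyond the post by refusing to add a second rule for a letter that already has one, so it is safe to re-run.

```powershell
# Added example (not from the original post): create "Disallowed" SRP path rules
# for a list of drive letters by writing the registry entries secpol.msc writes.
# Assumes: SRP policy object already exists, run as Administrator, PowerShell installed.

$SaferRoot       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$DisallowedLevel = '0'    # SRP security level Disallowed (Unrestricted is 262144)

function Add-UsbPathRule {
    param(
        [Parameter(Mandatory = $true)][string[]] $DriveLetters,      # e.g. 'F','G','H','I'
        [string] $Description = 'Block programs running directly from USB drives'  # hypothetical text
    )

    if (-not (Test-Path $SaferRoot)) {
        throw 'No Software Restriction Policy exists yet. Create one in secpol.msc first.'
    }

    $pathsKey = Join-Path $SaferRoot "$DisallowedLevel\Paths"
    if (-not (Test-Path $pathsKey)) { New-Item -Path $pathsKey -Force | Out-Null }

    foreach ($letter in $DriveLetters) {
        $root = '{0}:\' -f $letter.TrimEnd(':', '\').ToUpperInvariant()

        # Skip letters that already have a Disallowed rule so the script can be re-run.
        $existing = Get-ChildItem -Path $pathsKey -ErrorAction SilentlyContinue |
            Where-Object { (Get-ItemProperty -Path $_.PSPath).ItemData -eq $root }
        if ($existing) { Write-Host "Rule for $root already present"; continue }

        # Each path rule is a subkey named by a fresh GUID in braces, as the GUI does.
        $ruleKey = Join-Path $pathsKey ([guid]::NewGuid().ToString('B'))
        New-Item -Path $ruleKey -Force | Out-Null
        New-ItemProperty -Path $ruleKey -Name 'ItemData'     -Value $root        -PropertyType ExpandString | Out-Null
        New-ItemProperty -Path $ruleKey -Name 'SaferFlags'   -Value 0            -PropertyType DWord        | Out-Null
        New-ItemProperty -Path $ruleKey -Name 'Description'  -Value $Description -PropertyType String       | Out-Null
        New-ItemProperty -Path $ruleKey -Name 'LastModified' -Value ([DateTime]::UtcNow.ToFileTime()) -PropertyType QWord | Out-Null
        Write-Host "Added Disallowed rule for $root"
    }
}

# The four letters of the example computer in this post:
Add-UsbPathRule -DriveLetters 'F', 'G', 'H', 'I'
```

After running it, open secpol.msc > Software Restriction Policies > Additional Rules and confirm that the four drive letters appear with security level Disallowed; the rules take effect for programs started after the policy is written, so a program that is already running from USB is not stopped.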

Part Two -- How will the Computer Act Differently?

Case One
If you primarily use your USB drive to carry documents such as Word, PowerPoint and PDF files, photographs, songs, and the like, then there will be no difference in your day-to-day use of your computer, unless your USB drive has become infected. If a virus-infected USB drive is attached to your computer, Software Restriction Policies will protect your computer. If you see a pop-up error message similar to the one shown here, it usually means that the USB drive has a virus on it and that the virus attempted to infect your computer. Taking a closer look at the error message, notice that "autorun.inf" was prevented by Software Restriction Policies from being opened. Most, but not all, USB viruses try to infect computers by way of the autorun.inf facility. You should ask a computer technician to clean the USB drive for you.


Case Two
If you carry programs on your USB drive, such as the Acrobat Reader installer, games or other software, you will likely see more pop-up messages. Any time you attempt to run a program directly from your USB drive, Software Restriction Policies will prevent you from doing so. Software Restriction Policies cannot tell the difference between a virus and a regular, useful program; it prevents both kinds of program from running. For example, in the pop-up message shown above, "games\Solitaire.exe" was blocked. If you are sure that this is a good program and want to run it, you will have to copy it to the hard disk and run the copy from the hard disk instead.

As a rule of thumb:-
1. If you see the pop-up message when you did not intend to run a program, chances are that Software Restriction Policies blocked a virus. For example, when you double-click on a USB drive letter, your intention is to view the contents of the USB drive, not to run a program. In this case your USB drive is probably virus-infected.
2. If you see the pop-up message when you indeed wanted to run a program, there is a good chance that it is safe to copy the program to the hard disk and run the copy.
3. If you are not totally sure, it is best to ask a computer technician.


Conclusion to Part Two
With Software Restriction Policies in place, no programs are allowed to run directly from USB drives. This prevents any virus that may be on the USB drive from "automatically" infecting your computer.
You are not prevented, however, from copying programs from the USB drive to the hard disk and then running them. Caution must be taken if you choose to do this. If the program that you copy to the hard disk and run is infected with a virus, your computer can still be infected, despite Software Restriction Policies being in place.


Part Three -- What is a Program? What is a Document?


Generally speaking, programs are files whose names end with .exe, .vbs, .dll and several other extensions. Documents are, generally, those that end in .pdf, .doc, .jpg, etc.
Software Restriction Policies maintains a list of which "file name endings" (file extensions) are considered to be programs; this list is called Designated File Types. Policies are applied only to files with these extensions. Any attempt to "open" a file with one of these extensions from a restricted drive will be prohibited.
It is possible to customize this list. If you need to do so, then:-
run: secpol.msc select: Software Restriction Policies right-click: Designated File Types > Properties
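To see how the two pieces described in Parts Two and Three fit together (the Designated File Types list decides whether a file counts as a program, and the Disallowed path rules decide whether it may be opened), here is an added Windows PowerShell example that is not part of the original post. It reads the live policy from the registry and predicts, for a few constructed file paths, whether Software Restriction Policies would block them; autorun.inf is caught because INF is in the Designated File Types list, while a .doc file on the same drive is ignored. It assumes the rules from Part One exist, that Windows PowerShell is installed, and that only path rules are in use; the function names and the sample paths are this example's own. The real policy engine also evaluates hash, certificate and zone rules and prefers the most specific matching rule, which this read-only check does not model.

```powershell
# Added example (not from the original post): read the live SRP settings and
# predict whether opening a given file would be blocked by a Disallowed path rule.
# Simplified model: only Designated File Types are checked, only path rules apply.

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-DesignatedFileTypes {
    # ExecutableTypes is a REG_MULTI_SZ of extensions without the dot, e.g. EXE, INF, VBS, LNK.
    $props = Get-ItemProperty -Path $SaferRoot -ErrorAction Stop
    return @($props.ExecutableTypes | ForEach-Object { $_.ToUpperInvariant() })
}

function Get-DisallowedPathRules {
    # Security level 0 = Disallowed; each subkey under Paths holds one rule in ItemData.
    $pathsKey = Join-Path $SaferRoot '0\Paths'
    if (-not (Test-Path $pathsKey)) { return @() }
    Get-ChildItem -Path $pathsKey | ForEach-Object {
        [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path $_.PSPath).ItemData)
    }
}

function Test-SrpWouldBlock {
    param([Parameter(Mandatory = $true)][string] $FilePath)

    # Step 1: is this a "program" at all? Documents are never examined by the policy.
    $ext = [System.IO.Path]::GetExtension($FilePath).TrimStart('.').ToUpperInvariant()
    if (-not ((Get-DesignatedFileTypes) -contains $ext)) { return $false }

    # Step 2: does a Disallowed path rule cover the file or a folder above it?
    foreach ($rule in Get-DisallowedPathRules) {
        $prefix = $rule.TrimEnd('\') + '\'
        if ($FilePath.Equals($rule, [StringComparison]::OrdinalIgnoreCase) -or
            $FilePath.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Constructed sample paths mirroring the two pop-ups described in Part Two.
# With F:\ Disallowed, expected: autorun.inf and Solitaire.exe on F: are blocked,
# the .doc file is not a designated type, and the copy on C: is unrestricted.
$samples = 'F:\autorun.inf', 'F:\games\Solitaire.exe', 'F:\report.doc', 'C:\games\Solitaire.exe'
foreach ($p in $samples) {
    '{0,-26} blocked: {1}' -f $p, (Test-SrpWouldBlock -FilePath $p)
}
```

Running Get-DesignatedFileTypes on its own is also a quick way to review what the Designated File Types dialog currently contains before you customize it.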
