Stopping Reading of I/O Devices on WinXP-SP1 System

[Win User]

We want to make the I/O devices, which include all USB connectors and the
CD/DVD drive as WRITE-ONLY, or rather that they can only read data from the
computer, and not be allowed to write to the system. I think this can be
done, either using software or setting values in the Windows registry, but
I am not positive.

It would also be good if I can set up a script or use software that turns on
and off the ability to restore the 'I' in the I/O of these devices at will.
(This program or script would not be known to anyone else.)

===============================================
MORE INFORMATION FOR THOSE PROPOSING SOMETHING ELSE

We have PCs that are connected to advanced scientific instruments (namely,
mass spectrometers).

The software that acquires the data (and also provides processing) is
validated on for use on WinXP SP1.

Experience has repeatedly shown that attempting to use later Win sys
environment versions (service pack updates included) causes the application
software for the instruments to crash or have other problems.

Moreover, we cannot install anti-virus software either as this is not
validated and it seems to cause problems as well.

But we have users who need to get the data they acquired from the advanced
instruments.

The problem is that too many of them stick their virus/trojan/malware-
infected USB memory sticks to get it. We can tell them to check their USB
stick drives in another machine with anti-virus software, but they don't
always do it (and they cannot be policed). In addition they claim that they
have antivirus software on their own system and they believe in it (or why
would they use it?), although everyone uses a different antivirus app.

I have asked that a network be set up with these PCs to a central host with
a server that allows them to transfer data to the central host, and then
they can connect to the central host from their own computers and retrieve
the data. But the pinheads put in charge of setting up networks either lack
the knowledge, ability or resources to set it up.

I want to set up this alternative.

 

[Paul]

We want to make the I/O devices, which include all USB connectors and the
CD/DVD drive as WRITE-ONLY, or rather that they can only read data from the
computer, and not be allowed to write to the system. I think this can be
done, either using software or setting values in the Windows registry, but
I am not positive.

It would also be good if I can set up a script or use software that turns on
and off the ability to restore the 'I' in the I/O of these devices at will.
(This program or script would not be known to anyone else.)

===============================================
MORE INFORMATION FOR THOSE PROPOSING SOMETHING ELSE

We have PCs that are connected to advanced scientific instruments (namely,
mass spectrometers).

The software that acquires the data (and also provides processing) is
validated on for use on WinXP SP1.

Experience has repeatedly shown that attempting to use later Win sys
environment versions (service pack updates included) causes the application
software for the instruments to crash or have other problems.

Moreover, we cannot install anti-virus software either as this is not
validated and it seems to cause problems as well.

But we have users who need to get the data they acquired from the advanced
instruments.

The problem is that too many of them stick their virus/trojan/malware-
infected USB memory sticks to get it. We can tell them to check their USB
stick drives in another machine with anti-virus software, but they don't
always do it (and they cannot be policed). In addition they claim that they
have antivirus software on their own system and they believe in it (or why
would they use it?), although everyone uses a different antivirus app.

I have asked that a network be set up with these PCs to a central host with
a server that allows them to transfer data to the central host, and then
they can connect to the central host from their own computers and retrieve
the data. But the pinheads put in charge of setting up networks either lack
the knowledge, ability or resources to set it up.

I want to set up this alternative.

Make them burn a CD with the files needed. Equip the machine with a CD/DVD burner.
Put spindles of blank CDs next to the mass spec machines. Include labeling materials
next to the machine, so the users can attach a visible label to the CD. (LightScribe
would take too long, unless the labels were tiny strips.)

Place a sign next to the machine, that *only* blanks are to be inserted
into the machine. If only blanks are inserted, there will be no infected files
for Windows to read.

If you need burner software, try a copy of Imgburn.

Plug all the USB holes.

*******

While there is a procedure for disabling Autoruns here, with your constraints,
this might not work.

http://support.microsoft.com/kb/967715

*******

You could also investigate using Windows SteadyState for securing
the operating system. SteadyState includes options for throwing
away changes between sessions. If a machine "became infected", a
reboot might be sufficient to clear it up. SteadyState has various
policies you can set up, in terms of saving changes or not.
SteadyState is supposed to be no longer available for download.

http://en.wikipedia.org/wiki/SteadyState

There would also be commercial equivalents to that, used for Internet
Cafes or for usage at the library. Our local public library has some
sort of software installed, to purge the machines between logins.
Ask your librarian, what software they use to secure the public PCs.

Paul

 

[Loren Pechtel]

We want to make the I/O devices, which include all USB connectors and the
CD/DVD drive as WRITE-ONLY, or rather that they can only read data from the
computer, and not be allowed to write to the system. I think this can be
done, either using software or setting values in the Windows registry, but
I am not positive.

It would also be good if I can set up a script or use software that turns on
and off the ability to restore the 'I' in the I/O of these devices at will.
(This program or script would not be known to anyone else.)

===============================================
MORE INFORMATION FOR THOSE PROPOSING SOMETHING ELSE

We have PCs that are connected to advanced scientific instruments (namely,
mass spectrometers).

The software that acquires the data (and also provides processing) is
validated on for use on WinXP SP1.

Experience has repeatedly shown that attempting to use later Win sys
environment versions (service pack updates included) causes the application
software for the instruments to crash or have other problems.

Moreover, we cannot install anti-virus software either as this is not
validated and it seems to cause problems as well.

But we have users who need to get the data they acquired from the advanced
instruments.

The problem is that too many of them stick their virus/trojan/malware-
infected USB memory sticks to get it. We can tell them to check their USB
stick drives in another machine with anti-virus software, but they don't
always do it (and they cannot be policed). In addition they claim that they
have antivirus software on their own system and they believe in it (or why
would they use it?), although everyone uses a different antivirus app.

I have asked that a network be set up with these PCs to a central host with
a server that allows them to transfer data to the central host, and then
they can connect to the central host from their own computers and retrieve
the data. But the pinheads put in charge of setting up networks either lack
the knowledge, ability or resources to set it up.

I want to set up this alternative.

It's not possible. You can't possibly write to a device without first
reading it--you have to know what the directory looks like to know
where to write the new data!

Disabling autorun will help the situation as at least they would have
to run the infected file manually.

Can you run something like DeepFreeze? Let them infect the machine
but it will be automatically disinfected on reboot. Note that this
isn't selective, it reverts *ALL* changes made to the disk.

 

[Davej]

But we have users who need to get the data they acquired from the advanced
instruments.

How much data?

What if you had a secure pc running 64bit Windows 7 with anti-virus
sitting next to the XP SP1 pc. If you connected the two with a network
cable I wonder if you could use file sharing and remain secure? The XP
SP1 pc would have no other access ports.

 

[Loren Pechtel]

How much data?

What if you had a secure pc running 64bit Windows 7 with anti-virus
sitting next to the XP SP1 pc. If you connected the two with a network
cable I wonder if you could use file sharing and remain secure? The XP
SP1 pc would have no other access ports.

It wouldn't even need to be 64 bit.

 

[Win User]

How much data?

What if you had a secure pc running 64bit Windows 7 with anti-virus
sitting next to the XP SP1 pc. If you connected the two with a network
cable I wonder if you could use file sharing and remain secure? The XP
SP1 pc would have no other access ports.

This is consistent with my description in the next to the last paragraph that
a "buffer" or "intermediate" computer should be set up in a network with
these instrument computers, and that the instrument hosts be able to write
the data files to the buffer host, and that the users connect to the buffer
host with read-only access to retrieve the data files.

 

[Davej]

It wouldn't even need to be 64 bit.

No not really but I think I've read that the 64-bit version has extra
security features. For example the 64-bit version absolutely refuses
to run unsigned drivers.

I also stumbled across this as a possible stopgap measure you might
try...

http://elechub.com/always-disable-usb-autorun-complete-virus-protection/