Computing in the real world

Real World Computing

Slipping through fingers

16th January 2008 [PC Pro]

USB drive safeguards in Vista

Assuming you can live with Vista's numerous other aggravations on a network, there exists a solution to the USB drive proliferation problem. Follow the instructions here to turn on device control and take a side-step into the brave new world of the command-line utilities supplied with Vista.

The first phase is all about Group Policy. Unlike under XP, there are facilities built directly into Vista that control storage devices at a usefully fine level of distinction. You can permit USB storage keys but disable writing to CDs, or vice versa, by creating the appropriate Group Policy settings. Doing this is a little easier than using Regedit, and just as with Regedit you can import and export Group Policies as rather verbose text files, which opens the door to reapplying such controls automatically via your login script every time someone connects to your network.

Simply type gpmc.msc and then navigate to Computer Configuration | Administrative Templates | System | Device Installation | Device Installation Restrictions, which is where you define what a user can and can't do according to the domain-based security groups they belong to, and what you say to them via customised bubble messages from the status bar if they try. None of this activity will do you any good if the Vista machine isn't a member of your domain, because, unlike in XP, Group Policies are strictly a domain-orientated platform.

Once you have a policy in place (and a domain container to associate it with), you can move on to the detailed business of black- or white-listing various types of USB key by way of the new-to-Vista command line interface to the Device Manager called devcon. I know that as soon as I mention a command-line utility, pretty much every savvy reader will want to jump right in and try to discover all its switches, and this indeed used to be a pretty useful strategy, at least until Microsoft started down the rocky path pioneered by VMS and Digital Equipment, the one that makes you so blasé about having to type "metadata cleanup select operation target" during the course of your regular daily chores. To prematurely terminate such inquiries into all the stuff you can do with devcon, the command you'll need to spot the exact device name of your preferred species of USB storage key for white-listing is devcon hwids usb*, which will give you a list of the USB objects your system has seen. From this list, you can copy the long and convoluted name your preferred company-standard USB key has been given back into the Group Policy you've set up as a permitted exception. There's an exhaustive treatment of what Vista does with removable storage at www.pcpro.co.uk/links/161networks3.
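
As an added example (not from the original article, and not Microsoft's code), the Python below parses the text that devcon hwids usb* prints and pulls out the VID&PID hardware IDs of mass-storage devices, the strings you would copy into the policy as permitted exceptions. The sample output is constructed, and the function names and the choice to drop the revision suffix are assumptions of this example.

```python
import re
# Constructed sample in the layout `devcon hwids usb*` prints (not a real capture).
SAMPLE = r"""USB\VID_1234&PID_ABCD\0123456789AB
    Name: USB Mass Storage Device
    Hardware IDs:
        USB\VID_1234&PID_ABCD&REV_0100
        USB\VID_1234&PID_ABCD
    Compatible IDs:
        USB\Class_08&SubClass_06&Prot_50
        USB\Class_08
USB\VID_5678&PID_0001\5&2F0E1D3C&0&1
    Name: USB Input Device
    Hardware IDs:
        USB\VID_5678&PID_0001&REV_6300
        USB\VID_5678&PID_0001
    Compatible IDs:
        USB\Class_03&SubClass_01&Prot_02
        USB\Class_03
2 matching device(s) found.
"""
VID_PID = re.compile(r"USB\\VID_[0-9A-F]{4}&PID_[0-9A-F]{4}", re.I)

def parse_devcon_hwids(text):
    """Split devcon output into one dict per device instance."""
    devices, section = [], None
    for line in text.splitlines():
        item = line.strip()
        if not item or item.lower().endswith("found."):
            continue                      # blank line or the trailing summary line
        if not line[0].isspace():         # unindented line starts a new device
            devices.append({"instance": item, "name": "", "hardware": [], "compatible": []})
            section = None
        elif not devices:
            continue                      # indented text before any device: ignore
        elif item.startswith("Name:"):
            devices[-1]["name"] = item[5:].strip()
        elif item in ("Hardware IDs:", "Compatible IDs:"):
            section = item.split()[0].lower()   # "hardware" or "compatible"
        elif section:
            devices[-1][section].append(item)
    return devices

def storage_allow_list(devices):
    """Model-level IDs (VID&PID, revision dropped) of mass-storage devices (USB class 08)."""
    allow = []
    for dev in devices:
        if any(c.upper().startswith("USB\\CLASS_08") for c in dev["compatible"]):
            allow += [h for h in dev["hardware"] if VID_PID.fullmatch(h) and h not in allow]
    return allow
```

Save the command's output to a file and pass its contents to parse_devcon_hwids. A VID&PID string identifies a model of key rather than an individual key, so allow-listing it permits every device that reports those values.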
