Real World Computing

Slipping through fingers

20080116 [PC Pro]

Click images to enlarge

	1 That little grey square contains twice as much data as those discs that HMRC lost.

	2 USB flash drives: evil little tchotchkes?

3 Under Windows XP, the options are slightly more blurry than Vista. Microsoft has published a Group Policy job that disables every class of removable storage - see www.pcpro.co.uk/links/161networks4 for the full source code and how it's to be applied. Group Policies are handy things that have become an important part of IT life in major corporations, but they're not necessarily easy or friendly things to handle for the smaller business network operator.

There are some less capable fixes, in particular the two-part process of disabling the USBStor service via the Registry - change the Start value from 3 to 4 under the Registry key HKLM\System\CCS\Services\Usbstor, then set the rights for that key so nobody can re-enable them. If you don't understand either of those abbreviations or the idea of disabling access to a Registry key, then possibly this solution isn't for you, besides which this strategy has a fatal flaw anyway. While the trick of disabling rights to the Registry key deals with the problem of users inserting USB storage devices before they've logged in, none of this does any good if some future software update happens in passing to reset the Start key for the USBStor service, given that software updates have the right to bypass all group-policy-orientated security restrictions. In other words, while there's a Microsoft-provided, small-business-friendly fix for this problem, there's also a matching Microsoft-provided vulnerability.

By the way, there's a neat command-line utility for setting rights to chunks of Registry if you happen to have the Windows Server 2003 install CD - it's called subinaacl.exe. Be very aware that mastering the syntax for this utility is a high-risk enterprise, since its purpose is to ring-fence parts of your Registry from the accounts you mention in the command line. If it's the USBStor key you want to protect, the command line you need is:

subinacl.exe /keyreg \system\currentcontrolset\services\usbstor /deny=system

Smart systems admins will, of course, try this with some other security group in place of "system", so they stand a chance of establishing that it really works on a security-group basis rather than a brute-force denial basis.

4 Just as Vista's feature set may make certain USB drive controlling add-ons drop dead, shrivel up and blow away, so the execrably bad file-copying performance of Vista over networks seems to have provoked a flowering of third-party Explorer replacements. Now, hardened techies have been big fans of Explorer replacement since before the days of the GUI, but some of the long-standing competitors in this marketplace have gone a little quiet recently. I'm thinking particularly of the perennially popular Total Commander, which has sadly been rather slow to market with its full 64-bit version. Old hands may snort at such nitpicking, but I'm nowadays running 64-bit XP Pro on an "ugly duckling" IBM IntelliStation A Pro (dual Opteron 250) as my everyday workhorse, while waiting for Apple to fix my accursed MacBook Pro again, and there's no overlooking the difference between a proper 64-bit application and the poorly performing 32-bit version. If a product as humble and everyday as 7-Zip (www.7-zip.org) can deliver a lightning-quick 64-bit flavour, why can't the traditionally small, responsive and clued-up little developers behind these Explorer replacements keep up?

I've mostly been fiddling with Directory Opus (www.dopus.com) and XYplorer (www.xyplorer.com), both of which offer far easier management of files across the LAN under Vista than you'll get by bodging around with Registry patches that claim to improve its copying performance to an acceptable level. I've followed the various patching instructions, which are easily found on the web, so I'm in a good position to know whether it's LAN card drivers that produce this poor performance. All I can report is that it doesn't matter whether I use a Broadcom or an Intel ethernet card under 64-bit Vista Business, and it doesn't matter whether I let the machine do its predictive maths or the dynamic packet reshaping intended to make ISP connections faster - I still get dire performance from my Windows 2000 servers when copying to or from Vista of around 2MB/sec. My best performance comes with my Apple dual G5, from which Vista can copy at some 11MB/sec. Naturally, I can get over 40MB/sec from this same hardware when copying from XP Pro or OS X 10.5. Whatever the problem is within the Vista software stack, a factor of three deficit between this platform and its predecessor or its main competitor is going to take an awful lot of explaining away.

Directory Opus wins out by being supplied in a U3 USB drive, so you can walk around your LAN and keep your cleverer file copy and finding options close at hand (provided, of course, you haven't taken my advice elsewhere in this column and disabled every unused USB hole in pursuit of better data security!).