Vista Leaves Some Out in Cold

European versions don't enable USB lockout by default.

With Vista, Microsoft revamped the Windows operating systems ability to natively lock out unapproved USB storage devices through some new policy items in its Group Policy. However, this capability requires a service that has quietly been denied to some customers by default—a casualty of Microsofts attempts to comply with the anti-competition dictates of the European Union.

While such matters may not mean anything to U.S.-based customers, the fact that different versions of Vista will behave differently makes it hard to justify relying on the operating systems USB security features in an enterprise deployment.

In tests of the device lockout features, we experienced a mixed bag of results.

On the plus side, we found we could successfully block a user with limited rights from installing new USB drives onto a computer, while exempting local administrators from the policy.

We could also successfully create exceptions that allowed us to standardize on a particular make and model of USB device while locking out other, unapproved drives. For example, we created a policy that allowed users to install only Kingston Technologys DataTraveler Elite devices while blocking out all others. (We also tested with several generic devices.)

But when we tried to deny read/write access to already installed USB devices or even to CD/DVD writers, the policies did not work because they depend on whichever version of Vista is installed-specifically, the European "N" editions have been left out in the cold.

The ability to block read/write access to removable storage devices via Group Policy depends on the presence of the Portable Device Enumerator Service, which is not installed by default in the Vista Business N edition. We discovered this because we accidentally installed this version of the operating system on our test machines. Vista Business N is a Europe-only edition that complies with the EU mandate that Windows Media Player be decoupled from the operating system.

Unfortunately, the Portable Device Enumerator Service comes with Windows Media Player rather than with the base Vista operating system, so the N versions of Vista wont get the feature without installing the Windows Media Player or kludging together a different workaround.

Indeed, once we installed Windows Media Player 11 on our test system, the needed service installed and the Group Policy settings were immediately enforced. (We also verified that the policies worked on the standard Vista Business edition.)

The fact that a core security feature of Vista is based on the presence of a rich media application underscores what a convoluted system Windows continues to be.


Check out eWEEK.coms for Microsoft and Windows news, views and analysis.