Last Modified: Sat, 10 Feb 2018 16:46:35 +0000 ; Created: Sat, 10 Feb 2018 16:45:29 +0000
I discovered a way in Windows (tested in 10, probably works in 7 and 8) to make a USB drive readonly except when I run a command to make it writable. So I can run a backup job that makes the drive writable and, as soon as it is completed, makes the drive readonly again. This gives me another layer of protection in the event ransomware is on my system, because the typical expectation that all my connected drives are writable will not hold true.
There is still a window where ransomware could write to the drive, but this helps reduce the attack surface and has some potential for reducing impact.
It does require admin privileges (or UAC prompt) to use, but it has still been quite handy.
Example command - writable
@REM Need to make B: drive writable
diskpart /s "B:\Backup_Tools\make_drive_writable.diskpart"
Example command - readonly again
diskpart /s "B:\Backup_Tools\make_drive_readonly.diskpart"
make_drive_writable.diskpart
You must use diskpart to know what disk number to select
select disk=3
attributes disk
attributes disk clear readonly
attributes disk
make_drive_readonly.diskpart
You must use diskpart to know what disk number to select
select disk=3
attributes disk
attributes disk set readonly
attributes disk
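The backup cycle described above, as an added PowerShell example that is not from the original post: it resolves the disk number from drive letter B: on each run instead of hard-coding disk 3 (disk numbers can change when other drives are attached), and sets the drive back to readonly in a finally block even if the backup fails. The source and target folders, the robocopy job and the function name are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example; drive letter is from the post, folders and robocopy job are assumed.
$DriveLetter = 'B'
$Source      = 'C:\Users\me\Documents'    # assumed source folder
$Target      = 'B:\Backups\Documents'     # assumed destination folder

# Hypothetical helper: runs the post's diskpart commands against the resolved disk.
function Invoke-DiskReadOnly {
    param([ValidateSet('set', 'clear')] [string] $Action)

    # Look up which disk currently holds the backup volume.
    $diskNumber = (Get-Partition -DriveLetter $DriveLetter -ErrorAction Stop).DiskNumber

    # Same commands as make_drive_*.diskpart, generated with the current number.
    $script = Join-Path $env:TEMP "backup_disk_$Action.diskpart"
    @(
        "select disk=$diskNumber"
        "attributes disk $Action readonly"
        "attributes disk"
    ) | Set-Content -Path $script -Encoding ASCII

    diskpart /s $script | Out-Host
    $code = $LASTEXITCODE
    Remove-Item $script -ErrorAction SilentlyContinue
    if ($code -ne 0) { throw "diskpart '$Action readonly' failed with exit code $code" }
}

Invoke-DiskReadOnly -Action clear
try {
    # /E copies subfolders without deleting anything already on the backup drive.
    robocopy $Source $Target /E /R:1 /W:1
    # robocopy exit codes of 8 and above mean at least one copy failure.
    if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported errors ($LASTEXITCODE)" }
}
finally {
    # Runs even when the backup throws, so the drive is not left writable.
    Invoke-DiskReadOnly -Action set
    $disk = Get-Disk -Number (Get-Partition -DriveLetter $DriveLetter).DiskNumber
    if (-not $disk.IsReadOnly) { Write-Error "Disk $($disk.Number) is still writable" }
}
```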