Disabling Windows Autorun in Real World Enterprise Environments

According to this report from Avast, 1 out of 8 pieces of malware has a USB autorun attack component associated with it. In my own malware reverse engineering work, I frequently see malware with the ability to spread through USB removable drives, the root of local drives, and writeable roots of network shares. The obvious mitigation for this problem is to disable Windows autorun where you can.

If you have been hesitant to disable Windows autorun throughout your enterprise for any reason, please consider that you can do so by device type. To be clear, completely disabling autorun and autoplay is preferred and is the most secure option. If that isn’t practical in your environment for some reason, then you can still stop most common mass malware from spreading through this attack vector by disabling autorun and autoplay on all device types EXCEPT for CDs and DVDs. Taking this path keeps most users happy since they will still be able to install software from CD, play movies, etc., while you will be able to stop malware that spreads through autorun via USB thumb drives, removable USB hard drives, and network shares.

You can fully disable autorun and autoplay for all device types through Windows Active Directory Group Policy. If you want to do as this article suggests and disable autoplay and autorun for all device types except CDs and DVDs, then you can do so via Group Policy Preferences: under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, set the REG_DWORD value NoDriveTypeAutorun to the hexadecimal value DF.
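As an added example (not from the original post, and not Microsoft's own tooling), the PowerShell below applies the same NoDriveTypeAutoRun value on a single host and then decodes it bit by bit so you can audit what a machine actually has. NoDriveTypeAutoRun is a bitmask with one bit per Win32 drive type; 0xFF disables autorun everywhere, and 0xDF is 0xFF with the 0x20 CD-ROM bit cleared, which is exactly the "everything except CDs and DVDs" configuration described above. It assumes an elevated PowerShell session on the target Windows host; in a domain you would push the same value through Group Policy Preferences rather than running this script per machine.

```powershell
# Added example (not from the original post): set and audit NoDriveTypeAutoRun.
# Assumes an elevated PowerShell session on a Windows host. The key path and
# value name are the ones the post describes; the bit table is the documented
# Win32 drive-type bit layout of this value.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'

# Bit meanings of NoDriveTypeAutoRun (one bit per Win32 drive type).
$DriveTypeBits = [ordered]@{
    0x01 = 'DRIVE_UNKNOWN'
    0x02 = 'DRIVE_NO_ROOT_DIR'
    0x04 = 'DRIVE_REMOVABLE'   # USB thumb drives, removable USB hard disks
    0x08 = 'DRIVE_FIXED'       # roots of local hard disks
    0x10 = 'DRIVE_REMOTE'      # network shares
    0x20 = 'DRIVE_CDROM'       # CD / DVD
    0x40 = 'DRIVE_RAMDISK'
    0x80 = 'UNKNOWN_TYPE'
}

$AllDisabled      = 0xFF   # disable autorun for every drive type
$AllExceptOptical = 0xDF   # 0xFF with the 0x20 CD-ROM bit cleared, as in the post

function Set-AutorunPolicy {
    # Write the policy value, creating the Explorer policies key if it is absent.
    param([Parameter(Mandatory)][int]$Mask)
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord `
        -Value $Mask -Force | Out-Null
}

function Get-AutorunPolicy {
    # Return the current mask as an int, or $null if no policy value exists.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Show-AutorunPolicy {
    # Decode the mask so an auditor can see which drive types still autorun.
    $mask = Get-AutorunPolicy
    if ($null -eq $mask) {
        Write-Output "$ValueName not set under $PolicyKey (Windows default applies)"
        return
    }
    Write-Output ('{0} = 0x{1:X2}' -f $ValueName, $mask)
    foreach ($bit in $DriveTypeBits.Keys) {
        $state = if ($mask -band $bit) { 'autorun DISABLED' } else { 'autorun allowed' }
        Write-Output ('  0x{0:X2} {1,-18} {2}' -f $bit, $DriveTypeBits[$bit], $state)
    }
    if (($mask -band 0x20) -eq 0) {
        Write-Output '  NOTE: optical media can still autorun; a malicious CD/DVD is the residual risk.'
    }
}

# Usage: apply the post's recommended value, then audit the result.
Set-AutorunPolicy -Mask $AllExceptOptical
Show-AutorunPolicy
```

Running Show-AutorunPolicy on its own is a quick way to check hosts after a GPP deployment: a machine that reports 0xDF has removable drives, fixed-disk roots and network shares covered, while the note line makes the remaining CD/DVD exposure explicit. Swap in $AllDisabled if your environment can tolerate the fully locked-down setting.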

You also should deploy Microsoft’s KB967715 update before making this change.

I have done this across thousands of machines so far without complaint. The major drawback with this approach is that you can still be attacked via a malicious CD or DVD (or likewise fail a pentest that uses a CD with autorun), but I feel this approach strikes a good balance between security and user convenience for organizations requiring such an approach.

For individual users, Microsoft has a Fixit to completely disable autorun at http://go.microsoft.com/?linkid=9741395.

UPDATE – 08 Feb 2011 – Microsoft has released http://support.microsoft.com/kb/971029 through Windows Update, which enforces essentially the configuration recommended above on all Windows endpoints.


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement
