S 4.57 Disabling automatic CD-ROM recognition

Initiation responsibility: IT Security Officer

Implementation responsibility: User, Administrator

CD-ROMs can be automatically recognised and processed under Windows. This allows programs stored on the CD-ROM to be executed automatically on the computer. Automatic CD-ROM recognition should therefore be disabled permanently.

Under Windows 95, this is done by deactivating the Automatic insert notification attribute on the DEVICE MANAGER tab under the SYSTEM control panel option for the CD-ROM.

To permanently disable automatic CD-ROM recognition under Windows NT 4.0 and Windows 2000, set the Autorun entry in the SYSTEM\CurrentControlSet\Services\Cdrom key in the HKEY_LOCAL_MACHINE section of the registry to REG_DWORD = 0.

Under Windows XP, automatic CD-ROM recognition can also be disabled by setting the Computer configuration | Administrative templates | System | Turn off Autoplay policy to All drives. It can also be disabled on a per-user basis (User configuration | Administrative templates | System | Turn off Autoplay policy). The policies can be defined in both local and Active Directory-based group policies.

If automatic CD-ROM recognition is not deactivated in general, this should be documented. On a case-by-case basis, the automatic CD-ROM recognition for an individual CD-ROM can be prevented by pressing the Shift key when inserting the CD-ROM. As experience has shown, however, this is done rarely in practice.
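The following read-only audit is an added example, not part of the original safeguard text. It reports whether the driver setting or either policy described above is in effect on a machine, which also supports the documentation requirement. Assumptions: Windows PowerShell is available, the driver key is named Cdrom, and the Turn off Autoplay policy is stored as the NoDriveTypeAutoRun value with 0xFF meaning All drives; the function names are hypothetical.

```powershell
# Added example: read-only audit of the settings named in this safeguard.
# Assumption: "Turn off Autoplay = All drives" is stored as
# NoDriveTypeAutoRun = 0xFF under ...\Policies\Explorer (HKLM or HKCU).

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-AutorunDisabled {
    $policyKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $checks = @(
        @{ Setting = 'CD-ROM driver Autorun'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom'
           Name = 'Autorun'; Expected = 0 },
        @{ Setting = 'Turn off Autoplay (computer)'
           Path = "HKLM:\$policyKey"
           Name = 'NoDriveTypeAutoRun'; Expected = 0xFF },
        @{ Setting = 'Turn off Autoplay (user)'
           Path = "HKCU:\$policyKey"
           Name = 'NoDriveTypeAutoRun'; Expected = 0xFF }
    )
    foreach ($c in $checks) {
        $actual = Get-RegistryValueOrNull -Path $c.Path -Name $c.Name
        # A missing value means the setting was never configured.
        New-Object PSObject -Property @{
            Setting  = $c.Setting
            Path     = $c.Path
            Value    = if ($null -eq $actual) { '(not set)' } else { $actual }
            Disabled = ($null -ne $actual) -and ($actual -eq $c.Expected)
        } | Select-Object Setting, Path, Value, Disabled
    }
}

$results = @(Test-AutorunDisabled)
$results | Format-Table -AutoSize

# If none of the settings is in effect, the exception has to be documented.
if (-not ($results | Where-Object { $_.Disabled })) {
    Write-Warning 'Automatic CD-ROM recognition is not disabled by any checked setting; document this.'
}
```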

Review questions: