S 4.339 Prevention of unauthorised use of removable media in Windows Vista and Windows 7

Initiation responsibility: IT Security Officer

Implementation responsibility: User, Administrator

In Windows, all removable media (for example: CD-ROMs, DVD-ROMs, USB sticks, SD cards, etc.) can be detected and processed automatically. As a consequence, programs stored on the medium can be executed automatically on the Windows system. Therefore, automatic storage media detection should be disabled permanently.

Windows Vista and Windows 7 provide mechanisms for controlling access to removable media. Examples of removable media include memory cards, USB sticks, mobile hard drives, digital cameras, diskettes, CDs, and DVDs. They are used for mobile data storage and to exchange data between IT systems. Windows Vista and Windows 7 systems can read data from a removable medium and store it to another removable medium; applications can be started from removable media. The use of removable media also includes the installation and updating of the required drivers.

In Windows Vista and Windows 7, it is possible to enforce rules regarding the installation and use of removable media using group policies.

Specifying the rules for the use of removable media

The rules for the use of removable media must be specified. To specify them, examine the specific tasks for which selected users need removable media. From these tasks, derive which removable media are to be allowed or prohibited and in which ways they may be used (for example read only, read and write, or execution of programs).

In Windows Vista and Windows 7, Microsoft offers the AutoRun and AutoPlay functions. AutoRun automatically starts programs or extended content, e.g. media files, as soon as a data medium is inserted or connected. AutoPlay defines which program is used to open a certain type of medium; this way, audio CDs can be linked directly to the Media Player, for instance, which is then started automatically after an audio CD is inserted. It is strongly recommended to disable both AutoPlay and AutoRun.

Enforcement of the following rules should be considered:

In particular, USB sticks must be taken into account here since they can also be used for authentication purposes with BitLocker in Windows Vista and Windows 7. The read and write privileges required for this must then be granted as necessary.

In Windows Vista and Windows 7, AutoPlay can also be disabled using Control Panel | Hardware and Sound | AutoRun policies. Here, the behaviour can be set per type of medium or generally for all removable media. The setting Use AutoPlay for all media and devices should be disabled.
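The Control Panel setting above only affects the current user and can be changed back by that user. The group policy route is the enforceable one; the following PowerShell script is an added example (not part of the safeguard text) that writes the same registry policy values the settings "Turn off AutoPlay" (all drives) and "Default behavior for AutoRun" (do not execute any autorun commands) produce, and then verifies them. The key path and the two value names are the documented policy locations; the function names are the example's own.

```powershell
# Added example (not part of the BSI safeguard text): applies and verifies the
# registry values behind the two Group Policy settings
#   "Turn off Autoplay"             -> NoDriveTypeAutoRun = 0xFF (all drive types)
#   "Default behavior for AutoRun"  -> NoAutorun = 1 (ignore autorun.inf commands)
# Run from an elevated PowerShell prompt on the machine to be hardened; in a
# domain, set the same policies centrally in a GPO and use only the test part.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Desired state: 0xFF disables AutoPlay on every drive type, 1 makes Windows
# ignore autorun.inf entirely so nothing is started from an inserted medium.
$Desired = @{
    NoDriveTypeAutoRun = 0xFF
    NoAutorun          = 1
}

function Set-AutoRunPolicy {
    if (-not (Test-Path $ExplorerPolicy)) {
        New-Item -Path $ExplorerPolicy -Force | Out-Null
    }
    foreach ($name in $Desired.Keys) {
        New-ItemProperty -Path $ExplorerPolicy -Name $name -PropertyType DWord `
            -Value $Desired[$name] -Force | Out-Null
    }
}

function Test-AutoRunPolicy {
    # Returns $true only if every desired value exists with the expected data;
    # a missing value is reported as such rather than silently treated as 0.
    $ok = $true
    foreach ($name in $Desired.Keys) {
        $actual = (Get-ItemProperty -Path $ExplorerPolicy -Name $name `
                   -ErrorAction SilentlyContinue).$name
        if ($actual -ne $Desired[$name]) {
            $shown = if ($null -eq $actual) { '<missing>' } else { $actual }
            Write-Warning ("{0}: expected {1}, found {2}" -f $name, $Desired[$name], $shown)
            $ok = $false
        }
    }
    return $ok
}

Set-AutoRunPolicy
if (Test-AutoRunPolicy) {
    'AutoRun and AutoPlay are disabled by policy.'
} else {
    'Policy was NOT applied correctly; see warnings above.'
}
```

Test-AutoRunPolicy on its own is also useful as a periodic check on machines that receive the settings from a domain GPO: if the values are missing or differ, the policy is not reaching the machine.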

Enforcing usage requirements for removable media

The usage requirements specified for removable media must be implemented. They should be implemented primarily at the technical level using group policies.

Organisational rules can also be used as an alternative or a supplement to technical enforcement.

The correctness of the configuration settings of group policies should be tested before they are applied in regular operations.
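A concrete way to carry out this test, as an added example rather than part of the safeguard text: the rule set derived for the users' tasks is written down as the Removable Storage Access policy values group policy produces, and a script compares the live registry with it before the policy is rolled out. The rule set below is constructed for the example (USB sticks and CD/DVD readable, so that BitLocker key material on a stick still works, but neither writable nor executable); the device class GUIDs are the ones the Removable Storage Access policy template uses for "Removable Disks" and "CD and DVD" and should be checked against RemovableStorage.admx on the system in question. Function names are the example's own.

```powershell
# Added example (not part of the BSI safeguard text): compare the system's
# Removable Storage Access policy values against an intended rule set.
# Intended for the test phase before the group policy goes into regular use.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device class GUIDs used by the "Removable Storage Access" policy template
# (verify against RemovableStorage.admx on your own system).
$Classes = @{
    RemovableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'  # USB sticks, memory cards, mobile disks
    CdAndDvd       = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
}

# Constructed rule set for this example: reading allowed (e.g. BitLocker
# startup keys on a USB stick), writing and executing denied for both classes.
# A value of 1 denies the access type; 0 or an absent value allows it.
$Rules = @{
    RemovableDisks = @{ Deny_Read = 0; Deny_Write = 1; Deny_Execute = 1 }
    CdAndDvd       = @{ Deny_Read = 0; Deny_Write = 1; Deny_Execute = 1 }
}

function Get-RemovableStorageState {
    # Emits one object per class and access type with expected and actual value.
    foreach ($class in $Rules.Keys) {
        $key = Join-Path $PolicyRoot $Classes[$class]
        foreach ($access in $Rules[$class].Keys) {
            $actual = (Get-ItemProperty -Path $key -Name $access `
                       -ErrorAction SilentlyContinue).$access
            if ($null -eq $actual) { $actual = 0 }   # absent means "not denied"
            [pscustomobject]@{
                Class     = $class
                Access    = $access
                Expected  = $Rules[$class][$access]
                Actual    = $actual
                Compliant = ($actual -eq $Rules[$class][$access])
            }
        }
    }
}

function Test-RemovableStorageRules {
    # Prints the comparison table and returns $true only if nothing deviates.
    $state = @(Get-RemovableStorageState)
    $state | Format-Table -AutoSize | Out-String | Write-Host
    $failed = @($state | Where-Object { -not $_.Compliant })
    if ($failed.Count -gt 0) {
        Write-Warning ("{0} setting(s) deviate from the rule set." -f $failed.Count)
        return $false
    }
    return $true
}

Test-RemovableStorageRules
```

Running the check on a test machine after gpupdate, and again on a machine that should be unaffected, confirms both that the GPO applies where intended and that it does not reach systems outside its scope.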

The users must be informed of all rules relating to the use of removable media that apply to them.

Review questions: