Autorun: good for you?

Yes, if you're a five-year-old and you're tired of always asking mom or dad how to start the game on the CD. No need to know how! Just pick up the disc (a little peanut butter on your fingers helps with the grip), slide it in the drive, and wait for the game to start. Groovy!

No, if you're a security administrator. Many people still aren't aware of the security risk that autorun raises. It isn't new anymore, but DarkReading's "Social engineering, the USB way" is still the best story to make the point. Check it out.

I really can't think of any business reason for keeping this feature enabled. Please shut it off, domainwide, as soon as you can.


In Windows Vista/Server 2008, go here:

Computer Configuration | Administrative Templates | Windows Components | AutoPlay Policies

Enable the "Default behavior for AutoRun" policy and set the default to "Do not execute any autorun commands."

Enable the "Turn off Autoplay" policy and set it to "All drives."


In Windows XP/Server 2003, go here:

Computer Configuration | Administrative Templates | System

Enable the "Turn off Autoplay" policy and set it to "All drives."


While this might be old news for many of my readers, disabling autorun still doesn't seem to be a common security mitigation. At a recent conference I was surprised at the number of folks who haven't considered the risks of leaving it enabled. Surely by now most of you have heard about how certain music CDs can spread rootkits in your network. Yeah, holding down the [Shift] key when inserting a CD-ROM or USB drive will bypass the autorun.inf file -- but do you really want to rely on individual users remembering this? Nope. Group policy is your security friend: put it to good use here and disable autorun right now.

(BTW, Sony is up to their dirty old tricks again.)


Updated, 22 September 2007. Turns out there's a registry key that keeps track of all USB drives your computer has ever seen, and this key will override the Autorun settings if you insert a drive that your computer has seen before. So in addition to changing Autorun, you'll also need to delete this other key. Write a little script and call it from group policy. Here's the key to delete:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

More details here.
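
One way to write the "little script" from the update above, as an added PowerShell example that is not the author's own script. The function names are hypothetical, and the check assumes the "Turn off Autoplay" policy set to "All drives" is stored as the NoDriveTypeAutoRun value 0xFF under the Policies\Explorer key.

```powershell
# Added example, not from the original post. Deploy as a user logon script:
# MountPoints2 is under HKEY_CURRENT_USER, so a computer startup script
# (which runs as SYSTEM) would clean the wrong hive.

$mountPoints = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

# Registry locations where the "Turn off Autoplay" policy stores
# NoDriveTypeAutoRun (machine policy first, then per-user policy).
$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

# Hypothetical helper: true when a policy key disables Autoplay on all drive types (0xFF).
function Test-AutoplayDisabled {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        $item = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($item -and (($item.NoDriveTypeAutoRun -band 0xFF) -eq 0xFF)) { return $true }
    }
    return $false
}

# Hypothetical helper: deletes the key and returns how many cached entries it held.
function Remove-MountPointCache {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return 0 }
    $count = @(Get-ChildItem -Path $Path).Count
    Remove-Item -Path $Path -Recurse -Force -ErrorAction Stop
    return $count
}

# Clearing the cache only helps if the policy is actually in force, so report both.
if (-not (Test-AutoplayDisabled -Keys $policyKeys)) {
    Write-Warning 'Turn off Autoplay (All drives) is not applied to this user or computer.'
}
try {
    $n = Remove-MountPointCache -Path $mountPoints
    Write-Output "Removed MountPoints2 ($n cached entries)."
} catch {
    Write-Warning "MountPoints2 not removed: $($_.Exception.Message)"
}
```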

Published 22 September 07 10:29 by Steve Riley

Comments

# Mauro T said on September 24, 2007 9:20 AM:

So Agreed,

This well-known vulnerability is really a problem; server admins do not understand that it can be mitigated in... 2 minutes.

Thanks All

# Steve Riley on Security said on October 30, 2007 6:12 PM:

Last month, in my post " Autorun: good for you? " I described why I believe you should disable Autorun

# NOD32 and Virus News said on December 19, 2007 1:55 PM:

December 18th, 2007 by Randy Abrams Director of Technical Education at ESET PLEEEEASE Infect me This is what Windows says when you install it. You see, there is a default setting called “autorun” that will automatically run a program when you ins

# Rodney said on November 10, 2008 2:46 PM:

No one is using this very "simple setting" because we don't know how to get to the "Computer Configuration" window. Or is this only on server computers? I would like to turn off general autoplay because of all the music CDs and thumb drives I use.

(Remember when the thumbdrives were part of the default boot selection for XP? I almost fell over when I found I could boot a computer with a thumbdrive!!)

# Steve Riley said on November 18, 2008 4:24 PM:

Rodney-- good point! It's a group policy setting you can find in the local group policy editor. Choose Start | Run and type "gpedit.msc" to open the editing console.

# Dan said on November 25, 2008 4:04 PM:

How can this be pushed to all domain computers using Group Policy; AD on W2K3 PDC? Can't seem to get this to work.

# ALEJANDRO said on December 18, 2008 8:54 AM:

HI.. COULD YOU BE MORE SPECIFIC ABOUT THE PATH TO CHANGE THE AUTOPLAY CONFIGURATION..?? THANX.... I HAVE WIN VISTA HOME PREMIUM EDITION...

# Harry Palmer said on March 3, 2009 1:04 PM:

What about XP in a workgroup configuration.  There appears to be no Autoplay Policies.

# ashley said on March 24, 2009 1:32 AM:

Hi, I'm working on Windows XP Home Edition, and there isn't group policy available. So I am wondering, does anyone know how I can turn off autoplay in this version??

# n0de said on April 24, 2009 10:04 AM:

ashley: you'll find the same settings by running "gpedit.msc" from the command prompt (start/run -> "cmd")

# Matthew Nicoll said on June 5, 2009 4:02 PM:

I have XP pro

I ran gpedit.msc from the command line.

There is no "Autoplay Policies" under "Windows Components".

I tried installing: Update for Windows XP (KB967715)

then rebooted.  Still not there.

Any other ideas?!
