In a previous article I talked about disabling Autorun facility in Windows using a registry value suggested by US-CERT. To remind the reader, the key and value are :

Path : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf
Value : @=”@SYS:DoesNotExist”

To deploy this configuration using GPO, we need to create a new, or may be update an existing one, administration file. Administration files are normally located in folder :

%systemroot%\inf

and have .adm extension.

I will not go into details of ADM files syntax, version control and Operating System filtering, as it will need more than one article, but anyway : here is a prototype you can always use with Windows XP (and above?) and you can change the key and values but keep the same syntax. For interested readers, I recommend this document : “Using Administrative Template Files with Registry-Based Group Policy” from Microsoft site.

So, the ADM file I propose for this configuration:

CLASS MACHINE
CATEGORY !!category
KEYNAME “SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf”
POLICY !!policynameautorun
ACTIONLISTON
VALUENAME “@”        VALUE “@SYS:DoesNotExist”
END ACTIONLISTON
ACTIONLISTOFF
VALUENAME “@”        VALUE “”
END ACTIONLISTOFF
END POLICY
END CATEGORY
[strings]
category=”Custom Policy Settings”
policynameautorun=”Disable autorun”

save this lines as “customPolicies.adm” for example, and import it as an administrative template. To do so, develop “computer configuration“, then right click on “administrative templates” group,  and choose “Add/Remove templates”, click on “Add” and browse for your file. Once selected, validate and close; You’ll see your new group of policies (that is named “category” in the adm file) in the groups tree. You can see this steps in this video.

One done, you man not see the new policy as there’s a default filtering. To disable filtering, right click on “administrative templates”, select “Display” menu and then “Filtering”; uncheck all checkboxes. Have a look here :

Some explanations about parameters used in the above example :

• KEYNAME : Registry key to change/create.
• ACTIONLISTON : actions to perform when the policy is enabled
• ACTIONLISTOFF : actions to perform when policy is disabled
• strings section : values for substitution variables, noted with double exclamation mark (!!category for example). These varibales are used for portability between different language versions of Windows.

Having the adm file imported does not mean it is in use and applied. You need to create a new strategy (or update an existing one) to use the policy. Then you have to link this strategy to the Organisational Unit (OU) you want.

In the client side, you need to run gpupdate in the command prompt if you want the modifications to be applied right at the moment without waiting any longer. Gpupdate command replaces secedit command available in Windows 2000 and older versions. Please refer to the help of these commands for more details.

I hope you enjoyed reading and it was useful.

In a previous article we saw how to disable low dik space warnings in Windows systems, in this article we will talk about Autorun.

Microsoft Windows come with the AutoRun feature which make applications start automaticaly when inserting a CD/DVD, mapping a network drive or plugging a USB key. This is the worst case because everyone can plug a usb key to move data, to get pictures from a friend, to copy music …etc.

When a Removable Device is connected to computer, either the autorun launches the exe/.com file to witch a Autorun.inf file point to, or the user double click on the icon to browse the device content. In both cases, a hidden execution happens and make the computer infected. As an example, the Malicious software W32.Downadup uses this technique to spread.

In Microsoft, we can read many articles, such :

• How to correct “disable Autorun registry key” enforcement in Windows : which details also how to disable autorun useing Group Policy Objects (GPO)
• How to Enable or Disable Automatically Running CD-ROMs
• How to disable the use of USB storage devices (more radical solution!)

Today I received an US-CERT notification to say that those solutions are not effective when a media is first time connected to computer. In the Technical Cyber Security Alert TA09-020A we can read :

The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft   Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. According to Microsoft, setting the NoDriveTypeAutorun registry value to 0xFF “disables Autoplay on all types of drives.” Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer.

The proposed solution is to set the following value to registry :

Path : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf

Value : @=”@SYS:DoesNotExist”

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@=”@SYS:DoesNotExist”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Hope you found this post useful, and I’d like to invite you to subscribe to my feed to keep in touch with future posts.