CSCv6|13.5

Title

Configure systems so that they will not write data to USB tokens or USB hard drives.

Description

If there is no business need for supporting such devices, configure systems so that they will not write data to USB tokens or USB hard drives. If such devices are required, enterprise software should be used that can configure systems to allow only specific USB devices (based on serial number or other unique property) to be accessed, and that can automatically encrypt all data placed on such devices. An inventory of all authorized devices must be maintained.

Reference Item Details

Category: Data Protection

Family: Network

Audit Items


| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.2.3.13 Set 'Prevent installation of devices using drivers that match these device setup classes' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.2.3.14 Set 'Also apply to matching devices that are already installed' to 'True' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.2.4.2.3.17 Set 'Deny write access to removable drives not protected by BitLocker' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.2.4.2.3.20 Set 'Do not allow write access to devices configured in another organization' to 'True' | Windows | CIS Windows 8 L1 v1.0.0 |
| 18.8.7.1.1 (BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker |
| 18.8.7.1.1 (BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 18.8.7.1.1 Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0 |
| 18.8.7.1.1 Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 18.8.7.1.1 Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Bitlocker v3.2.0 |
| 18.8.7.1.2 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 18.8.7.1.2 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker |
| 18.8.7.1.3 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked) | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 18.8.7.1.3 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked) | Windows | CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker |
| 18.8.7.1.3 Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked) | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 18.8.7.1.3 Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked) | Windows | CIS Windows 7 Workstation Bitlocker v3.2.0 |
| 18.8.7.1.3 Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked) | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0 |
| 18.8.7.1.4 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 18.8.7.1.4 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker |
| 18.8.7.1.5 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker |
| 18.8.7.1.5 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 18.8.7.1.6 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked) | Windows | CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker |
| 18.8.7.1.6 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked) | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 18.9.11.3.14 Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False' | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0 |
| 18.9.11.3.14 Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False' | Windows | CIS Windows 7 Workstation Bitlocker v3.2.0 |
| 18.9.11.3.14 Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 18.9.11.3.17 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker |
| 18.9.11.3.17 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 18.9.11.3.18 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 18.9.11.3.18 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker |
| Deny write access to removable drives not protected by BitLocker - RDVDenyCrossOrg | Windows | MSCT Windows 10 1809 v1.0.0 |
| Deny write access to removable drives not protected by BitLocker - RDVDenyCrossOrg | Windows | MSCT Windows 10 1903 v1.19.9 |
| Deny write access to removable drives not protected by BitLocker - RDVDenyCrossOrg | Windows | MSCT Windows 10 v2004 v1.0.0 |
| Deny write access to removable drives not protected by BitLocker - RDVDenyCrossOrg | Windows | MSCT Windows 10 1803 v1.0.0 |
| Deny write access to removable drives not protected by BitLocker - RDVDenyCrossOrg | Windows | MSCT Windows 10 v1507 v1.0.0 |
| Deny write access to removable drives not protected by BitLocker - RDVDenyCrossOrg | Windows | MSCT Windows 10 1909 v1.0.0 |
| Deny write access to removable drives not protected by BitLocker - RDVDenyCrossOrg | Windows | MSCT Windows 10 v21H2 v1.0.0 |
| Deny write access to removable drives not protected by BitLocker - RDVDenyCrossOrg | Windows | MSCT Windows 10 v20H2 v1.0.0 |
| Prevent installation of devices that match any of these device IDs - DenyDeviceIDs | Windows | MSCT Windows 10 v1507 v1.0.0 |
| Prevent installation of devices that match any of these device IDs - DenyDeviceIDs | Windows | MSCT Windows 10 1803 v1.0.0 |
| Prevent installation of devices that match any of these device IDs - DenyDeviceIDs | Windows | MSCT Windows 10 1809 v1.0.0 |
| Prevent installation of devices that match any of these device IDs - DenyDeviceIDs | Windows | MSCT Windows 10 1903 v1.19.9 |
| Prevent installation of devices that match any of these device IDs - DenyDeviceIDsRetroactive | Windows | MSCT Windows 10 1903 v1.19.9 |
| Prevent installation of devices that match any of these device IDs - DenyDeviceIDsRetroactive | Windows | MSCT Windows 10 v1507 v1.0.0 |
| Prevent installation of devices that match any of these device IDs - DenyDeviceIDsRetroactive | Windows | MSCT Windows 10 1809 v1.0.0 |
| Prevent installation of devices that match any of these device IDs - DenyDeviceIDsRetroactive | Windows | MSCT Windows 10 1803 v1.0.0 |
| Prevent installation of devices using drivers that match these device setup classes - DenyDeviceClasses | Windows | MSCT Windows 10 1903 v1.19.9 |
| Prevent installation of devices using drivers that match these device setup classes - DenyDeviceClasses | Windows | MSCT Windows 10 1803 v1.0.0 |
| Prevent installation of devices using drivers that match these device setup classes - DenyDeviceClasses | Windows | MSCT Windows 10 v21H2 v1.0.0 |
| Prevent installation of devices using drivers that match these device setup classes - DenyDeviceClasses | Windows | MSCT Windows 10 1809 v1.0.0 |
| Prevent installation of devices using drivers that match these device setup classes - DenyDeviceClasses | Windows | MSCT Windows 10 v2004 v1.0.0 |