Theme

CSCv6|8.3

Title

Limit use of external devices to those with an approved, documented business need.

Description

Limit use of external devices to those with an approved, documented business need. Monitor for use and attempted use of external devices. Configure laptops, workstations, and servers so that they will not auto-run content from removable media, like USB tokens (i.e., 'thumb drives'), USB hard drives, CDs/DVDs, FireWire devices, external serial advanced technology attachment devices, and mounted network shares. Configure systems so that they automatically conduct an anti-malware scan of removable media when inserted.

Reference Item Details

Reference: CIS Critical Security Controls v6

Category: Malware Defenses

Family: System

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1.2.46 Set 'Audit Policy: Object Access: Removable Storage' to 'No Auditing'	Windows	CIS Windows 8 L1 v1.0.0
1.1.3.4.2 Configure 'Devices: Restrict floppy access to locally logged-on user only'	Windows	CIS Windows 8 L1 v1.0.0
1.1.3.4.3 Set 'Devices: Allowed to format and eject removable media' to 'Administrators and Interactive Users'	Windows	CIS Windows 8 L1 v1.0.0
1.1.3.4.4 Configure 'Devices: Restrict CD-ROM access to locally loggedon user only'	Windows	CIS Windows 8 L1 v1.0.0
1.1.21 Disable Automounting	Unix	CIS Debian 8 Workstation L2 v2.0.2
1.1.21 Disable Automounting	Unix	CIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
1.1.21 Disable Automounting	Unix	CIS Debian 8 Server L1 v2.0.2
1.1.22 Disable Automounting	Unix	CIS Distribution Independent Linux Workstation L2 v2.0.0
1.1.22 Disable Automounting	Unix	CIS Distribution Independent Linux Server L1 v2.0.0
1.1.22 Disable Automounting	Unix	CIS Ubuntu Linux 18.04 LXD Host L1 Server v1.0.0
1.1.23 Disable Automounting	Unix	CIS Ubuntu Linux 18.04 LTS Workstation L2 v2.1.0
1.1.23 Disable Automounting	Unix	CIS Ubuntu Linux 20.04 LTS Workstation L2 v1.1.0
1.1.23 Disable Automounting	Unix	CIS Ubuntu Linux 20.04 LTS Server L1 v1.1.0
1.1.23 Disable Automounting	Unix	CIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
1.1.23 Disable USB Storage - lsmod	Unix	CIS Distribution Independent Linux Server L1 v2.0.0
1.1.23 Disable USB Storage - lsmod	Unix	CIS Distribution Independent Linux Workstation L2 v2.0.0
1.1.23 Disable USB Storage - modprobe	Unix	CIS Distribution Independent Linux Workstation L2 v2.0.0
1.1.23 Disable USB Storage - modprobe	Unix	CIS Distribution Independent Linux Server L1 v2.0.0
1.2.4.1.1 Set 'Turn off Autoplay on' to 'Enabled:All drives'	Windows	CIS Windows 8 L1 v1.0.0
2.3.4.1 Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'	Windows	CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL
17.3.1 Ensure 'Audit PNP Activity' is set to include 'Success'	Windows	CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL
17.3.1 Ensure 'Audit PNP Activity' is set to include 'Success'	Windows	CIS Microsoft Windows 11 Enterprise v1.0.0 L1
17.3.1 Ensure 'Audit PNP Activity' is set to include 'Success'	Windows	CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + NG
17.3.1 Ensure 'Audit PNP Activity' is set to include 'Success'	Windows	CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL + NG
17.6.4 (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.0 L1
17.6.4 (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
17.6.4 Ensure 'Audit Removable Storage' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL
17.6.4 Ensure 'Audit Removable Storage' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL + NG
17.6.4 Ensure 'Audit Removable Storage' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 11 Enterprise v1.0.0 L1
17.6.4 Ensure 'Audit Removable Storage' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + NG
18.9.8.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'	Windows	CIS Microsoft Windows 8.1 v2.4.0 L1
18.9.8.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'	Windows	CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'	Windows	CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL
18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'	Windows	CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + NG
18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'	Windows	CIS Microsoft Windows 11 Enterprise v1.0.0 L1
18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'	Windows	CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL + NG
18.9.8.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'	Windows	CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.9.8.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'	Windows	CIS Microsoft Windows 8.1 v2.4.0 L1
18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'	Windows	CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL
18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'	Windows	CIS Microsoft Windows 11 Enterprise v1.0.0 L1
18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'	Windows	CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL + NG
18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'	Windows	CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + NG
18.9.8.3 (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'	Windows	CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.9.8.3 (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'	Windows	CIS Microsoft Windows 8.1 v2.4.0 L1
18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'	Windows	CIS Microsoft Windows 11 Enterprise v1.0.0 L1
18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'	Windows	CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL
18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'	Windows	CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL + NG
18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'	Windows	CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + NG