CSCv7|13.8

Title

Manage System's External Removable Media's Read/write Configurations

Description

Configure systems not to write data to external removable media, if there is no business need for supporting such devices.

Reference Item Details

Reference: CIS Critical Security Controls v7

Category: Data Protection

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
17.6.4 (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.6.4 Ensure 'Audit Removable Storage' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
18.8.7.1.1 (BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker
18.8.7.1.1 (BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.8.7.1.2 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.8.7.1.2 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker
18.8.7.1.3 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked)	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.8.7.1.3 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked)	Windows	CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker
18.8.7.1.4 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.8.7.1.4 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker
18.8.7.1.5 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.8.7.1.5 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker
18.8.7.1.6 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked)	Windows	CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker
18.8.7.1.6 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked)	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.9.11.3.17 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.9.11.3.17 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker
18.9.11.3.18 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.9.11.3.18 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker
18.10.9.3.14 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'	Windows	CIS Microsoft Windows 10 Enterprise v3.0.0 L1 + BL + NG
18.10.9.3.14 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'	Windows	CIS Microsoft Windows 10 Enterprise v3.0.0 L2 + BL + NG
18.10.9.3.14 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'	Windows	CIS Microsoft Windows 10 Stand-alone v3.0.0 L1 BL
18.10.9.3.14 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'	Windows	CIS Microsoft Windows 10 Stand-alone v3.0.0 L2 BL
18.10.9.3.14 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'	Windows	CIS Microsoft Windows 10 Enterprise v3.0.0 BL
18.10.9.3.14 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'	Windows	CIS Microsoft Windows 10 Stand-alone v3.0.0 L1 BL NG
18.10.9.3.14 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'	Windows	CIS Microsoft Windows 10 Stand-alone v3.0.0 L2 BL NG
18.10.9.3.14 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'	Windows	CIS Microsoft Windows 10 Enterprise v3.0.0 L2 + BL
18.10.9.3.14 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'	Windows	CIS Microsoft Windows 11 Stand-alone v3.0.0 L1 + BL
18.10.9.3.14 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'	Windows	CIS Microsoft Windows 11 Stand-alone v3.0.0 BL
18.10.9.3.14 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'	Windows	CIS Microsoft Windows 10 Enterprise v3.0.0 L1 + BL
18.10.9.3.14 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'	Windows	CIS Microsoft Windows 10 Stand-alone v3.0.0 BL
18.10.9.3.14 (L1) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'	Windows	CIS Microsoft Windows 10 EMS Gateway v3.0.0 L1
18.10.9.3.15 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'	Windows	CIS Microsoft Windows 10 Enterprise v3.0.0 L2 + BL + NG
18.10.9.3.15 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'	Windows	CIS Microsoft Windows 10 Enterprise v3.0.0 BL
18.10.9.3.15 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'	Windows	CIS Microsoft Windows 10 Stand-alone v3.0.0 L2 BL NG
18.10.9.3.15 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'	Windows	CIS Microsoft Windows 11 Stand-alone v3.0.0 BL
18.10.9.3.15 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'	Windows	CIS Microsoft Windows 10 Enterprise v3.0.0 L1 + BL + NG
18.10.9.3.15 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'	Windows	CIS Microsoft Windows 10 Enterprise v3.0.0 L2 + BL
18.10.9.3.15 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'	Windows	CIS Microsoft Windows 10 Stand-alone v3.0.0 L1 BL NG
18.10.9.3.15 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'	Windows	CIS Microsoft Windows 10 Stand-alone v3.0.0 L1 BL
18.10.9.3.15 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'	Windows	CIS Microsoft Windows 10 Enterprise v3.0.0 L1 + BL
18.10.9.3.15 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'	Windows	CIS Microsoft Windows 11 Stand-alone v3.0.0 L1 + BL
18.10.9.3.15 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'	Windows	CIS Microsoft Windows 10 Stand-alone v3.0.0 L2 BL
18.10.9.3.15 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'	Windows	CIS Microsoft Windows 10 Stand-alone v3.0.0 BL
18.10.9.3.15 (L1) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'	Windows	CIS Microsoft Windows 10 EMS Gateway v3.0.0 L1
18.10.10.3.14 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'	Windows	CIS Microsoft Windows 11 Enterprise v4.0.0 L1 BitLocker
18.10.10.3.14 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'	Windows	CIS Microsoft Windows 11 Enterprise v4.0.0 L2 BitLocker
18.10.10.3.14 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'	Windows	CIS Microsoft Windows 11 Enterprise v4.0.0 BitLocker
18.10.10.3.15 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'	Windows	CIS Microsoft Windows 11 Enterprise v4.0.0 L2 BitLocker
18.10.10.3.15 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'	Windows	CIS Microsoft Windows 11 Enterprise v4.0.0 L1 BitLocker
18.10.10.3.15 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'	Windows	CIS Microsoft Windows 11 Enterprise v4.0.0 BitLocker

Detections

Analytics

CSCv7|13.8

Title

Description

Reference Item Details

Audit Items