Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Auditing Windows 2003 Servers for Disabled USB Drives and AutoRun CD-ROM

Many organizations have IT configuration polices that require CDs and USB drives to be disabled. This blog entry discusses a simple way to use a Nessus 3 .audit file to test a Windows 2003 server for the correct registry settings that disable "AutoRun" of programs on CDs as well as disables USB drives.

Windows 2003 Registry Settings

On Windows 2003 servers, the following registry setting controls "AutoRun" for CD drives:

HKLM\SYSTEM\CurrentControlSet\Services\Cdrom

If the item "AutoRun" is set to zero, then the system won't run CDs when they are inserted into the server. Below is a screen shot, with the "AutoRun" item circled, of a Windows 2003 server's registry settings using the regedit.exe tool:

Cdauditw2003reg

To disable USB drives, the following registry setting should be set to a value of "4":

HKLM\SYSTEM\CurrentControlSet\Services\UsbStor\start=4

According to Microsoft Knowledge Base #823732, systems that have this setting in place will have their USB drives completely disabled. Please note that this registry setting only applies to USB storage devices that are being installed and have no effect on devices already attached to a server.

Example .audit File

The following is a self-contained .audit file which tests the registry settings to have CD-ROM "AutoRun" and USB drives disabled:

<check_type: "Windows">
<group_policy: "Audits Windows 2003 Systems for AutoRun and USB storage devices being disabled">

<custom_item>
        type: REGISTRY_SETTING
        description: "CD AutoRun Disabled"
        value_type: POLICY_DWORD
        value_data: 0
        reg_key: "HKLM\SYSTEM\CurrentControlSet\Services\Cdrom"
        reg_item: "AutoRun"
        reg_type: REG_DWORD
</item>

<custom_item>
       type: REGISTRY_SETTING
      description: "USB Storage Devices Are disabled"
      value_type: POLICY_DWORD 
      value_data: 4
      reg_key: "HKLM\SYSTEM\CurrentControlSet\Services\UsbStor"
      reg_item: "start"
      reg_type: REG_DWORD
</item>

</group_policy>
</check_type>

Click below to download the example .audit file:

Download autorun-disabled.audit

Using this .audit file with Nessus 3 For Windows

Nessus 3 Direct Feed subscribers can save the above .audit file to their local computer. They should then create a scan policy which makes use of this .audit file and has the appropriate credentials to read the registry of the audited systems.

If an existing scan policy with the right credentials is available, consider adding this .audit file as a second or third policy. Each scan policy can have up to 5 separate UNIX and Windows .audit files.

Below is a screen shot of an example report generated by the above .audit file from a test Windows 2003 server.

Cdauditnessus3report_1

Vulnerability ID #21157 is the value assigned to all Windows compliance audit results. In the results, it can be seen that CD-ROM "AutoRun" has indeed been disabled, but USB storage devices are enabled with a value of "3".

Using this .audit file with the Security Center

Security Center users should have their administrator save the .audit file to the /opt/sc3/admin/nasl directory, and then restart the Security Center to ensure it gets pushed out to all of the managed Nessus scanners.

To make use of the new .audit file, either a new scanning policy should be created with the proper Windows credentials that makes use of the new .audit file, or this new .audit file should be added to an existing scanning policy. Like Nessus 3, scanning policies in the Security Center can also use multiple .audit files.

Below is a screen shot of the results of a scan against the same Windows 2003 server we tested above with Nessus 3.

Cdauditsc3_1

Since these compliance results have been imported into the Security Center, they have been given unique IDs of #60186 and #60187. The Security Center interprets Nessus plugin IDs #21156 (UNIX) and #21157 (Windows)  as "compliance" IDs and re-maps these to IDs greater than 65000. This allows for unique reporting, ticketing, dynamic asset list creation and tracking for unique compliance issues. 

For More Information

Tenable has placed several dozen .audit files online which can perform comprehensive audits of UNIX and Windows systems. These polices are derived from the United States CERT, NIST and NSA organization's guides for locking down UNIX and Windows servers. Documentation and tools are also located at that site which can be used to create your own policies. Compliance audits with Nessus 3 are available to all Direct Feed subscribers and Security Center users.