
Auditing Windows 2003 Servers for Disabled USB Drives and AutoRun CD-ROM

Many organizations have IT configuration policies that require CD-ROM AutoRun and USB storage to be disabled on servers. This blog entry shows a simple Nessus 3 .audit file that tests a Windows 2003 server for the two registry settings that disable "AutoRun" of programs on CDs and disable the USB storage driver.

Windows 2003 Registry Settings

On Windows 2003 servers, "AutoRun" for CD drives is controlled by the "AutoRun" value (REG_DWORD) under the following registry key:

        HKLM\SYSTEM\CurrentControlSet\Services\Cdrom

If "AutoRun" is set to zero, the server will not run programs from a CD when it is inserted. Below is a screen shot, with the "AutoRun" item circled, of a Windows 2003 server's registry settings in regedit.exe:


To disable USB storage devices, the "Start" value (REG_DWORD) of the USB storage driver's service key should be set to "4":

        HKLM\SYSTEM\CurrentControlSet\Services\UsbStor

A Start value of 3 is the default (start on demand); 4 means the USBSTOR service is disabled and the driver will not be loaded. Microsoft Knowledge Base article 823732 gives this setting as the method for servers on which a USB storage device has already been installed. Two caveats apply. The value is only consulted when the driver is started, so a device whose driver is already loaded keeps working until it is removed or the server is rebooted. And for servers on which no USB storage device has ever been installed, the same article describes a different control (denying access to Usbstor.inf and Usbstor.pnf so the driver cannot be installed); the registry check below verifies only the Start value, not those file permissions.

Example .audit File

The following is a self-contained .audit file which tests the registry settings that disable CD-ROM "AutoRun" and USB storage devices. Each check is a REGISTRY_SETTING item wrapped in its own custom_item block:

<check_type: "Windows">
<group_policy: "Audits Windows 2003 Systems for AutoRun and USB storage devices being disabled">

# CD-ROM AutoRun: 0 = do not run programs from an inserted CD
<custom_item>
        type: REGISTRY_SETTING
        description: "CD AutoRun Disabled"
        value_type: POLICY_DWORD
        value_data: 0
        reg_key: "HKLM\SYSTEM\CurrentControlSet\Services\Cdrom"
        reg_item: "AutoRun"
        reg_type: REG_DWORD
</custom_item>

# USB storage driver service: 4 = SERVICE_DISABLED (3 is the start-on-demand default)
<custom_item>
        type: REGISTRY_SETTING
        description: "USB Storage Devices Are disabled"
        value_type: POLICY_DWORD
        value_data: 4
        reg_key: "HKLM\SYSTEM\CurrentControlSet\Services\UsbStor"
        reg_item: "Start"
        reg_type: REG_DWORD
</custom_item>

</group_policy>
</check_type>


Click below to download the example .audit file:

Download autorun-disabled.audit
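To make the pass/fail logic of these two checks concrete, here is an added example (not Tenable's code and not part of the original post) that parses the custom_item blocks of the .audit file above and scores them against a registry snapshot the way the Nessus report does. The snapshot is constructed to reproduce the server in the report below (AutoRun already 0, UsbStor Start still 3). The `read_live_snapshot` function is an assumption about how to pull the same values from the local registry with Python's `winreg` module when the script is run on the audited host; everything else runs offline.

```python
import re

# Constructed copy of the two checks from the page, written out as a complete
# .audit file: each check inside <custom_item>...</custom_item>, and the
# group_policy/check_type blocks closed.
AUDIT_TEXT = r'''
<check_type: "Windows">
<group_policy: "Audits Windows 2003 Systems for AutoRun and USB storage devices being disabled">

<custom_item>
  type: REGISTRY_SETTING
  description: "CD AutoRun Disabled"
  value_type: POLICY_DWORD
  value_data: 0
  reg_key: "HKLM\SYSTEM\CurrentControlSet\Services\Cdrom"
  reg_item: "AutoRun"
  reg_type: REG_DWORD
</custom_item>

<custom_item>
  type: REGISTRY_SETTING
  description: "USB Storage Devices Are disabled"
  value_type: POLICY_DWORD
  value_data: 4
  reg_key: "HKLM\SYSTEM\CurrentControlSet\Services\UsbStor"
  reg_item: "Start"
  reg_type: REG_DWORD
</custom_item>

</group_policy>
</check_type>
'''

# Windows service Start values: SERVICE_DEMAND_START and SERVICE_DISABLED.
START_DEMAND = 3
START_DISABLED = 4

ITEM_RE = re.compile(r"<custom_item>(.*?)</custom_item>", re.S)
FIELD_RE = re.compile(r'^\s*(\w+)\s*:\s*"?([^"\n]*?)"?\s*$', re.M)


def parse_audit(text):
    """Return one {keyword: value} dict per <custom_item> in an .audit file."""
    items = []
    for body in ITEM_RE.findall(text):
        fields = dict(FIELD_RE.findall(body))
        if fields.get("type") != "REGISTRY_SETTING":
            raise ValueError("unsupported check type: %r" % fields.get("type"))
        for required in ("description", "value_data", "reg_key", "reg_item"):
            if required not in fields:
                raise ValueError("check %r is missing %s" % (fields.get("description"), required))
        items.append(fields)
    return items


def _slot(reg_key, reg_item):
    # Registry paths and value names are case-insensitive, so normalise them.
    return (reg_key.lower(), reg_item.lower())


def evaluate(items, snapshot):
    """Score each check against snapshot, a {(reg_key, reg_item): value} map.

    A value missing from the snapshot (None) fails. That is the safe reading:
    an absent Cdrom AutoRun value means Windows uses its default of 1
    (enabled), and an absent UsbStor Start value means the driver's service
    key does not exist, so the "4" control is not in place either.
    """
    results = []
    for it in items:
        expected = int(it["value_data"])
        actual = snapshot.get(_slot(it["reg_key"], it["reg_item"]))
        status = "PASSED" if actual == expected else "FAILED"
        results.append({"description": it["description"], "expected": expected,
                        "actual": actual, "status": status})
    return results


def read_live_snapshot(items):
    """Read the same values from the local registry (only works on Windows)."""
    import winreg  # assumption: the script is run on the audited host itself
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE}
    snapshot = {}
    for it in items:
        root, _, subkey = it["reg_key"].partition("\\")
        try:
            with winreg.OpenKey(roots[root], subkey) as key:
                value, _ = winreg.QueryValueEx(key, it["reg_item"])
        except OSError:  # key or value not present
            value = None
        snapshot[_slot(it["reg_key"], it["reg_item"])] = value
    return snapshot


# Constructed snapshot reproducing the server in the page's report:
# AutoRun already 0, but USBSTOR still at its default Start of 3.
SAMPLE_SNAPSHOT = {
    _slot(r"HKLM\SYSTEM\CurrentControlSet\Services\Cdrom", "AutoRun"): 0,
    _slot(r"HKLM\SYSTEM\CurrentControlSet\Services\UsbStor", "Start"): START_DEMAND,
}


def main():
    items = parse_audit(AUDIT_TEXT)
    for r in evaluate(items, SAMPLE_SNAPSHOT):
        print("%-34s expected=%s actual=%s %s"
              % (r["description"], r["expected"], r["actual"], r["status"]))


if __name__ == "__main__":
    main()
```

Run as-is it reports the AutoRun check as PASSED and the USB check as FAILED with an actual value of 3; on the audited server, swap `SAMPLE_SNAPSHOT` for `read_live_snapshot(items)` to score the real registry. Treating a missing value as a failure rather than an error is a deliberate choice: for both of these keys, "absent" means the control is not in effect.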

Using this .audit file with Nessus 3 For Windows

Nessus 3 Direct Feed subscribers can save the above .audit file to their local computer. They should then create a scan policy which makes use of this .audit file and has the appropriate credentials to read the registry of the audited systems.

If an existing scan policy with the right credentials is already available, consider adding this .audit file to it alongside the audits it already runs. Each scan policy can have up to 5 separate UNIX and Windows .audit files.

Below is a screen shot of an example report generated by the above .audit file from a test Windows 2003 server.


Nessus plugin ID #21157 (Windows Compliance Checks) is assigned to all Windows compliance audit results. The results show that CD-ROM "AutoRun" has indeed been disabled, but USB storage devices are still enabled: the UsbStor "Start" value is "3" (start on demand) rather than the required "4" (disabled).

Using this .audit file with the Security Center

Security Center users should have their administrator save the .audit file to the /opt/sc3/admin/nasl directory, and then restart the Security Center to ensure it gets pushed out to all of the managed Nessus scanners.

To make use of the new .audit file, either a new scanning policy should be created with the proper Windows credentials that makes use of the new .audit file, or this new .audit file should be added to an existing scanning policy. Like Nessus 3, scanning policies in the Security Center can also use multiple .audit files.

Below is a screen shot of the results of a scan against the same Windows 2003 server we tested above with Nessus 3.


Since these compliance results have been imported into the Security Center, they have been given their own unique IDs, #60186 and #60187. The Security Center treats Nessus plugin IDs #21156 (UNIX) and #21157 (Windows) as "compliance" IDs and re-maps each individual result to its own Security Center ID. This allows unique reporting, ticketing, dynamic asset list creation and tracking for each compliance issue.

For More Information

Tenable has placed several dozen .audit files online which can perform comprehensive audits of UNIX and Windows systems. These policies are derived from the US-CERT, NIST and NSA guides for locking down UNIX and Windows servers. Documentation and tools for creating your own policies are also located at that site. Compliance audits with Nessus 3 are available to all Direct Feed subscribers and Security Center users.
