
Tenable Blog


Auditing Windows 2003 Servers for Disabled USB Drives and AutoRun CD-ROM

Many organizations have IT configuration policies that require CD and USB drives to be disabled. This blog entry describes a simple way to use a Nessus 3 .audit file to test a Windows 2003 server for the registry settings that disable "AutoRun" of programs on CDs and disable USB drives.

Windows 2003 Registry Settings

On Windows 2003 servers, the following registry setting controls "AutoRun" for CD drives:

HKLM\SYSTEM\CurrentControlSet\Services\Cdrom

If the item "AutoRun" is set to zero, the system won't automatically run programs on CDs when they are inserted into the server. Below is a screen shot, with the "AutoRun" item circled, of a Windows 2003 server's registry settings viewed in the regedit.exe tool:

[Screen shot: regedit.exe showing HKLM\SYSTEM\CurrentControlSet\Services\Cdrom with the "AutoRun" item circled]

To disable USB drives, the following registry setting should be set to a value of "4":

HKLM\SYSTEM\CurrentControlSet\Services\UsbStor\start=4

According to Microsoft Knowledge Base #823732, systems that have this setting in place will have their USB drives completely disabled. Please note that this registry setting only applies to USB storage devices that are being installed and has no effect on devices already attached to a server.

Example .audit File

The following is a self-contained .audit file which tests that the registry settings for CD-ROM "AutoRun" and USB storage drives are set to the disabled values described above:

<check_type: "Windows">
<group_policy: "Audits Windows 2003 Systems for AutoRun and USB storage devices being disabled">

<custom_item>
        type: REGISTRY_SETTING
        description: "CD AutoRun Disabled"
        value_type: POLICY_DWORD
        value_data: 0
        reg_key: "HKLM\SYSTEM\CurrentControlSet\Services\Cdrom"
        reg_item: "AutoRun"
        reg_type: REG_DWORD
</custom_item>

<custom_item>
        type: REGISTRY_SETTING
        description: "USB Storage Devices Are disabled"
        value_type: POLICY_DWORD
        value_data: 4
        reg_key: "HKLM\SYSTEM\CurrentControlSet\Services\UsbStor"
        reg_item: "start"
        reg_type: REG_DWORD
</custom_item>

</group_policy>
</check_type>

Click below to download the example .audit file:

Download autorun-disabled.audit

Using this .audit file with Nessus 3 For Windows

Nessus 3 Direct Feed subscribers can save the above .audit file to their local computer. They should then create a scan policy which makes use of this .audit file and has the appropriate credentials to read the registry of the audited systems.

If an existing scan policy with the right credentials is available, consider adding this .audit file as a second or third policy. Each scan policy can have up to 5 separate UNIX and Windows .audit files.

Below is a screen shot of an example report generated by the above .audit file from a test Windows 2003 server.

[Screen shot: Nessus 3 report for the test Windows 2003 server, showing the results of the two compliance checks]

Vulnerability ID #21157 is the value assigned to all Windows compliance audit results. In the results, it can be seen that CD-ROM "AutoRun" has indeed been disabled, but the UsbStor "start" value is "3", so USB storage devices are still enabled.
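To show how the two checks in the .audit file above turn into the pass/fail results seen in the report, here is an added Python example (not Tenable's code and not the parser inside Nessus) that reads the REGISTRY_SETTING items out of the .audit text and evaluates them against a registry snapshot. The snapshot is constructed to mirror the test server in the report: AutoRun is 0 (compliant) and the UsbStor start value is 3 (non-compliant). The registry value names are compared case-insensitively, as Windows does, so the audit's "start" matches a registry entry stored as "Start"; a missing value is reported as an error rather than a pass, since nothing can be claimed about a setting that was not found.

```python
"""Evaluate the REGISTRY_SETTING / POLICY_DWORD subset of a Nessus-style .audit
file against a registry snapshot.  Added example, not Tenable's parser; the
snapshot below is constructed to match the report discussed in the post."""
import re

# The .audit file from the post (only the fields this example understands).
AUDIT_TEXT = r'''
<check_type: "Windows">
<group_policy: "Audits Windows 2003 Systems for AutoRun and USB storage devices being disabled">

<custom_item>
        type: REGISTRY_SETTING
        description: "CD AutoRun Disabled"
        value_type: POLICY_DWORD
        value_data: 0
        reg_key: "HKLM\SYSTEM\CurrentControlSet\Services\Cdrom"
        reg_item: "AutoRun"
        reg_type: REG_DWORD
</custom_item>

<custom_item>
        type: REGISTRY_SETTING
        description: "USB Storage Devices Are disabled"
        value_type: POLICY_DWORD
        value_data: 4
        reg_key: "HKLM\SYSTEM\CurrentControlSet\Services\UsbStor"
        reg_item: "start"
        reg_type: REG_DWORD
</custom_item>

</group_policy>
</check_type>
'''

# Constructed registry snapshot mirroring the test server in the post:
# AutoRun already disabled (0), UsbStor still at its default start type (3).
SNAPSHOT = {
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Cdrom", "AutoRun"): 0,
    (r"HKLM\SYSTEM\CurrentControlSet\Services\UsbStor", "Start"): 3,
}

ITEM_RE = re.compile(r"<custom_item>(.*?)</custom_item>", re.S)
# One "name: value" line; surrounding double quotes are stripped from the value.
FIELD_RE = re.compile(r'^\s*(\w+)\s*:\s*"?(.*?)"?\s*$', re.M)


def parse_audit(text):
    """Return one dict of field -> value per <custom_item> block."""
    return [dict(FIELD_RE.findall(body)) for body in ITEM_RE.findall(text)]


def lookup(snapshot, reg_key, reg_item):
    """Registry key paths and value names are case-insensitive on Windows."""
    want = (reg_key.lower(), reg_item.lower())
    for (key, item), data in snapshot.items():
        if (key.lower(), item.lower()) == want:
            return data
    return None


def evaluate(items, snapshot):
    """Return (description, status, actual_value) for each item."""
    results = []
    for it in items:
        if it.get("type") != "REGISTRY_SETTING" or it.get("value_type") != "POLICY_DWORD":
            results.append((it.get("description", "?"), "SKIPPED", None))
            continue
        actual = lookup(snapshot, it["reg_key"], it["reg_item"])
        expected = int(it["value_data"])
        if actual is None:
            status = "ERROR"    # value absent: cannot claim compliance
        elif actual == expected:
            status = "PASSED"
        else:
            status = "FAILED"
        results.append((it["description"], status, actual))
    return results


def audit(text=AUDIT_TEXT, snapshot=SNAPSHOT):
    return evaluate(parse_audit(text), snapshot)


if __name__ == "__main__":
    for desc, status, actual in audit():
        print(f"[{status}] {desc} (actual value: {actual})")
```

Running the script prints a PASSED line for the AutoRun check and a FAILED line for the USB storage check, matching the report above. On a live Windows host the constructed SNAPSHOT would be replaced by values read from the registry; as the post notes, a UsbStor start value of 4 only blocks USB storage devices that are newly installed, so a passing result says nothing about devices that were attached before the setting was applied.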

Using this .audit file with the Security Center

Security Center users should have their administrator save the .audit file to the /opt/sc3/admin/nasl directory, and then restart the Security Center to ensure it gets pushed out to all of the managed Nessus scanners.

To make use of the new .audit file, either a new scanning policy should be created with the proper Windows credentials that makes use of the new .audit file, or this new .audit file should be added to an existing scanning policy. Like Nessus 3, scanning policies in the Security Center can also use multiple .audit files.

Below is a screen shot of the results of a scan against the same Windows 2003 server we tested above with Nessus 3.

[Screen shot: Security Center results for the same Windows 2003 server, showing the two compliance checks as IDs #60186 and #60187]

Since these compliance results have been imported into the Security Center, they have been given unique IDs of #60186 and #60187. The Security Center interprets Nessus plugin IDs #21156 (UNIX) and #21157 (Windows) as "compliance" IDs and re-maps these to IDs greater than 65000. This allows for unique reporting, ticketing, dynamic asset list creation and tracking for unique compliance issues.

For More Information

Tenable has placed several dozen .audit files online which can perform comprehensive audits of UNIX and Windows systems. These policies are derived from the United States CERT, NIST and NSA organizations' guides for locking down UNIX and Windows servers. Documentation and tools are also located at that site which can be used to create your own policies. Compliance audits with Nessus 3 are available to all Direct Feed subscribers and Security Center users.
