Group Policy to disable Autorun

Fizzgig — Wed, 21 Jan 2009 10:59:10 +0000

Well, its been a while, but I thought I’d share this little snippet.

Theres a big hoo-ha going round at the minute about a number of viruses that are exploiting autorun.inf to spread.

You can read all the gorey details over at CERT “Microsoft Windows Does Not Disable AutoRun Properly”

Essentially, the recommended fix is to set a registry key. I did read somewhere that this makes windows handle the file as a Win95 ini file but sadly I can’t find the blog/article where I read that anymore.

Approaching this as a sysadmin and wanting to undertake minimal effort to resolve this issue I’ve create a Group Policy adm file to solve apply it to all the machines in an Active Directory domain. I’ve copied the contents below and attached the file to this post.

To use it:

Create a new group policy object in your AD
Edit it, right click on the Administrative Templates folder and remove all the default ones listed and add the one below.
Right click on the Administrative Templates folder and change the view filtering to not hide settings that can’t be fully managed
Group poicy editor will now display the setting to disable autorun which will set the appropriate registry key

ADM files are just text. You can either download the one below or copy and paste this (watch for the line wrap on the last line!):

; US-CERT Technical Cyber Security Alert TA09-020A -- Microsoft Windows Does Not Disable AutoRun Properly
; http://www.us-cert.gov/cas/techalerts/TA09-020A.html
;
;FIX:
;REGEDIT4
;   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
;   @="@SYS:DoesNotExist"
;
;
CLASS MACHINE
	CATEGORY !!RegistryFixes
		POLICY !!AutoRunInfSYSDoesNotExist
	        #if version >= 4
	            SUPPORTED !!SUPPORTED_WindowsXPSP2
	        #endif
	        EXPLAIN !!AutoRunInfSYSDoesNotExist_Help
	        KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
	        VALUENAME ""
	            VALUEON "@SYS:DoesNotExist"
	            VALUEOFF DELETE
    	END POLICY
    END CATEGORY ; DisableRemovableStorage
[strings]
RegistryFixes="Registry Settings"
SUPPORTED_WindowsXPSP2="Microsoft Windows XP Professional SP2 or later"
AutoRunInfSYSDoesNotExist="Disable auto handling of Autorun.inf"
AutoRunInfSYSDoesNotExist_Help="As per US-CERT Technical Cyber Security Alert TA09-020A -- Microsoft Windows Does Not Disable AutoRun Properly\n\n\nhttp://www.us-cert.gov/cas/techalerts/TA09-020A.html"

If you find this article useful, buy me a beer!

OpenDNS – free filtered DNS for the masses

Fizzgig — Mon, 11 Feb 2008 22:51:22 +0000

I’ve just started using a new (free) service called OpenDNS – http://www.opendns.com – at home and I’ve also set it up at work.

You need to know very little about How The Web Works™ to know that this can be a good thing.

DNS is where your computer takes a name like www.livejournal.com and turns it into a number that is used to route your computer to the right webserver.

OpenDNS doesn’t just give you the correct address for a website. It maintains a list of Phishing websites and redirects these to a safe page warning you about the site you were about to visit.

Of additional interest to me for its use at my work (and to parents who’s kids have access to the Internet) is that they don’t just categorise phishing websites, but they also have categories of adult and mature sites you can bar if you want (once you’ve signed up)

Took me a few minutes to setup (a little extra poking required at work, naturally). Very unintrusive – no software to install, just a couple of settings to change and they have lots of help pages on how to do that.

If you find this article useful, buy me a beer!

Arricc » security

Group Policy to disable Autorun

OpenDNS – free filtered DNS for the masses