While it can be exploited via network or WebDAV shares, it is removable drives that are the most likely vector for exploitation. A big part of that is our old friend, autorun, which has been the cause of problems before.
If you haven't yet disabled autorun in your organization, I strongly suggest you look into it. Microsoft have some details on how to accomplish this here:
- How to disable the Autorun functionality in Windows
- How to correct "disable Autorun registry key" enforcement in Windows
Well, it turns out that Windows will override this setting if you insert a USB drive that your computer has already seen. I received an email from Susan Bradley that links to an article on Nick Brown's blog, "Memory stick worms." Nick mentions the MountPoints2 registry key, which keeps track of all USB drives your computer has ever seen. I'll admit, I didn't know this existed! I'm glad Nick wrote about it, though.
Nick also includes a little hack that effectively disables all files named "autorun.inf." Interesting, but something in me prefers to make Windows just plain forget about all the drives it's seen. So now I will amend my instructions. In addition to what I wrote earlier, you should also write a small script, and execute it through group policy, that deletes the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
I hadn't seen that registry key mentioned before, but it looks well worth investigating...
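One way to write the logon script described above, as an added example that is not from the original post or from Nick Brown's article. It assumes the script runs as a per-user Group Policy logon script, that a log file in the user's temp directory is acceptable, and that autorun was disabled with the `NoDriveTypeAutoRun` policy value covered in Microsoft's guidance.

```powershell
# Added example: per-user logon script (Group Policy, User Configuration).
# Clears the MountPoints2 cache so Windows forgets the drives this profile has seen.
$ErrorActionPreference = 'Stop'
$mountPoints = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$policyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$logFile     = Join-Path $env:TEMP 'clear-mountpoints2.log'   # assumed log location

function Write-Log([string]$Message) {
    ('{0:u} {1}' -f (Get-Date), $Message) | Add-Content -Path $logFile
}

# Deleting the cache only helps if autorun itself is disabled by policy.
# 0xFF in NoDriveTypeAutoRun disables it for every drive type.
$policy = Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
if ($null -eq $policy -or $policy.NoDriveTypeAutoRun -ne 0xFF) {
    Write-Log 'WARNING: NoDriveTypeAutoRun is not 0xFF; autorun is not fully disabled.'
}

if (-not (Test-Path -LiteralPath $mountPoints)) {
    Write-Log 'MountPoints2 not present; nothing to do.'
    exit 0
}

# Record what was cached before removal, including entries that carry a
# cached AutoRun handler (Shell\AutoRun subkey).
$entries = @(Get-ChildItem -LiteralPath $mountPoints -ErrorAction SilentlyContinue)
$cached  = @($entries | Where-Object {
    Test-Path -LiteralPath (Join-Path $_.PSPath 'Shell\AutoRun')
})
Write-Log ('Found {0} cached mount points, {1} with an AutoRun handler.' -f $entries.Count, $cached.Count)

try {
    Remove-Item -LiteralPath $mountPoints -Recurse -Force
    Write-Log 'MountPoints2 deleted.'
}
catch {
    # Explorer can hold the key open or recreate it; log the failure and let
    # the next logon retry rather than blocking the user's session.
    Write-Log ('ERROR: could not delete MountPoints2: {0}' -f $_.Exception.Message)
    exit 1
}

# Explorer may recreate an empty key immediately; report any leftovers.
if (Test-Path -LiteralPath $mountPoints) {
    $left = @(Get-ChildItem -LiteralPath $mountPoints -ErrorAction SilentlyContinue).Count
    Write-Log ('MountPoints2 exists after deletion with {0} subkeys.' -f $left)
}
```

Because the key lives under HKEY_CURRENT_USER, the script has to run in each user's context; a computer startup script would not reach it.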