AutoRun and the companion feature AutoPlay are components of the Microsoft Windows operating system that dictate what actions the system takes when a drive is mounted. The main purpose of AutoRun is to provide helpful actions and capabilities when removable media or network shares are mounted. When such a device is mounted, the autorun.inf file from the media is parsed. This file specifies which commands the system should run. Many companies use this functionality to automatically start up their installers when a CD-ROM is inserted, but attackers can also use it to run data extraction sessions or automatic installations of malware.

AutoRun and AutoPlay can be friendly features, but they are almost never necessary in an enterprise environment.  The security risk typically far outweighs any benefit.

All AutoRun/AutoPlay features are controlled by values stored in the Windows registry. There are a number of ways to set these values, including

• Group Policy
• Double-clicking a .REG file containing registry settings

Disabling AutoRun Using Group Policy

If you think that Windows Group Policy would be the most convenient and thorough way to distribute such a policy, you’d be partly right. The only gotcha is that a number of people report that it doesn’t always get every machine. I’d recommend both belt and suspenders—use a GPO to catch future machines, but set each existing machine by hand to make sure none fall through the cracks today.

Before configuring Group Policy, you must ensure that one of the following updates has been applied to each of the machines you intend to configure. Note that only one update applies to each machine.

• Update for Windows Server 2003 for Itanium-based Systems (KB967715)
• Update for Windows Server 2003 x64 Edition (KB967715)
• Update for Windows Server 2003 (KB967715)
• Update for Windows XP x64 Edition (KB967715)
• Update for Windows 2000 (KB967715)
• Windows Vista-based and Windows Server 2008-based systems must have update 950582 (Security bulletin MS08-038) installed to take advantage of the registry key settings that disable AutoRun.

This update will create a new registry entry, HonorAutorunSetting. Without the update, autorun.inf gets read even with AutoRun disabled, but simply does not execute any AutoPlay commands inside. This still allows attacks to be made using autorun.inf, and HonorAutorunSetting should be set to 1 to disable this. The default is 1 after the patch is applied.

To disable all AutoRun features in Windows Server 2003, Windows XP Professional and Windows 2000,

• Click Start, click Run, type gpmc.msc in the Open box, and then click OK. If you don’t yet have GPMC installed, do so first.
• Choose an appropriate Group Policy Object in the left pane (or create a new one and attach it in the appropriate place), right-click it, and select Edit.
• Under Computer Configuration, expand Administrative Templates, and then click System.
• In the Settings pane, right-click Turn off Autoplay, and then click Properties. Note: In Windows 2000, the policy setting is named Disable Autoplay.
• Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
• Click OK to close the Turn off Autoplay Properties dialog box.

Windows will propagate the group policy settings to all machines controlled by the edited Group Policy Object. Once the settings have been applied to a computer, it must be rebooted before the changes take effect.

Disabling AutoRun Using a Registry File

Create a file called autorun.reg containing the following lines.  Some of the lines here are long; make sure you don’t break them in the middle somewhere when you cut and paste the text below.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutorunSetting"=dword:00000001
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:000000ff

On each computer to be updated, browse to this file and double-click it. The computer must be rebooted for the changes to take effect.