3.11.6.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'

Information

This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines.

The recommended state for this setting is: Enabled: Do not execute any autorun commands

Prior to Windows Vista, when media containing an autorun command was inserted, the system would automatically execute the program without user intervention. This creates a major security concern, as code may be executed without the user's knowledge. Starting with Windows Vista, the default behavior is to prompt the user whether the autorun command should be run. The autorun command is represented as a handler in the AutoPlay dialog.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: Do not execute any autorun commands

Administrative Templates\Windows Components\AutoPlay Policies\Set the default behavior for AutoRun

Impact:

AutoRun commands will be completely disabled.

See Also

https://workbench.cisecurity.org/benchmarks/16853

Item Details

Category: MEDIA PROTECTION

References: 800-53|MP-7, CSCv7|8.5

Plugin: Windows

Control ID: 83603c735b7d77b8ccb545d4a30582bed53c7e6f35ed84c7f9d29f1a320857f3