Detections
Analytics

CSCv6|8.3

Title

Limit use of external devices to those with an approved, documented business need.

Description

Limit use of external devices to those with an approved, documented business need. Monitor for use and attempted use of external devices. Configure laptops, workstations, and servers so that they will not auto-run content from removable media, like USB tokens (i.e., 'thumb drives'), USB hard drives, CDs/DVDs, FireWire devices, external serial advanced technology attachment devices, and mounted network shares. Configure systems so that they automatically conduct an anti-malware scan of removable media when inserted.

Reference Item Details

Category: Malware Defenses

Family: System

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1.1.2.1.23 Configure 'Devices: Restrict CD-ROM access to locally logged-on user only'WindowsCIS Windows 2003 MS v3.1.0
1.1.1.2.1.23 Configure 'Devices: Restrict CD-ROM access to locally logged-on user only'WindowsCIS Windows 2003 DC v3.1.0
1.1.1.2.1.35 Set 'Devices: Allowed to format and eject removable media' to 'Administrators'WindowsCIS Windows 2003 MS v3.1.0
1.1.1.2.1.35 Set 'Devices: Allowed to format and eject removable media' to 'Administrators'WindowsCIS Windows 2003 DC v3.1.0
1.1.1.2.1.67 Configure 'Devices: Restrict floppy access to locally logged-on user only'WindowsCIS Windows 2003 DC v3.1.0
1.1.1.2.1.67 Configure 'Devices: Restrict floppy access to locally logged-on user only'WindowsCIS Windows 2003 MS v3.1.0
1.1.2.46 Set 'Audit Policy: Object Access: Removable Storage' to 'No Auditing'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.4.2 Configure 'Devices: Restrict floppy access to locally logged-on user only'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.4.3 Set 'Devices: Allowed to format and eject removable media' to 'Administrators and Interactive Users'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.4.4 Configure 'Devices: Restrict CD-ROM access to locally loggedon user only'WindowsCIS Windows 8 L1 v1.0.0
1.1.21 Disable AutomountingUnixCIS Debian 8 Workstation L2 v2.0.1
1.1.21 Disable AutomountingUnixCIS Ubuntu Linux 16.04 LTS Server L1 v1.1.0
1.1.21 Disable AutomountingUnixCIS Debian 8 Server L1 v2.0.1
1.1.21 Disable AutomountingUnixCIS Debian 8 Workstation L2 v2.0.2
1.1.21 Disable AutomountingUnixCIS Debian 8 Server L1 v2.0.2
1.1.21 Disable AutomountingUnixCIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
1.1.21 Disable AutomountingUnixCIS Ubuntu Linux 16.04 LTS Workstation L2 v1.1.0
1.1.22 Disable AutomountingUnixCIS Ubuntu Linux 18.04 LTS Server L1 v2.0.1
1.1.22 Disable AutomountingUnixCIS Ubuntu Linux 18.04 LXD Host L1 Server v1.0.0
1.1.22 Disable AutomountingUnixCIS Ubuntu Linux 18.04 LTS Workstation L2 v2.0.1
1.1.22 Disable AutomountingUnixCIS SUSE Linux Enterprise Workstation 11 L2 v2.1.0
1.1.22 Disable AutomountingUnixCIS Distribution Independent Linux Server L1 v2.0.0
1.1.22 Disable AutomountingUnixCIS Distribution Independent Linux Workstation L2 v2.0.0
1.1.23 Disable AutomountingUnixCIS Ubuntu Linux 18.04 LTS Workstation L2 v2.1.0
1.1.23 Disable AutomountingUnixCIS Ubuntu Linux 20.04 LTS Server L1 v1.1.0
1.1.23 Disable AutomountingUnixCIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
1.1.23 Disable AutomountingUnixCIS Ubuntu Linux 20.04 LTS Workstation L2 v1.1.0
1.1.23 Disable USB Storage - lsmodUnixCIS Distribution Independent Linux Server L1 v2.0.0
1.1.23 Disable USB Storage - lsmodUnixCIS Distribution Independent Linux Workstation L2 v2.0.0
1.1.23 Disable USB Storage - modprobeUnixCIS Distribution Independent Linux Server L1 v2.0.0
1.1.23 Disable USB Storage - modprobeUnixCIS Distribution Independent Linux Workstation L2 v2.0.0
1.1.26 Disable AutomountingUnixCIS Distribution Independent Linux Workstation L2 v1.1.0
1.1.26 Disable AutomountingUnixCIS Distribution Independent Linux Server L1 v1.1.0
1.2.4.1.1 Set 'Turn off Autoplay on' to 'Enabled:All drives'WindowsCIS Windows 8 L1 v1.0.0
1.9.8 Devices: Allowed to format and eject removable mediaWindowsCIS Windows 2008 Enterprise v1.2.0
1.9.8 Devices: Allowed to format and eject removable mediaWindowsCIS Windows 2008 SSLF v1.2.0
1.9.10 Devices: Restrict CD-ROM access to locally logged-on user onlyWindowsCIS Windows 2008 SSLF v1.2.0
1.9.10 Devices: Restrict CD-ROM access to locally logged-on user onlyWindowsCIS Windows 2008 Enterprise v1.2.0
1.9.11 Devices: Restrict floppy access to locally logged-on user onlyWindowsCIS Windows 2008 Enterprise v1.2.0
1.9.11 Devices: Restrict floppy access to locally logged-on user onlyWindowsCIS Windows 2008 SSLF v1.2.0
17.3.1 (L1) Ensure 'Audit PNP Activity' is set to include 'Success'WindowsCIS Microsoft Windows 10 Enterprise (Release 1803) v1.5.0 Level 1
17.3.1 Ensure 'Audit PNP Activity' is set to include 'Success'WindowsCIS Microsoft Windows 10 Enterprise (Release 20H2) v1.10.1 L1 + BL + NG
17.3.1 Ensure 'Audit PNP Activity' is set to include 'Success'WindowsCIS Microsoft Windows 10 Enterprise (Release 1903) v1.7.1 L1 + BL + NG
17.3.1 Ensure 'Audit PNP Activity' is set to include 'Success'WindowsCIS Microsoft Windows 10 Enterprise (Release 21H1) v1.11.0 L1 + BL
17.3.1 Ensure 'Audit PNP Activity' is set to include 'Success'WindowsCIS Microsoft Windows 10 Enterprise (Release 1809) v1.6.1 L1
17.3.1 Ensure 'Audit PNP Activity' is set to include 'Success'WindowsCIS Microsoft Windows 10 Enterprise (Release 2004) v1.9.1 L1 + BL
17.3.1 Ensure 'Audit PNP Activity' is set to include 'Success'WindowsCIS Microsoft Windows 11 Enterprise v1.0.0 L1 + NG
17.3.1 Ensure 'Audit PNP Activity' is set to include 'Success'WindowsCIS Microsoft Windows 10 Enterprise (Release 20H2) v1.10.1 L1 + NG
17.3.1 Ensure 'Audit PNP Activity' is set to include 'Success'WindowsCIS Microsoft Windows 10 Enterprise (Release 1909) v1.8.1 L1 + BL
17.3.1 Ensure 'Audit PNP Activity' is set to include 'Success'WindowsCIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL + NG