Mitigating Removable Storage Infection Vector Using Group Policy

Removable storage is a very common malware infection vector. While Group Policy allows removable storage to be disabled entirely, this is not always possible due to usability requirements.

This post outlines what we can do in an Active Directory environment to mitigate this threat. 

In most cases, malware of this kind abuses some form of AutoPlay or AutoRun functionality to execute itself and infect the system.

Group Policy offers three settings that help mitigate this threat.

They can be found under "Computer Configuration" > "Administrative Templates" > "Windows Components" > "AutoPlay Policies".

[Screenshot: AutoPlay Policies configuration]

The configuration shown above disables all AutoPlay and AutoRun features, so nothing on a removable device is run automatically.

Another useful setting is found under "Computer Configuration" > "Administrative Templates" > "Windows Components" > "Removable Storage Access".

[Screenshot: Removable Storage Access configuration]

This setting prevents executables or scripts from being run directly from a removable storage device.

Combined, the settings above improve our defences against malware.
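The post describes the settings but does not name them individually or show how to verify that they reached a workstation. The following PowerShell script is an added example, not part of the original post: it audits a machine by reading the registry values that these Administrative Template policies write, and optionally pushes the same values into a GPO with the GroupPolicy module. The policy-to-registry mapping (the "Turn off Autoplay", "Set the default behavior for AutoRun" and "Disallow Autoplay for non-volume devices" settings under AutoPlay Policies, and "Removable Disks: Deny execute access" under Removable Storage Access, whose key is named after the Removable Disks device-class GUID) is the standard one for these settings and is the assumption behind the checks; the GPO name passed to the remediation function is a placeholder.

```powershell
# Added example (not from the original post): verify that the AutoPlay and
# Removable Storage Access policies are actually in effect on this host by
# reading the registry values those Group Policy settings write.
# Assumed mapping (standard for these Administrative Template settings):
#   Turn off Autoplay (all drives)              -> NoDriveTypeAutoRun     = 0xFF
#   Set the default behavior for AutoRun        -> NoAutorun              = 1
#   Disallow Autoplay for non-volume devices    -> NoAutoplayfornonVolume = 1
#   Removable Disks: Deny execute access        -> Deny_Execute           = 1
# Run from an elevated prompt after "gpupdate /force" on a domain-joined client.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# The GUID is the Removable Disks device-class id used by the Removable Storage Access policies.
$RemovableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

$Checks = @(
    [pscustomobject]@{ Setting = 'Turn off Autoplay (all drives)';           Path = $ExplorerPolicy; Name = 'NoDriveTypeAutoRun';     Expected = 0xFF }
    [pscustomobject]@{ Setting = 'Default AutoRun behavior: do not execute'; Path = $ExplorerPolicy; Name = 'NoAutorun';              Expected = 1 }
    [pscustomobject]@{ Setting = 'Disallow Autoplay for non-volume devices'; Path = $ExplorerPolicy; Name = 'NoAutoplayfornonVolume'; Expected = 1 }
    [pscustomobject]@{ Setting = 'Removable Disks: Deny execute access';     Path = $RemovableDisks; Name = 'Deny_Execute';           Expected = 1 }
)

function Test-RemovableStoragePolicy {
    # Returns one row per setting with the expected value, the value found, and a Compliant flag.
    foreach ($c in $Checks) {
        # Get-ItemProperty yields $null (no terminating error) when the key or value is absent,
        # which is exactly the "policy never applied here" case we want to surface.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Setting   = $c.Setting
            Expected  = $c.Expected
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Compliant = ($actual -eq $c.Expected)
        }
    }
}

function Set-RemovableStoragePolicy {
    # Writes the same values into an existing GPO so GPMC shows them as the
    # corresponding Administrative Template settings. Requires the GroupPolicy
    # module (RSAT / domain controller). $GpoName is a placeholder to replace.
    param([Parameter(Mandatory)][string]$GpoName)
    Import-Module GroupPolicy
    foreach ($c in $Checks) {
        # Set-GPRegistryValue expects "HKLM\..." rather than the PSDrive form "HKLM:\...".
        $key = $c.Path -replace '^HKLM:\\', 'HKLM\'
        Set-GPRegistryValue -Name $GpoName -Key $key -ValueName $c.Name -Type DWord -Value $c.Expected | Out-Null
    }
}

$results = Test-RemovableStoragePolicy
$results | Format-Table -AutoSize

if ($results.Compliant -contains $false) {
    Write-Warning 'One or more removable-storage protections are not applied; check GPO scope and run gpupdate /force.'
    exit 1
}
```

The audit is deliberately read-only and uses the machine-scoped (HKLM) paths, because the policies discussed live under Computer Configuration; a row showing `<not set>` means the GPO did not reach the host (wrong OU, WMI filter, or replication lag) rather than that the value was set incorrectly. Run `Set-RemovableStoragePolicy -GpoName '<your GPO name>'` only from a management host where the GroupPolicy module is available.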
