Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Disabling autorun for mapped network drives

from [Jesse Eaton] Network Security [Permanent Link]
Subject: RE: Disabling autorun for mapped network drives
Date: Thu, 26 Jul 2007 19:17:40 +0200 
It's standard practice to disable autorun functionality for all our client
machines. You can set the local policy on a machine before imaging it. Then
all client builds that roll out will be set up.

Or you can set up a GPO, if you're in a domain environment. Enabling the
following Group Policy will do the trick:
User Config/Administrative Templates/System/Turn off Autoplay

Enable it for All Drives.

Also, McAfee VirusScan Enterprise default Access Protection rules block
autorun.inf's from running on protected machines. And you can manage McAfee
policies through ePO.

Or you can push a .reg file to all your machines to disable auto run. A
query by your favorite search engine will show you the values to edit...
Hope this helps.

-Jesse


-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Johnny Wong
Sent: Thursday, July 26, 2007 4:03 AM
To: security-basics@securityfocus.com
Subject: Disabling autorun for mapped network drives

Hello all,

Over the past few months, we have faced situations where user PCs were
infected with virus when they connect to network mapped drives. 
What happened was that the virus creates "autorun.inf" in the root of the
shared network drive, so users who double-click the drive in Explorer, the
autorun.inf executes the linked virus-infected executable. Evem though the
user PCs have anti-virus installed, the incidents we faced so far, the virus
was not detectable. It was realised later that the virus was a new strain.

We have tried to disable the mapped-drives autorun feature (based on
registry key settings); however, it was not foolproof because the
autorun.inf was still able to execute in some cases. We found later from
Microsoft's KB (http://support.microsoft.com/kb/933008) that this registry
setting may not work. So we did not roll out this registry settings to the
users.

Anyone of you facing the same situation as me? I can only think of the
following solutions:

- keep AV signatures updated - this is not foolproof because most of the
time, the virus writers are leading the game. So we can only try to send the
first specimen we find ASAP to the AV vendors so that they could develop
signatures for them. Guessed by that time, a number of users would have been
infected.

- run a task on the file server that regularly checks for presence of
autorun.inf in the root of the shared folders, and if found, rename or
delete them. Implementation of this task will impact the performance of the
server when it hosts a lot of shared folders.

Please share your workarounds if you have any.

Thank you,

JW
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Administrators & Power Users, Tinu Koshy (CISD)
Next by Date:  Re: New Spam Delivery Technique, Ansgar -59cobalt- Wiechers
Previous by Thread:  Disabling autorun for mapped network drives, Johnny Wong
Next by Thread:  Re: Disabling autorun for mapped network drives, Ansgar -59cobalt- Wiechers
Indexes:  [Date] [Thread] [Top] [All Lists]