Security Basics mailing list archives

Re: Basic Windows Security Question


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 5 Apr 2005 12:13:14 +0200

On 2005-03-31 David Gillett wrote:
  I think we're overdue for a "don't permit code execution from
removable R/W devices" OS security policy entry.  Doesn't matter
whether it's a floppy, a thumb drive, a USB/firewire hard drive....
  (The 'R/W' qualifier is to allow autorun CDs to be handled
separately.)

I have to disagree with that. There is (almost) no point in preventing
execution of files on removable media since a user could copy the
executable file to his %USERPROFILE% (or someplace else he can write to)
and execute it from there. Plus I don't see why one would want to handle
CD-R differently from other media. Malware may just as well reside on a
user-burnt CD as it may on a USB stick or something else. What you
really want (from a security point of view) is to prevent autoplay in
general. Automatic execution of code is evil. You may also want to
whitelist the executables users are allowed to run.

For Windows 2000/XP there is a policy to prevent autoplay on all drives
(both user and computer configuration: administrative templates\system).
Also you have Software Restriction Policies that allow for whitelisting
of executables.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
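
The two controls named in the message above (the "Turn off Autoplay" policy and a default-deny Software Restriction Policy) as an added worked example; this is not part of the original post or thread. It writes the registry values those Group Policy settings are backed by and reads them back. Assumptions: a modern PowerShell on Windows, run elevated; the allow-list paths, the function names and the rule descriptions are this example's own choices, and in a domain you would push the same settings through Group Policy rather than writing the registry directly.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Registry locations below are the
# ones the corresponding Group Policy settings write to.

$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$saferRoot      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Disable-AutoplayAllDrives {
    # "Turn off Autoplay: All drives" (Administrative Templates\System) sets
    # NoDriveTypeAutoRun to 0xFF, one bit per drive type, so removable media,
    # CD/DVD and fixed disks are all covered. HKLM is the computer configuration;
    # the same value under HKCU is the user configuration.
    New-Item -Path $explorerPolicy -Force | Out-Null
    Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Set-SrpDefaultDeny {
    # Software Restriction Policies: default security level Disallowed (0), plus
    # path rules at level Unrestricted (0x40000 = 262144) that allow only the OS
    # and Program Files trees. An executable copied to %USERPROFILE% or run from
    # a USB stick is then refused no matter which medium it arrived on.
    $unrestricted = 0x40000
    New-Item -Path $saferRoot -Force | Out-Null
    Set-ItemProperty -Path $saferRoot -Name 'DefaultLevel'       -Value 0 -Type DWord
    Set-ItemProperty -Path $saferRoot -Name 'TransparentEnabled' -Value 1 -Type DWord  # 1 = all software files except libraries
    Set-ItemProperty -Path $saferRoot -Name 'PolicyScope'        -Value 0 -Type DWord  # 0 = all users, local admins included

    # Allow-list (assumed paths for this example; adjust to the software you deploy).
    $allowed = @('%SystemRoot%', '%ProgramFiles%', '%ProgramFiles(x86)%')
    foreach ($path in $allowed) {
        $ruleKey = Join-Path $saferRoot ("$unrestricted\Paths\" + [guid]::NewGuid().ToString('B'))
        New-Item -Path $ruleKey -Force | Out-Null
        Set-ItemProperty -Path $ruleKey -Name 'ItemData'    -Value $path -Type ExpandString
        Set-ItemProperty -Path $ruleKey -Name 'SaferFlags'  -Value 0     -Type DWord
        Set-ItemProperty -Path $ruleKey -Name 'Description' -Value "Allow $path (added example)" -Type String
    }
}

function Test-RemovableMediaHardening {
    # Read back the two settings so the state can be checked before a logoff.
    $auto = (Get-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $lvl  = (Get-ItemProperty -Path $saferRoot      -Name 'DefaultLevel'       -ErrorAction SilentlyContinue).DefaultLevel
    [pscustomobject]@{
        AutoplayOffAllDrives = ($auto -eq 0xFF)
        SrpDefaultDisallowed = ($lvl -eq 0)
    }
}

Disable-AutoplayAllDrives
Set-SrpDefaultDeny
Test-RemovableMediaHardening
```

Both settings take effect for new logon sessions (or after `gpupdate /force`). Test the SRP allow-list on a non-production machine first: with the default level at Disallowed, anything installed outside the listed trees, including per-user installers under %USERPROFILE%, stops running, which is exactly the point of the policy but surprises users. On Windows XP the NoDriveTypeAutoRun value only became fully effective for autorun.inf handling after a later Microsoft update (KB967715); on a patched system it behaves as described.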
