Task 2.6: Securing Hardware Devices

One of the biggest challenges that a security administrator faces is that of users connecting devices to the systems you are hired to protect. These rogue devices, such as USB thumb drives, can be used to introduce unlicensed software and malware onto the computer system and to take sensitive information away from the office. These devices can be used as an attack vector by bad guys, causing backdoor or rootkit software to execute without the user’s knowledge or desire.

The U3 system installed on USB thumb drives makes the USB drive appear to the operating system as a CD-ROM drive. By default, Windows processes the autorun.inf file if one is found in the root of a CD-ROM drive. This file can be altered to launch executables without the user’s knowledge or intervention.

The U3 system can be installed onto a thumb drive by using the U3 LaunchPad Installer utility that can be downloaded from http://u3.sandisk.com/download/apps/LPInstaller.exe.

Scenario

A coworker finds a thumb drive and plugs it into his office computer to see what is on it. Within a day he is unable to print to his desktop printer, he can’t seem to find those files that were on the hard drive yesterday, and the only website he can connect to is www.boboville.com.

Your coworker just got pwned. Pwned is hacker jargon meaning that someone has taken advantage and control of a victim and his computer system. (The term pwned is thought to be the result of a simple typo of the word owned, since the key for the letter P is adjacent to the key for the letter O.)

After repairing the computer, you must make sure this type of event doesn’t ever happen again.

Scope of Task

Duration

This task should take 30 minutes.

Setup

You will configure the system to ensure that executables—and in the case we’re considering, virus-infected executables—do not autoexecute just because a device is connected to the computer. The second part of this security measure is to disable the user’s ability to connect removable media devices to his computer systems. The third part of this security measure is to teach unwitting users about the dangers of connecting foreign and unapproved devices to their computer systems. This is usually handled in security-awareness training, which should be an annual requirement for all employees.

Caveat

This procedure requires the direct editing of the Registry. Improper editing of the Registry can cause applications and the operating system to hang or crash.

In addition, you will be creating and modifying an Active Directory Group Policy Object (GPO). The GPO is a powerful tool used to configure settings on large numbers of computers and users in the AD environment. Misconfiguring the GPO can lead to serious complications for AD users. Specifically, the GPO settings described in the following procedure will tattoo the Registry on the computers that the GPO is applied to. In Windows NT, system policies wrote their settings into files on the hard drive, making them persistent (tattooed). Most GPO settings do not tattoo the Registry in Windows 2000 and above, but some GPO settings do. For these few persistent settings, simply removing the GPO will not remove the applied settings. You will need to reverse the settings of the GPO and apply the new GPO in AD, which will tattoo the affected computers’ settings again. Then you can remove the GPO.

Procedure

You will begin to secure hardware devices by disabling the Autorun function that processes the autorun.inf file in the root of CD-ROM drives. Next you will create and import an administrative template into a Windows GPO that can be used to disable USB, floppy, CD-ROM, and LS-120 removable media drives for systems in an AD environment.

Equipment Used

For this task, you must have:

  • Any Windows XP or Windows Server 2003 system
  • Windows Server 2003 domain controller
  • Domain Administrator access

Details

Disabling the CD-ROM Autorun Function

1. Log on to a Windows XP or Windows Server 2003 system as a Local or Domain Administrator.


If Autorun is enabled for the CD-ROM drive, you can manually and selectively disable the Autorun function by pressing and holding the Shift key while you insert the CD-ROM disc. In Windows Vista and Windows 7 you can configure AutoPlay for media content by selecting Control Panel ⇒ Hardware And Sound ⇒ AutoPlay.

2. Select Start ⇒ Run and type regedit to launch Regedit. Click OK.

3. Expand the folders in the left pane: HKEY_LOCAL_MACHINE ⇒ System ⇒ CurrentControlSet ⇒ Services ⇒ Cdrom.


4. Notice that the Autorun setting in the right pane is set to a value of 1. This setting enables the Autorun function.

5. Double-click the Autorun value to open the Edit dialog box.

6. Change the Value Data setting from 1 to 0.


7. Click OK.

8. Double-check your configuration setting to verify that the Autorun value is now set to 0. This disables the CD-ROM Autorun function.

9. Close Regedit and restart the computer to effect the new setting.


Improper editing of the Registry could cause your system, applications, and/or processes to fail. Make changes only if you are certain of your actions.

Disabling External Storage Devices Using a GPO

1. Log on to a Windows Server 2003 domain controller as a Domain Administrator.

2. Open Notepad.exe.

3. Enter the following script into Notepad:

CLASS MACHINE
CATEGORY !!category
  CATEGORY !!categoryname
    POLICY !!policynameusb
      KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
      EXPLAIN !!explaintextusb
      PART !!labeltextusb DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
    POLICY !!policynamecd
      KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
      EXPLAIN !!explaintextcd
      PART !!labeltextcd DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 1 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
    POLICY !!policynameflpy
      KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
      EXPLAIN !!explaintextflpy
      PART !!labeltextflpy DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
    POLICY !!policynamels120
      KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
      EXPLAIN !!explaintextls120
      PART !!labeltextls120 DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
  END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables USB ports by disabling usbstor.sys driver"
explaintextcd="Disables CD-ROM Drive by disabling cdrom.sys driver"
explaintextflpy="Disables Floppy Drive by disabling flpydisk.sys driver"
explaintextls120="Disables High Capacity Floppy Drive by disabling sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"


To copy and paste this script, rather than typing it manually, access the copy at http://support.microsoft.com/kb/555324.

4. Save the Notepad file as DisableExtStorage.adm. This is called an administrative (ADM) template. Verify the saved filename. Notepad has an annoying habit of adding a .txt extension to files. If the file has a second extension of .txt, remove the extraneous .txt extension.

5. Move (or copy) the DisableExtStorage.adm file to the Windows\inf folder on the domain controller.

6. Select Start ⇒ All Programs ⇒ Administrative Tools. Launch Active Directory Users And Computers.

7. Right-click on the domain name and select New ⇒ Organizational Unit.


8. Create a new OU named Bogus.

9. Right-click on the new Bogus OU and select Properties.


10. In the resulting dialog box, select the Group Policy tab and click the New button. Type the name Disable External Storage for the new GPO, and click the Edit button.


11. Right-click on Administrative Templates under Computer Configuration and select Add/Remove Templates.


12. Click the Add button and select the new ADM template named DisableExtStorage.adm. Click Open and then click Close.


13. Expand Computer Configuration ⇒ Administrative Templates. Notice the new Custom Policy Settings folder. This is the collection of settings you just added with the new ADM template.

14. Expand the Custom Policy Settings folder and click the Restrict Drives folder.


15. The new settings aren’t shown. Because of the tattooing nature of these settings, they are considered preference settings rather than the fully managed settings that do not tattoo the Registries of affected computers. You must enable the display of preference settings. To do so, select View ⇒ Filtering.


Remember that these new settings tattoo the Registry of affected computers by writing these changes to the Registry files on the target computer’s hard drive. To remove these settings, you must reverse the GPO settings and then reapply them to your computers.

16. Deselect the Only Show Policy Settings That Can Be Fully Managed check box, and then click OK.


17. You may need to expand the Custom Policy Settings folder and click on the Restrict Drives folder again. The GPO configuration settings will then be displayed for you, and you can disable external storage devices.


18. Double-click on the Disable USB Setting in the right pane.

19. To prevent affected computers from mounting connected USB drives, click the Enabled radio button and then select Enabled from the Disable USB Ports drop-down list. (In the template, the Enabled item writes a Start value of 4 to the USBSTOR service key, which keeps the usbstor.sys driver from loading.)


20. Click OK to save and apply the setting.

21. You can disable additional floppy, CD-ROM, and LS-120 external storage devices in the same way.

22. Close the GPO by clicking the X in the upper-right corner of the GPO Editor window.

23. Click OK in the Bogus OU Properties dialog box. This setting will now be effective on any computer objects you place in the Bogus OU.


Microsoft provides a white paper on using ADM templates in GPOs. You can download it from www.microsoft.com/downloads/details.aspx?FamilyID=e7d72fa1-62fe-4358-8360-8774ea8db847&displaylang=en.


A technical reference document about ADM templates is available at http://go.microsoft.com/fwlink/?LinkId=35291.

Criteria for Completion

You have completed this task when you have disabled the CD-ROM Autorun function by using the Regedit utility and when you have created, added, and configured the ADM template to disable external storage devices in a GPO.
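The following PowerShell audit script is an added example, not part of the original task, for confirming on an affected client that both procedures took effect: it reads the Cdrom Autorun value and the Start value of each driver service the ADM template targets. It assumes an elevated PowerShell session on the client being checked and treats a missing service key (driver not installed) as not applicable.

```powershell
# Added audit script (not part of the original task): reads the registry values
# the two procedures above change and reports whether each is in the hardened state.
# Assumes an elevated PowerShell session on the client being checked.
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Driver services the ADM template targets; a Start value of 4 disables the driver.
$driverChecks = @(
    @{ Name = 'USBSTOR';  Label = 'USB mass storage (usbstor.sys)' },
    @{ Name = 'Cdrom';    Label = 'CD-ROM (cdrom.sys)' },
    @{ Name = 'Flpydisk'; Label = 'Floppy (flpydisk.sys)' },
    @{ Name = 'Sfloppy';  Label = 'High-capacity floppy (sfloppy.sys)' }
)

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$results = @()

# Procedure 1: the Cdrom service's Autorun value must be 0.
$autorun = Get-RegValueOrNull -Path "$services\Cdrom" -Name 'Autorun'
$results += [pscustomobject]@{
    Check = 'Cdrom\Autorun'; Value = $autorun; Expected = 0; Pass = ($autorun -eq 0)
}

# Procedure 2: each targeted driver service's Start value must be 4 (disabled).
# A missing key means the driver is not installed, which is reported as not applicable.
foreach ($d in $driverChecks) {
    $start = Get-RegValueOrNull -Path "$services\$($d.Name)" -Name 'Start'
    $shown = $start
    if ($null -eq $start) { $shown = 'n/a' }
    $results += [pscustomobject]@{
        Check    = "$($d.Name)\Start ($($d.Label))"
        Value    = $shown
        Expected = 4
        Pass     = (($null -eq $start) -or ($start -eq 4))
    }
}

$results | Format-Table -AutoSize
# A non-zero exit code lets a logon script or scheduled task flag a non-compliant client.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
exit 0
```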
