10.3
IG1 IG2 IG3

Disable Autorun and Autoplay for Removable Media

Control Group: 10. Malware Defenses
Asset Type: Devices
Security Function: Protect

Description

Disable autorun and autoplay auto-execute functionality for removable media.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

USB-Based Malware Auto-Execution

Integrity

Malware-laden USB devices automatically execute malicious payloads when inserted into systems with autorun enabled, a technique used in targeted attacks (Stuxnet-style) and opportunistic campaigns where infected USB drives are distributed in public areas.

Removable Media Worm Propagation

Availability

Self-propagating worms spread across the enterprise via removable media by leveraging autorun functionality to copy themselves to every USB device inserted, then executing automatically on each new system the device connects to.

Social Engineering via Dropped USB Devices

Confidentiality

Attackers deliberately leave infected USB drives in parking lots, lobbies, or conference rooms, and autorun functionality causes malicious payloads to execute immediately when curious employees insert the devices into their workstations.

Vulnerabilities (When Safeguard Absent)

Autorun and Autoplay Enabled on Enterprise Assets

Windows autorun and autoplay features remain enabled at default settings, allowing removable media to automatically execute programs, scripts, or installers without requiring explicit user action beyond inserting the device.

No Group Policy Enforcement Disabling Auto-Execute

Group policies or configuration management tools have not been configured to disable autorun and autoplay across all enterprise assets, leaving systems vulnerable to automatic execution of removable media content.
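One way to check a Windows asset for the two conditions above, as an added example that is not part of the CIS text. It reads the machine-level registry values written by the Group Policy settings "Turn off Autoplay", "Set the default behavior for AutoRun" and "Disallow Autoplay for non-volume devices"; the output file name is an assumption, and only HKLM is checked.

```powershell
# Added example: audit the HKLM registry values behind the autorun/autoplay policies
# and export the result as evidence. $OutFile is an assumed name; change as needed.
$OutFile = '.\autorun-autoplay-audit.csv'

$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$checks = @(
    [pscustomobject]@{ Policy   = 'Turn off Autoplay (all drives)'
                       Path     = $explorerPolicy
                       Name     = 'NoDriveTypeAutoRun'
                       Expected = 255 },   # 0xFF = every drive type
    [pscustomobject]@{ Policy   = 'Default AutoRun behavior: do not execute autorun commands'
                       Path     = $explorerPolicy
                       Name     = 'NoAutorun'
                       Expected = 1 },
    [pscustomobject]@{ Policy   = 'Disallow Autoplay for non-volume devices'
                       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
                       Name     = 'NoAutoplayfornonVolume'
                       Expected = 1 }
)

$results = foreach ($c in $checks) {
    # A missing key or value means the policy was never applied to this machine.
    $actual = $null
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($item) { $actual = $item.($c.Name) }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Policy    = $c.Policy
        Value     = "$($c.Path)\$($c.Name)"
        Expected  = $c.Expected
        Actual    = if ($null -eq $actual) { 'not set' } else { $actual }
        Compliant = ($actual -eq $c.Expected)
        Checked   = (Get-Date).ToString('s')
    }
}

$results | Format-Table -AutoSize
$results | Export-Csv -Path $OutFile -NoTypeInformation

# Non-zero exit code lets a configuration management tool flag the asset.
if ($results.Compliant -contains $false) { exit 1 }
```

A value reported as "not set" means the asset is still at its default and the policy has not reached it; the CSV can be kept as the quarterly technical evidence item.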

Evidence Requirements

Type | Evidence Item | Collection Frequency
Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly
Document | Procedure documentation for protection measures | Reviewed annually
Document | Governing policy document (current, approved, communicated) | Reviewed annually