Auto-run disabled on all endpoints
Demonstrate that AutoRun and AutoPlay functionality is disabled on all Windows endpoints through Group Policy or equivalent configuration management to prevent automatic execution of potentially malicious code from external media and network sources.
Description
What this control does
This control ensures that Windows AutoRun and AutoPlay features are disabled across all endpoint devices to prevent automatic execution of code from removable media, network shares, and external devices. AutoRun automatically executes commands from an autorun.inf file when media is inserted, while AutoPlay prompts users to select a default action for content types. Disabling these features prevents malware from executing without user interaction when infected USB drives, optical media, or network locations are accessed.
Control objective
What auditing this proves
Demonstrate that AutoRun and AutoPlay functionality is disabled on all Windows endpoints through Group Policy or equivalent configuration management to prevent automatic execution of potentially malicious code from external media and network sources.
Associated risks
Risks this control addresses
- USB-based malware automatically executes when infected removable media is connected to an endpoint, bypassing user awareness and consent
- Worm propagation through network shares exploiting AutoRun to spread laterally across the environment without requiring user interaction
- Social engineering attacks leveraging deceptive autorun.inf files that masquerade malicious executables as legitimate content handlers
- Physical access attacks where adversaries insert pre-configured USB devices that automatically deploy backdoors or data exfiltration tools
- Insider threats simplified through use of USB-based attack tools that require no technical sophistication to deploy
- Compromise of air-gapped systems via infected removable media that executes payloads automatically upon insertion
- Ransomware deployment accelerated through automatic execution from compromised shared network drives or external storage
Testing procedure
How an auditor verifies this control
- Obtain and review the current Group Policy Object (GPO) settings or endpoint management configuration templates that control AutoRun and AutoPlay behavior across the organization.
- Export registry settings for AutoRun-related keys (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer and HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer) from a representative sample of endpoints across different organizational units and device types.
- Select a stratified random sample of at least 15-25 endpoints representing different departments, operating system versions, and deployment methods (domain-joined, workgroup, mobile).
- Connect to each sampled endpoint and verify that the NoDriveTypeAutoRun registry value is set to 0xFF (255 decimal), which disables AutoRun for all drive types.
- Verify that the DisableAutoplay registry value is set to 0xFF (255 decimal), or that the Group Policy setting 'Turn off AutoPlay' is configured for 'All drives'.
- Physically test a subset of endpoints by inserting a controlled USB device containing a benign autorun.inf file to confirm no automatic execution or prompt occurs.
- Review endpoint management system compliance reports or configuration baselines to identify any devices reporting non-compliant AutoRun settings.
- Interview IT operations staff to confirm processes exist for maintaining AutoRun disabled state during system imaging, updates, and exception handling.
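The registry checks in the procedure above can be collected from the sampled endpoints in one pass. The following PowerShell script is an added example, not part of the original control text or any vendor tooling; it assumes the auditor has registry read rights on each endpoint and that WinRM is enabled, and the computer names are constructed placeholders.

```powershell
# Added example for the testing procedure above; not part of the original control text.
# Assumptions: registry read rights on each endpoint, WinRM enabled for Invoke-Command,
# and placeholder computer names that must be replaced with the real audit sample.

function Test-AutoRunDisabled {
    # Reads NoDriveTypeAutoRun from both policy hives named in the procedure and
    # reports whether each one is set to 0xFF (all drive types). A missing value is
    # reported as non-compliant, because the Windows default leaves some drive
    # types enabled rather than disabling AutoRun outright.
    $explorerPolicyKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($key in $explorerPolicyKeys) {
        $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun `
                      -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Hive         = $key.Split(':')[0]
            Value        = if ($null -eq $value) { 'missing' } else { '0x{0:X2}' -f $value }
            Compliant    = ($value -eq 0xFF)
        }
    }
}

# Constructed sample of endpoints; replace with the stratified sample selected
# for the audit (different departments, OS versions and deployment methods).
$sampleEndpoints = @('WS-FIN-001', 'WS-HR-014', 'LT-SALES-022')

# Run the check on each endpoint. Note that HKCU on a remote session reflects the
# account used for that session, not the interactive user, so the HKLM row is the
# authoritative evidence for the machine-wide policy.
$report = Invoke-Command -ComputerName $sampleEndpoints `
                         -ScriptBlock ${function:Test-AutoRunDisabled}

# Flag any hive that is not set to 0xFF and keep the full result as audit evidence.
$report | Where-Object { -not $_.Compliant } |
    Format-Table ComputerName, Hive, Value, Compliant -AutoSize
$report | Export-Csv -Path .\autorun-audit.csv -NoTypeInformation
```

Endpoints that report 'missing' or any value other than 0xFF in the HKLM row should be traced back to the GPO scope or configuration baseline in the compliance reports reviewed in the previous step.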
Where this control is tested