Comments on Windows Incident Response: Honor Thy Settings
(comment feed last updated 2024-03-19 07:46 -05:00; 6 comments, newest first)

Comment by Anonymous, 2008-12-05 13:51 -05:00:

Harlan - Yep. Already had planned on doing that (MS fix) on all our systems over the weekend. Thank you!

hogfly - Wonderful tips! I use a Kanguru device and use the switch often. I will have to look specifically for that feature when I pick up a USB drive for her and show her how/when to use it.

Also like the suggestion on making the renamed folder. Clever!

Thanks gentlemen! And great/timely post!

--Cheers!

Comment by hogfly (https://www.blogger.com/profile/00741773109962883616), 2008-12-05 10:58 -05:00:

There are ways to mitigate risk on a USB stick.

1) Buy one with a write block switch. Kanguru sells these.

2) Create a directory (yes, a directory) named Autorun.inf. This is known to help mitigate the ability of the malware to write to the drive.

3) Disable Autorun using group policy on your computers and force the following registry change:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

These steps work.

And it is completely reasonable for you to question the schools.

Comment by H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2008-12-05 10:46 -05:00:

Claus,

> 4) Need to figure out a "reasonable" way for daughter-unit to use a USB drive between school/friends houses/systems and our own but that will minimize chance of infecting our own.

Read the blog post. No automagical execution of autorun.inf files once set...you can even set the specific drive types to which it applies. Set in the HKLM hive. AV is a secondary solution.

What I'd love to do is be able to set admin-defined actions to occur based on an event on the system, much like WFP, rather than as a scheduled task...

Comment by Anonymous, 2008-12-05 09:51 -05:00:

Harlan,

From a sysadmin perspective I'm 100% on board.

However, from a "consumer/dad" perspective I'm a bit more frustrated.

Daughter unit needed a USB stick to take to school to save work from a computer lab if her assignment work wasn't completed. Asked a few days in advance and promptly forgot. Got in the car a few days later and remembered and asked her about it. She said she had the forethought to grab one of our old/small USB sticks (32MB?) and had it with her.

I had to confiscate it with regret.

1) I didn't know what of our data was still on it and needed to "audit" it and remove anything of importance in case of loss/theft at the school.

2) I needed to make sure it was "clean" of anything that might get her into trouble at school for "possessing" (forbidden utilities perhaps such as pentesting tools and other PUPs, etc.).

3) I have NO idea the condition of the lab PCs she will be using at school. Don't know how their IT department maintains them, what AV/AM software is used, how often they are scanned/checked for rootkits and other baddies, etc. So cross-infection of our systems could be a real possibility.

4) Need to figure out a "reasonable" way for daughter-unit to use a USB drive between school/friends houses/systems and our own but that will minimize chance of infecting our own. Going to have to spend time looking at my new AV/AM software to check out automatic detection and scanning/access settings for removable (USB) devices.

(Sigh)

It's hard being an IT dude AND a dad these days. Oh to be blissfully unaware....

Would it be appropriate and reasonable to visit the school one day to request information on their IT policy and audit/security procedures? Or would that just freak them out as some kind of pen-test attack?

I'm curious how many families even think about these things as a threat risk. I know I certainly do....

Comment by H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2008-12-05 08:31 -05:00:

Like a lot of other things, this appears to be something where MS has had the information posted, and then during some kind of investigation, someone found out that the settings were not working. At that point, most likely due to the visibility of the 'victim', MS was engaged, and now there's a fix to the fix, one where you need to (a) install an update, and then (b) create and set a Registry value.

Comment by hogfly (https://www.blogger.com/profile/00741773109962883616), 2008-12-05 08:26 -05:00:

I've been dealing with incidents involving USB malware for over two months straight now. 10% of everything, if not more now, is capable of this method of spreading. Autorun needs to be disabled on every system. I discussed this in a few posts for the responder, but it applies to the end user/sysadmin as well.