In the wake of the Conficker worm spreading via removable storage devices among other methods, Microsoft said on Tuesday it is making a change to the way Windows 7 handles USB drives.
As a result of the change, most USB drives will not be able to automatically launch a program using a Windows feature known as AutoRun, Microsoft said in a post on its Security Research & Defense Blog.
So if an infected USB drive is inserted into a machine, the AutoRun task will not be displayed, Microsoft said.
Fixed removable media, such as CDs and DVDs, will still be able to use AutoRun. Also, some specialised 'smart' USB flash drives, such as those containing U3 software, will still be able to appear as DVD drives, effectively allowing them to also use AutoRun, Microsoft cautioned.
The change will show up in the release candidate version of Windows 7 that is being released to developers this week and publicly on 5 May.
Microsoft said it is planning on making the change available on Windows Vista and Windows XP, as well.
In February, Microsoft released an update for Windows AutoRun that allows people to selectively disable the AutoRun functionality for drives on a system or network to provide more security. The update addressed an issue that prevented the NoDriveTypeAutoRun registry key from functioning as expected. Disabling AutoRun functionality can help prevent the execution of arbitrary code when a removable storage device is used.
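As an added illustration (not code from Microsoft or from the original article), this Python example decodes a NoDriveTypeAutoRun value and reports which drive types still have AutoRun enabled. The bit meanings and the rule that HKLM overrides HKCU follow Microsoft's documentation for this policy; the `must_disable` baseline and the sample values are assumptions constructed for the example.

```python
import sys

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"
# A set bit disables AutoRun for that drive type; 0xFF disables every type.
DRIVE_BITS = {"unknown": 0x01, "removable": 0x04, "fixed": 0x08,
              "network": 0x10, "cdrom": 0x20, "ramdisk": 0x40}

def effective_value(hklm, hkcu):
    """HKLM wins: when the value exists there, the HKCU copy is ignored."""
    return hklm if hklm is not None else hkcu

def autorun_enabled_types(value):
    """Drive types whose disable bit is clear in the policy value."""
    return sorted(name for name, bit in DRIVE_BITS.items() if not value & bit)

def audit(hklm, hkcu, must_disable=("removable", "network")):
    """Compare the effective policy with a baseline (baseline is an assumption)."""
    value = effective_value(hklm, hkcu)
    if value is None:
        return {"value": None, "enabled": None,
                "findings": ["policy not set; OS default applies"]}
    enabled = autorun_enabled_types(value)
    findings = [f"AutoRun still enabled for {t} drives"
                for t in must_disable if t in enabled]
    if hklm is not None and hkcu is not None and hklm != hkcu:
        findings.append("HKCU value differs from HKLM and is ignored")
    return {"value": value, "enabled": enabled, "findings": findings}

def read_policy(hive_name):
    """Read the value from a live registry (Windows only); None if absent."""
    import winreg
    try:
        with winreg.OpenKey(getattr(winreg, hive_name), POLICY_KEY) as key:
            value, _kind = winreg.QueryValueEx(key, VALUE_NAME)
    except FileNotFoundError:
        return None
    # Older systems may store the value as REG_BINARY instead of REG_DWORD.
    return int.from_bytes(value, "little") if isinstance(value, bytes) else value

if __name__ == "__main__":
    if sys.platform == "win32":
        report = audit(read_policy("HKEY_LOCAL_MACHINE"),
                       read_policy("HKEY_CURRENT_USER"))
    else:
        report = audit(0x91, None)  # constructed sample value
    print(report)
```
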
The AutoRun functionality has been blamed for malware that has infected USB thumb drives (leading to a temporary ban on their use at the US Defense Department), digital photo frames and other storage types.
Microsoft detailed additional security features in Windows 7 during the RSA security conference last week.






Talkback
Great move Microsoft! This is increasing general awareness of the need to control and manage the usage of USB devices within businesses. Many of these businesses are in need of such solutions now - so they should seek a suitable device control solution. Lumension has now provided an implementation of its Device Control solution - Lumension Device Control for System Center (DCSC) - whereby Microsoft customers can now leverage Configuration Manager 2007’s powerful centralised management capabilities to deploy and enforce device control and data encryption policies in both physical and virtual environments.
The Lumension DCSC seamlessly integrates into the Configuration Manager 2007 environment, eliminating the need for Microsoft customers to implement separate hardware and software to employ data security across their network. Lumension DCSC allows customers to use the Configuration Manager 2007 console and standard user interface to create, deploy and monitor very granular device control policies across groups and devices managed by the System Center. Policies will be continually enforced even when systems are not connected to the System Center environment.
Additionally, organisations managing virtualized systems with Configuration Manager 2007 can use Lumension DCSC to enforce policy on the virtual USB and CD/DVD hardware. The same policy and enforcement capabilities are supported for both host (physical) and guest (virtual) systems.
This provides an immediate solution to one of the biggest challenges that organisations are facing in implementing adequate data leakage controls.