• On MovieTome: CAPTAIN AMERICA was in THE HULK?!?
March 15, 2008 10:19 PM PDT

USB flash drives need a condom

Posted by Michael Horowitz
  • Font size
  • Print

Many Windows users are annoyed by the Autoplay feature. But Leo Notenboom recently explained why it is dangerous, rather than annoying.

Many of us, when we run across an unknown USB flash drive (a.k.a. thumb drive, pen drive, memory stick, etc.) will stick it in a computer to see what's on the thing. It's at this point that Autoplay can screw you big time.

Unlike with CDs, Autoplay on a USB flash drive will run a program immediately, no questions asked. Quoting Leo "USB Thumbdrives or flash drives are a non-obvious but easy way to spread malware." The only thing most malicious software needs is for you to run the program. The Windows Autoplay feature, for flash drives, hands this service to the bad guys on a silver platter.

The question posed to Leo was "I found a USB thumb drive, plugged it in and now my system won't work. What happened?" His answer: the computer was probably infected with some type of malicious software.

Windows XP

To disable Autoplay totally, Leo suggests a free program from Microsoft for Windows XP called TweakUI. TweakUI is needed for Windows XP Home Edition users, but XP Professional can do this without the extra software (TweakUI will work on XP Professional).

The downloaded program, TweakUiPowertoySetup.exe, is only 146K. When you run the program it installs immediately, no questions asked, no decisions to be made. It does not create a desktop icon for itself, so you find it with Start -> All Programs -> Powertoys for Windows XP. To turn off AutoPlay system-wide, run TweakUI, start at My Computer -> Autoplay -> Types -> turn off the checkboxes.


Disabling Autoplay in Windows XP Professional with Group Policy

Windows XP Professional can disable Autoplay using the built-in Group Policy feature (see above). To invoke the Group Policy Editor, click the Start button, then Run and enter "gpedit.msc" without the quotes. Go to Computer Configuration -> Administrative Templates -> System. Scroll down to "Turn off Autoplay" and double click on it. It starts out in a "Not Configured" state. Click on the "Enabled" radio button, then for  "Turn off Autoplay on"   select "All drives".

Windows 2000

Windows 2000 does not, by default, Autoplay on USB flash drives. Nonetheless, it supports Group Policies that can be used to disable Autoplay system-wide. Quoting the operating system itself:

"By default, Autoplay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives. If you enable this policy, you can also disable Autoplay on CD-ROM drives, or disable Autoplay on all drives."

Disabling Autoplay in Windows 2000 with Group Policy

The procedure to disable Autoplay system-wide is very much like that in XP Professional. Click the Start button, then Run, and enter "gpedit.msc" without the quotes. Go to Computer Configuration -> Administrative Templates -> System. Scroll down to "Disable Autoplay" and double-click on it.

At this point, the terminology couldn't be any worse. What does it mean to disable the policy that disables Autoplay? Do two wrongs make a right? As shown above, enable the policy and then "Disable Autoplay on All drives."

Windows Vista

As with Windows XP, the expensive versions of Vista (Business and Ultimate) include a Group Policy editor. To run it, click the Start button and in the search box type "gpedit.msc" without the quotes. Browse to Windows Components, then to AutoPlay Policies. Change the value of "Turn off Autoplay" to enabled.

The cheap versions of Vista, such as Home Premium, can do this in the Control Panel. Under Hardware and Sound, click on "Play CDs or other media automatically." Then uncheck the checkbox for "Use AutoPlay for all media and devices."

Is This Enough?

I have seen reports online that the above measures are not sufficient to fully protect you from autorun/autoplay in all instances. I can't evaluate these claims for myself, but even if they are true, there is no doubt that you are safer disabling autorun as described above than you are not disabling it.

Update: March 16, 2008: Just for good luck, make a Restore Point before changing the Autoplay default. See Four tips to using System Restore on Windows XP.

Update: March 17, 2008: Added section on Windows 2000.

Update: August 27, 2008: Added section on Windows Vista.

See a summary of all my Defensive Computing postings.

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
Topics:

Windows,

Software,

FYI

Tags:

Autoplay,

Windows,

USB flash drives

Bookmark:
Digg
Del.icio.us
Reddit
Recent posts from Defensive Computing
Fixing bugs in the Flash Player yet again
Getting more battery power for your computer
Get an MSI Wind Netbook for only $349
Not interested in a Netbook computer? Consider the Honda Fit
Beware emails linking to blogspot.com
When Word documents break
More about printer ink rip-offs
Some computers are too important to be networked
Add a Comment (Log in or register) 15 comments
by parispat March 16, 2008 1:29 AM PDT
Thanx for opening the door just a little bit wider into the arcane world of Windoze!

ParisPat
Reply to this comment
by ruminator March 17, 2008 7:41 AM PDT
What about XP Media Center?
Reply to this comment
by mhinnewyork March 17, 2008 9:59 AM PDT
I don't know about XP Media Center and don't have access to a copy to test with.
Michael
by Schmeddy September 3, 2008 9:17 AM PDT
Windows XP Media Center is just a specialized version of Windows Professional (is like Windows XP Pro+) therefore just follow the Windows Professional instructions.
by brocklin March 17, 2008 11:23 AM PDT
Autoplay has its valued uses, but glad there is a way to disable it for some devices.Having said that - isn't it kind of dumb to be attempting to place an 'unknown' USB or whatever on a system - seems to go against a standard rule of common sense. Guess this falls into the category of users who still open emails from unknowns which contain 'exe' and other obvious signs - these same folks seem to thin that using spyware and virus detection software is for woozies - yeah right.
Reply to this comment
by mhinnewyork March 17, 2008 2:55 PM PDT
To: brocklin

It is NOT DUMB to insert a USB flash drive into a computer. What is dumb is Microsoft changing the default from not allowing Autoplay on removable devices in Windows 2000 to allowing it in Windows XP. The bad guy here is Microsoft, for not protecting people and making it too easy for USB drives will auto-install malicious software. This would make a great Mac-vs-PC commercial.

Michael Horowitz
Reply to this comment
by ruminator March 17, 2008 11:30 PM PDT
It is BEYOND DUMB, double duh?, to put anything into anything else if you didn't know what that thing being inserted was... How could you, a defensive expert, argue otherwise? Would you pick up a glass of clear liquid and drink it without knowing what it was? The person who would insert an"UNKNOWN USB FLASH DRIVE" (your language) into a computer without knowing anything about it is not going to have the basic IQ to do what your blog suggests; the person with enough smarts to follow your simple precautions wouldn't be sticking unknown objects into anything.
Reply to this comment
by sachin_nn August 28, 2008 1:55 AM PDT
What can you do if one of ur friend gives you a pen drive to get some articles/docs for him/her from ur lappy/computer and if that has malicious s/w? Bcos you know it is from a know friend & ur friend is also unaware of that?
by A_N_Onymous March 18, 2008 8:26 AM PDT
Disabling AutoPlay just on USB drives doesn't work to defeat this attack -- U3 drives are considered by the OS to be CD-ROM/DVD-equivalents, so you need to disable AutoPlay on ALL drives for safety.
Reply to this comment
by ajpik August 28, 2008 5:40 AM PDT
Just FYI: My version of Vista Home Premium has an "Autoplay" listed under Control Panel. I just unchecked the "use autoplay for all devices" right at the top.
Reply to this comment
by stones732 August 31, 2008 6:09 AM PDT
Thanks for the good tip!
by thgolding August 28, 2008 9:36 AM PDT
Using "Disabling Autoplay in Windows XP Professional with Group Policy" I got as far as "administration templates" and then "System" was not there. I suppose a Window's update modified this. Is there another way? Using Windows XP Professional.
Reply to this comment
by mhinnewyork August 29, 2008 1:31 PM PDT
Yes, the tweakui program works on XP Professional. Michael Horowitz
by drstockton August 28, 2008 1:06 PM PDT
Thanks for the "turn off autoplay" idea
Reply to this comment
by techman21 August 28, 2008 1:24 PM PDT
Good idea, we've disabled it through GP here, but if the user opens My Computer and double-clicks the drive, the default action is still "Autoplay", not "Explore". Very dumb, Microsoft! I've searched and searched and can't find a way to change the default action when double-clicking a removable drive.

Also, how else would you see what's on a flash drive other than putting it into a computer? Although most users don't know about holding shift.
Reply to this comment
advertisement

In the news now

Slowing expectations at a green-tech start-up

Six months ago, biofuels start-up Mascoma had the wind in its sails, as did the rest of the clean-tech sector. Now, the company is treading carefully and scaling back.


With JavaFX, Sun seeks new coders, new revenue

With the launch of JavaFX 1.0, Sun is trying to reclaim Java's strength as a foundation for rich Internet applications. But it's no longer the incumbent.


Tim Lincecum, motion capture star

San Francisco Giants pitcher, who won the Cy Young award last month, dons a motion capture suit for 2K Sports' Major League Baseball 2K9 video game.


Resource center from CNET News sponsors
Business. Ready.
Sony VAIO® Professional PCs.

Click Here!
A new grade in mobility demands a new kind of notebook. And Sony delivers.Tough, portable and featuring up to 7.5 hours of battery life! VAIO® Professional notebooks are built for business. Learn more.

Click Here!
Built tough for business.

Learn more about the rigorous quality testing Sony puts its notebooks through.

Protect your investment.

Find out why VAIO® tech support recently won a Laptop Editors' Choice Award, July 2008.

Long battery life.

Up to 7.5 hours of battery life! See how VAIO® PCs will keep you productive longer when on the road.

Travel light

Check out our ultraportable line-up, starting at 2.87 lbs.

PCs for every need.

Find out which VAIO® notebook is right for you.

About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.

Disclosure.

Add this feed to your online news reader

Defensive Computing topics

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
Latest news
Business tech
Green tech
Wireless
Security
Media
Popular topics
Apple iPhone
Apple iPod
CES
Cell phones
Dell
GPS
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
Corrections
Customer Help Center
RSS
What's new
About CNET