Removable media is a serious threat vector that malware can exploit in any manufacturing facility, so it is essential to use methods that protect against it. The next several blog posts in this series will describe different methods to reduce the risk of a cyber attack that uses removable media as the launch method. While each solution is beneficial on its own, a defense-in-depth approach is always recommended.
The majority of Windows operating systems, Windows 95 through Windows 10, include a default Windows application called the Registry Editor (or Regedit). This application gives the user access to the Windows registry of the device, enabling a user to change the base system parameters. One item that can be addressed this way is removable media. There is a different registry key for each type of removable media device, including USB devices, CDs, floppy drives, and SD memory cards.
To access the Windows Registry Editor, open the Start menu and type regedit into the Search bar (for Windows 7 and 10), or open the Run application, type regedit, and press Enter (pre-Windows 7). This will launch the Registry Editor application.
The left-hand side of the application displays a navigation pane. For removable media, two of the registry key directories will be used: HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER. For each directory, follow the steps below to lock down removable media access points on the device.
Expand the navigation folders as follows: SYSTEM -> CurrentControlSet -> Services
For USB devices, navigate down to the registry key labelled USBSTOR. Select that registry key. Select the registry value named “Start”, right-click on it, and select Modify. Make sure the Base is set to Hexadecimal. Change the value to 4 and click OK.
For CDs, navigate down to the registry key labelled cdrom. Select that registry key. Select the registry value named “Start”, right-click on it, and select Modify. Make sure the Base is set to Hexadecimal. Change the value to 4 and click OK.
For floppy drives, navigate down to the registry key labelled flpydisk. Select that registry key. Select the registry value named “Start”, right-click on it, and select Modify. Make sure the Base is set to Hexadecimal. Change the value to 4 and click OK.
For SD memory cards, navigate down to the registry key labelled sdstor. Select that registry key. Select the registry value named “Start”, right-click on it, and select Modify. Make sure the Base is set to Hexadecimal. Change the value to 4 and click OK.
Note that after changing the registry value, the change does not take effect until the PC is rebooted. However, to make it take effect immediately, navigate to the desktop, right-click, and choose Refresh. This should cause the changes made in Registry Editor to take effect immediately.
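The same four Start values can be audited, and optionally set to 4, from PowerShell, which is easier to repeat across many workstations than editing each key by hand. This is an added example, not part of the original post; the `-Enforce` switch and the status labels are names chosen here, and the script assumes it is run from an elevated (administrator) prompt.

```powershell
# Added example: audit (and optionally enforce) Start = 4 on the four
# storage driver keys named in the steps above.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Enforce   # hypothetical switch: without it the script only reports
)

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$drivers = [ordered]@{
    USBSTOR  = 'USB devices'
    cdrom    = 'CDs'
    flpydisk = 'Floppy drives'
    sdstor   = 'SD memory cards'
}
$disabled = 4   # Start = 4 marks the driver service as disabled

$report = foreach ($name in $drivers.Keys) {
    $path = Join-Path $servicesRoot $name
    $row  = [ordered]@{ Key = $name; Media = $drivers[$name]; Start = $null; Status = '' }

    if (-not (Test-Path $path)) {
        # Key absent on this Windows version: nothing to lock down here
        $row.Status = 'KeyMissing'
    }
    else {
        $start = (Get-ItemProperty -Path $path -Name Start -ErrorAction SilentlyContinue).Start
        $row.Start = $start
        if ($null -eq $start) {
            $row.Status = 'StartValueMissing'   # report only, do not create the value
        }
        elseif ($start -eq $disabled) {
            $row.Status = 'Disabled'
        }
        elseif ($Enforce -and $PSCmdlet.ShouldProcess($path, "Set Start to $disabled")) {
            Set-ItemProperty -Path $path -Name Start -Value $disabled -Type DWord
            $row.Start  = $disabled
            $row.Status = 'Changed'
        }
        else {
            $row.Status = 'Enabled'
        }
    }
    [pscustomobject]$row
}

$report | Format-Table -AutoSize
```

Run it without arguments to get a report of the current state, with `-Enforce -WhatIf` to preview the changes, and with `-Enforce` to apply them.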