Block Auto-run on Removable Devices Guideline

UC Berkeley security policy mandates compliance with the Minimum Security Standard for Electronic Information for devices handling covered data. The recommendations below are provided as optional guidance for meeting the malware defenses requirement.

Requirement

Resource Custodians must configure covered systems to not auto-run content from removable or remotely-mounted media.

Description of Risk

Malicious software gives attackers direct access to covered data and the means to reach it.

Recommendations

The autorun configuration was intended to give users the convenience of an automatic software response to known media devices such as CDs and external hard disks. However, malicious software has been known to exploit this convenience feature to install malware and conduct unauthorized activities on misconfigured devices.

To mitigate the risk of running malware that exploits the autorun configuration, follow the instructions from the operating system vendor (Microsoft Windows) to disable autorun on both removable and remotely-mounted media. This requirement does not apply to Mac or Linux devices.
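
One way to check a Windows system against this requirement, as an added example that is not part of the original guideline or of Microsoft's instructions: the script reads the AutoRun policy values and reports whether removable, network and optical drive types are covered. The function names are hypothetical, and the script assumes the value is stored as a REG_DWORD.

```powershell
# Added audit example. Registry value names are Microsoft's; function names are hypothetical.
$PolicySubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# NoDriveTypeAutoRun is a bitmask; a set bit disables AutoRun for that drive type.
# 0xFF sets every bit (all drive types).
$RequiredBits = [ordered]@{
    'Removable' = 0x04
    'Network'   = 0x10   # remotely-mounted media
    'CD-ROM'    = 0x20   # assumption: optical media counted as removable
}

function Get-AutoRunPolicy {
    # HKLM is checked first: when the value exists there, the HKCU value is ignored.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $item = Get-ItemProperty -Path "$hive\$PolicySubKey" -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.NoDriveTypeAutoRun) {
            return [pscustomobject]@{
                Hive      = $hive
                Mask      = [int]$item.NoDriveTypeAutoRun   # assumes REG_DWORD
                NoAutorun = [int]$item.NoAutorun            # 1 = never execute autorun commands
            }
        }
    }
    return $null   # not configured in either hive; the OS default applies
}

function Test-AutoRunBlocked {
    param([int]$Mask)
    # Return one row per required drive type, so a partial mask is visible.
    foreach ($name in $RequiredBits.Keys) {
        [pscustomobject]@{
            DriveType = $name
            Blocked   = (($Mask -band $RequiredBits[$name]) -ne 0)
        }
    }
}

$policy = Get-AutoRunPolicy
if ($null -eq $policy) {
    Write-Warning 'NoDriveTypeAutoRun is not set in HKLM or HKCU policy.'
} else {
    '{0} NoDriveTypeAutoRun = 0x{1:X2}, NoAutorun = {2}' -f $policy.Hive, $policy.Mask, $policy.NoAutorun
    $rows = Test-AutoRunBlocked -Mask $policy.Mask
    $rows | Format-Table -AutoSize
    if ($rows.Blocked -contains $false) {
        Write-Warning 'AutoRun is still enabled for at least one required drive type.'
    }
}
```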

Additional Resources