Disable Autorun and Autoplay for Removable Media (CIS 10.3)
Removable media like USB drives and external hard drives remain a primary infection vector for malware and ransomware. CIS Control 10.3 requires disabling autorun and autoplay functionality to prevent automatic execution of malicious code when media is connected. This straightforward technical control dramatically reduces attack surface without impacting legitimate workflow.
What this means
Autorun and autoplay features automatically launch applications or execute scripts when removable media is connected to a system. Disabling these capabilities prevents unauthorized code execution from compromised USB drives, external drives, or other portable storage devices. This control applies across Windows, macOS, and Linux environments where such functionality exists, ensuring users must explicitly authorize any actions on removable media.
How to comply
- 1.Disable autorun functionality in Windows via Group Policy Editor (gpedit.msc) or Registry Editor for all drive types
- 2.Disable autoplay in Windows Settings under Devices > AutoPlay for each media or device type
- 3.Configure macOS to require user action before mounting external drives through System Preferences
- 4.Set Linux mount options to prevent automatic execution (noexec, nosuid flags) for removable media
- 5.Apply these settings consistently across all endpoints using Mobile Device Management (MDM) or Group Policy
- 6.Document the disabled autorun/autoplay settings in your asset inventory and configuration management system
- 7.Test removable media connections regularly to ensure autorun/autoplay remains disabled after system updates
Evidence auditors look for
- Screenshots of disabled autorun policies in Group Policy Editor
- AutoPlay settings configuration showing all media types set to manual or no action
- Registry export showing HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer autorun keys disabled
- MDM or endpoint management reports confirming autorun/autoplay disabled across device fleet
- System configuration audit logs documenting when autorun/autoplay settings were disabled
- Testing documentation showing USB drives do not auto-execute upon connection
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically detects and maps autorun/autoplay configurations across your Windows and Linux endpoints, tracks compliance status in your control dashboard, and alerts you to drift from your disabled-state baseline—eliminating manual policy audits.
See how GRCWatch handles this control automatically
Start free trial