- ID: PV035
- Created: 31st July 2024
- Updated: 31st July 2024
- Platform: Windows
- Contributor: Khaled A. Mohamed
Restrict Disc Media Mounting, Group Policy
Using Group Policy on Windows it is possible to block execute, read, and write operations related to a CD/DVD drive.
In the Group Policy Editor, navigate to: Computer Configuration -> Administrative Templates -> System -> Removable Storage Access
Open the following policies and set them all to Enabled:
- CD and DVD: Deny execute access
- CD and DVD: Deny read access
- CD and DVD: Deny write access
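
To confirm the three settings have actually reached an endpoint, the script below reads the registry values that back these policies and reports any that are not enforced. It is an added example, not part of the original entry. It assumes the Computer Configuration policies are stored under the RemovableStorageDevices policy key for the CD/DVD device class GUID as DWORD values named Deny_Execute, Deny_Read and Deny_Write; neither the key path nor the GUID appears on this page.

```powershell
# Added example: audit the three "CD and DVD: Deny ..." policies on the local machine.
# Assumption: the machine-level policies are written under the CD/DVD device-class
# GUID below as DWORD values Deny_Execute, Deny_Read and Deny_Write (1 = Enabled).
$base       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$cdDvdClass = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
$key        = Join-Path $base $cdDvdClass

# Registry value name -> policy name as shown in the Group Policy Editor
$expected = [ordered]@{
    'Deny_Execute' = 'CD and DVD: Deny execute access'
    'Deny_Read'    = 'CD and DVD: Deny read access'
    'Deny_Write'   = 'CD and DVD: Deny write access'
}

$results = foreach ($name in $expected.Keys) {
    $value = $null
    if (Test-Path -LiteralPath $key) {
        # A missing value means the policy is "Not Configured" on this machine
        $value = (Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue).$name
    }
    [pscustomobject]@{
        Policy   = $expected[$name]
        Value    = $name
        Data     = if ($null -eq $value) { '(not set)' } else { $value }
        Enforced = ($value -eq 1)
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a compliance scanner or scheduled task flag the host
if ($results.Enforced -contains $false) {
    Write-Warning 'One or more CD/DVD deny policies are not enforced on this machine.'
    exit 1
}
```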
Sections
| ID | Name | Description |
|---|---|---|
| IF002.009 | Exfiltration via Disk Media | A subject exfiltrates data using writeable disk media. |
| PR004.003 | Removable Media File Exploration | The subject browses, searches, or navigates files stored on removable media to identify data of interest. This includes interaction with external storage devices such as USB flash drives, external hard drives, memory cards, or other mountable media connected to an endpoint. File exploration on removable media may involve directory traversal, file listing, previewing, or opening files directly from the mounted device. This activity can occur either on media introduced by the subject or on devices previously used for data staging or transfer. |