In my past life as a consultant, I ran across an unusual exploit that was created when someone added an autorun.inf to the root of the company shared drive. This exploit infected the systems with malware that was easily removed, but it could have been worse. As a result, I have created the following GPO to disable autorun at all of my clients, and it is one of the first things I check when I start at a new company.

The settings for the GPO are located under Computer Configuration | Policies | Administrative Templates | Windows Components | AutoPlay Policies. The two settings are:

  • Default behavior for AutoRun: Do not execute any autorun commands
  • Turn off Autoplay on: All Drives
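Once the GPO is linked, it is worth confirming on an endpoint that both settings actually landed. The script below is an added example and not part of the original post; it assumes (as is standard for these AutoPlay policies under Computer Configuration) that the two settings are written to the Explorer policies key in HKLM as the DWORD values NoAutorun (1 = do not execute any autorun commands) and NoDriveTypeAutoRun (0xFF = Autoplay off on all drive types). The function name Test-AutoRunHardening is mine.

```powershell
# Added example (not from the original post): check that the two AutoRun
# hardening settings from the GPO have applied on this machine.
# Assumption: the policy writes to the Explorer policies key below, using the
# value names NoAutorun and NoDriveTypeAutoRun.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Expected values once the GPO is applied:
#   NoAutorun          = 1     -> "Default behavior for AutoRun: Do not execute any autorun commands"
#   NoDriveTypeAutoRun = 0xFF  -> "Turn off Autoplay on: All Drives"
$Expected = [ordered]@{
    NoAutorun          = 1
    NoDriveTypeAutoRun = 0xFF
}

function Test-AutoRunHardening {
    [CmdletBinding()]
    param([string]$Key = $PolicyKey)

    $results = foreach ($name in $Expected.Keys) {
        $actual = $null
        if (Test-Path -Path $Key) {
            # Missing value -> $null rather than an error
            $actual = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Setting   = $name
            Expected  = '0x{0:X}' -f $Expected[$name]
            Actual    = if ($null -eq $actual) { '<not set>' } else { '0x{0:X}' -f $actual }
            Compliant = ($actual -eq $Expected[$name])
        }
    }
    return $results
}

$report = Test-AutoRunHardening
$report | Format-Table -AutoSize

if ($report.Compliant -contains $false) {
    Write-Warning 'AutoRun is not fully disabled on this host. Run "gpupdate /force" and confirm the GPO is linked and applied (gpresult /r).'
    exit 1
}
```

Run it in an elevated PowerShell session on a domain-joined workstation after a gpupdate. The 0xFF value sets every drive-type bit in NoDriveTypeAutoRun, including the 0x10 bit for network drives, which is the case described above where the autorun.inf lived on a shared drive; a value that only covers removable media would leave that path open.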

This policy is not invisible to your users! If your users have become accustomed to autorun working on certain DVDs or CDs, they may think something is wrong with their system. As always, communicate with your users about the changes you are making.