1 Scope (p. 2)
2 Conflicts and Deviations (p. 2)
3 Users (p. 2)
4 References (p. 2)
5 Definitions and Abbreviations (p. 2)
6 USB Mass Storage manipulation (p. 5)
7 Control Access to USB Ports (p. 5)
8 Uninstall USB Device Drivers (p. 7)
9 Whitelist USB Devices (p. 13)
10 Audit Removable Storage (p. 20)
11 Disabling Autorun (p. 23)
12 Floppy Disks, CDs, DVDs (p. 24)
13 Sample Usage Scheme (p. 26)
1 Scope
The purpose of this best practice is to guide Process Automation Network (PAN)
administrators in implementing the technical requirements set forth by SAEP-98 for
handling removable media devices inside the plant. The practices included in this
document represent one approach to implementing those requirements and not, by any
means, the only approach.
2 Conflicts and Deviations
In the event of a conflict between this best practice and other Mandatory Saudi Aramco
Engineering Requirements, the Mandatory Saudi Aramco Engineering Requirements
shall govern.
3 Users
The intended users of this document are Process Automation Network (PAN)
administrators in charge of implementing security controls pertaining to removable
media devices usage inside the plant.
4 References
5 Definitions and Abbreviations
5.1 Abbreviations
CD Compact Disc
CD-R Compact Disc Recordable
CD-RW Compact Disc Rewritable
DVD Digital Versatile Disc
DVD-R Digital Versatile Disc Recordable
DVD-RW Digital Versatile Disc Rewritable
Page 2 of 26
Document Responsibility: Plants Networks Standards Committee SABP-Z-071
Issue Date: 10 November 2015
Next Planned Update: TBD Implementing Security Controls for Removable Media Devices
5.2 Definitions
Digital Versatile Disc (DVD): DVD is an optical disc storage format that
offers higher storage capacity than a Compact Disc (CD).
Floppy Disk Drive (FDD): A disk storage medium composed of a disk of thin
and flexible magnetic storage medium, sealed in a rectangular plastic carrier
lined with fabric that removes dust particles.
Hard Disk Drive (HDD): A data storage device used for storing and retrieving
digital information using one or more rigid (“hard”) rapidly rotating disks
(platters) coated with magnetic material.
Universal Serial Bus (USB): An external serial bus interface standard for
connecting peripheral devices to a computer.
USB Flash Drive: Or USB drive for short, is a data storage device that includes
flash memory with an integrated USB interface.
Registered USB: A USB flash drive whose Device ID has been whitelisted in
the plant system.
Usage Scheme: A framework that defines how removable media are going to
be used in a process automation environment.
6 USB Mass Storage manipulation
In order to disable USB Mass Storage, the following steps shall be followed:
1. Open regedit (or regedt32).
2. Go to this path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
3. Find the value “Start” and modify its data to 4.
The default data for the “Start” value is 3 when USB mass storage is enabled. If the
current value is different, record it before changing it, so that the action can be
reversed later if needed.
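The following is an added example, not part of SABP-Z-071, showing the three steps above done from an elevated PowerShell prompt with the reversal caveat built in: the current Start value is written to a file before it is set to 4, and a restore function reads it back. The backup file location is an assumption.

```powershell
# Added example, not part of SABP-Z-071. Disables the USB mass-storage driver by
# setting the UsbStor service's Start value to 4, after saving whatever value is
# currently there so the change can be reversed. Run from an elevated prompt.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$BackupFile = 'C:\PAN\usbstor-start-backup.txt'   # assumed location; pick your own

function Get-UsbStorStart {
    # 3 = start on demand (default, USB storage usable), 4 = disabled
    (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
}

function Disable-UsbStor {
    $current = Get-UsbStorStart
    if ($current -eq 4) {
        Write-Output 'UsbStor is already disabled (Start = 4).'
        return
    }
    # Record the original value even when it is the default of 3, so the
    # reversal does not depend on anyone remembering what was there before.
    New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null
    Set-Content -Path $BackupFile -Value $current
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    Write-Output "UsbStor Start changed from $current to 4; previous value saved in $BackupFile."
}

function Restore-UsbStor {
    if (-not (Test-Path $BackupFile)) { throw "No saved value found at $BackupFile" }
    $saved = [int](Get-Content -Path $BackupFile -TotalCount 1)
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $saved -Type DWord
    Write-Output "UsbStor Start restored to $saved."
}

function Test-UsbStorDisabled {
    # Suitable for a periodic compliance check: $true means no new USB disk can mount
    (Get-UsbStorStart) -eq 4
}

Disable-UsbStor
Test-UsbStorDisabled
```

Start = 4 only stops the driver from loading for devices plugged in afterwards; a USB disk that is already mounted when the value changes stays accessible until it is removed, so unplug any connected drive (or restart) before treating the workstation as compliant. Because the setting is local, Test-UsbStorDisabled is worth running periodically in case a software installation or policy refresh re-enables the service.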
7 Control Access to USB Ports
In case there is an operational need to use a USB drive, that does not mean granting
removable media devices privileges beyond those required for the desired purpose.
Administrators can enable or disable read access and/or write access of external drives
on a given system according to the operational requirements documented in the
removable media usage scheme.
1. Controlling removable storage devices behavior
a. Open regedit (or regedt32).
b. Go to this path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices
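The following is an added example, not part of SABP-Z-071, showing how read and write access for removable disks is set under the RemovableStorageDevices key named above. The document stops at the key path; the class GUID and the Deny_Read/Deny_Write value names used here are the ones written by the “Removable Disks: Deny read/write access” Group Policy settings and are supplied from general Windows knowledge, not from the document.

```powershell
# Added example, not part of SABP-Z-071. Grants or denies read/write access to
# removable disks through the RemovableStorageDevices policy key. The GUID is
# the well-known "Removable Disks" device class used by the Removable Storage
# Access policies; it is supplied by this example, not by the document.
$PolicyRoot     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableDiskAccess {
    param(
        [Parameter(Mandatory)][bool]$AllowRead,
        [Parameter(Mandatory)][bool]$AllowWrite
    )
    $key = Join-Path $PolicyRoot $RemovableDisks
    New-Item -Path $key -Force | Out-Null
    # Deny_Read / Deny_Write = 1 blocks that access type; 0 (or absent) permits it
    Set-ItemProperty -Path $key -Name Deny_Read  -Value ([int](-not $AllowRead))  -Type DWord
    Set-ItemProperty -Path $key -Name Deny_Write -Value ([int](-not $AllowWrite)) -Type DWord
}

function Get-RemovableDiskAccess {
    $key = Join-Path $PolicyRoot $RemovableDisks
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ ReadAllowed = $true; WriteAllowed = $true; PolicySet = $false }
    }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ReadAllowed  = ($p.Deny_Read  -ne 1)
        WriteAllowed = ($p.Deny_Write -ne 1)
        PolicySet    = $true
    }
}

# Typical usage-scheme setting: files may be imported from the drive, but
# nothing can be written back to it from the control system workstation.
Set-RemovableDiskAccess -AllowRead $true -AllowWrite $false
Get-RemovableDiskAccess
```

The change applies to drives connected after it is made, so reconnect any drive that was already plugged in. On a domain-joined workstation the same values are set centrally through Computer Configuration > Administrative Templates > System > Removable Storage Access, which is the path the document uses later for CD-ROM and floppy drives; a locally written value will be overwritten by that policy if the two disagree.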
Commentary Note:
8 Uninstall USB Device Drivers
7. You will now see a list of USB devices in which some lines appear faded. The faded
entries are USB devices that were once plugged in and whose drivers remain installed
on the system.
8. Uninstall all the faded entries by right-clicking on each entry and then Uninstall.
(Optional Step)
The INFCACHE.1 file stores information about USB drivers on your system. Deleting
this file forces Windows to generate a fresh INFCACHE.1 file:
9. Open Windows Explorer, select Computer, and search for “INFCACHE.1”.
10. If you have more than one instance of Windows installed, do this only for the
INFCACHE.1 in “C:\Windows\System32\DriverStore”; otherwise apply the following
to all INFCACHE.1 files:
a. Right-click the file INFCACHE.1.
b. Click Properties, click the Security tab, click Edit, then click Add.
c. Type Administrators in the window with the blinking cursor, then click OK.
d. Delete the INFCACHE.1 file.
11. Connect the dedicated USB device in order to force the system to create a new
INFCACHE.1 file.
12. Restart the machine.
Note: Certain cases may require the repetition of the entire procedure more than once to
achieve the desired objective.
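The following is an added example, not part of SABP-Z-071, that performs the same cleanup from an elevated PowerShell prompt: it lists the entries Device Manager shows faded, removes them, and takes the INFCACHE.1 ownership and deletion steps. It assumes the PnpDevice cmdlets (Windows 8.1 / Server 2012 R2 and later) and, for removal, the /remove-device switch of pnputil (Windows 10 version 2004 and later); on older systems the Device Manager steps above remain the method.

```powershell
# Added example, not part of SABP-Z-071. Lists the USB device entries that
# Device Manager shows as faded (installed once, not present now), removes
# them, and then clears the INFCACHE.1 file the optional step describes.
# Assumes Get-PnpDevice (Windows 8.1+) and pnputil /remove-device (Windows 10
# 2004+). Run elevated.

function Get-StaleUsbDevices {
    # Without -PresentOnly, Get-PnpDevice also returns devices that are not
    # currently connected; those are the faded Device Manager entries.
    Get-PnpDevice -Class USB, DiskDrive, WPD -ErrorAction SilentlyContinue |
        Where-Object { (-not $_.Present) -and ($_.InstanceId -like 'USB*') } |
        Select-Object FriendlyName, InstanceId, Class
}

function Remove-StaleUsbDevices {
    param([switch]$ListOnly)
    $stale = @(Get-StaleUsbDevices)
    foreach ($dev in $stale) {
        if ($ListOnly) { Write-Output "Would remove: $($dev.InstanceId)"; continue }
        # Same effect as right-click > Uninstall on the faded entry
        pnputil /remove-device $dev.InstanceId | Out-Null
    }
    $stale.Count
}

function Reset-InfCache {
    $path = Join-Path $env:SystemRoot 'System32\DriverStore\INFCACHE.1'
    if (-not (Test-Path $path)) {
        Write-Output 'INFCACHE.1 not present on this system (later Windows versions do not use it).'
        return $false
    }
    # Command-line equivalent of Properties > Security > Edit > Add Administrators
    takeown /F $path /A | Out-Null
    icacls $path /grant 'Administrators:F' | Out-Null
    Remove-Item -Path $path -Force
    return $true
}

# Review the list first, then remove; afterwards connect the dedicated USB
# device (so a new INFCACHE.1 is built) and restart the machine.
Get-StaleUsbDevices | Format-Table -AutoSize
Remove-StaleUsbDevices -ListOnly
```

Keep the output of Get-StaleUsbDevices with the workstation's change record: it is the inventory of every USB storage device that has ever been connected, which is useful evidence when a usage-scheme violation is investigated.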
9 Whitelist USB Devices
5. Device Manager starts and displays a tree representing all of the devices
detected on your computer. At the top of the tree is a node with your
computer's name next to it. Lower nodes represent the various categories of
hardware into which your computer's devices are grouped.
11. Under Value, make note of the strings displayed (copy into a text file)
Note: You can copy the strings to the Clipboard by highlighting the text and pressing
CTRL-C. However, it is helpful to copy the value into a text file from which you
can paste when you must specify an identifier. This approach greatly reduces
the chance of an error when you must add a specific identifier to a list of
approved or prohibited devices.
6. Depending on the system at hand, click Enabled to turn this policy on.
7. Click Show to view the list of allowed devices in the Show Contents
dialog box.
By default, the list is empty.
8. Click Add to open the Add Item dialog box. In other versions of
Windows, the values can be pasted into the box right away.
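The following is an added example, not part of SABP-Z-071, covering steps 11 and 6 to 8 above in one pass: it reads the hardware ID strings of the USB storage device currently connected, appends them to a text file (the document's recommended way to avoid transcription errors), and registers them in the local allow list. The registry layout under DeviceInstall\Restrictions is what the “Allow installation of devices that match any of these device IDs” and “Prevent installation of devices not described by other policy settings” policies write; it and the file path are supplied here from general Windows knowledge and are not taken from the document.

```powershell
# Added example, not part of SABP-Z-071. Collects the hardware IDs of the
# connected USB storage device, saves them to a file and adds them to the
# device-installation allow list. Registry layout and file path are assumptions.
$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$IdFile       = 'C:\PAN\registered-usb-ids.txt'

function Get-ConnectedUsbStorageIds {
    Get-PnpDevice -Class DiskDrive -PresentOnly |
        Where-Object InstanceId -like 'USBSTOR\*' |
        ForEach-Object {
            # Hardware IDs look like USBSTOR\DiskVendor__Product__Rev; the most
            # specific one is listed first and is the one worth whitelisting.
            (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds').Data
        } | Select-Object -Unique
}

function Save-ConnectedUsbStorageIds {
    # Copying from the tool into a file avoids the transcription errors the
    # document warns about when the IDs are later pasted into the policy.
    $ids = @(Get-ConnectedUsbStorageIds)
    New-Item -ItemType Directory -Path (Split-Path $IdFile) -Force | Out-Null
    Add-Content -Path $IdFile -Value $ids
    $ids
}

function Add-AllowedDeviceIds {
    param([Parameter(Mandatory)][string[]]$HardwareIds)
    $listKey = Join-Path $Restrictions 'AllowDeviceIDs'
    New-Item -Path $listKey -Force | Out-Null
    $item    = Get-Item -Path $listKey
    $names   = @($item.GetValueNames())
    $present = @($names | ForEach-Object { $item.GetValue($_) })
    # Entries are string values named "1", "2", ...; continue after the highest
    $next = if ($names.Count) { ([int[]]$names | Measure-Object -Maximum).Maximum + 1 } else { 1 }
    $added = 0
    foreach ($id in $HardwareIds) {
        if ($present -contains $id) { continue }       # already whitelisted
        New-ItemProperty -Path $listKey -Name $next -Value $id -PropertyType String | Out-Null
        $next++; $added++
    }
    # Turn the allow list on and block installation of anything not listed
    Set-ItemProperty -Path $Restrictions -Name AllowDeviceIDs  -Value 1 -Type DWord
    Set-ItemProperty -Path $Restrictions -Name DenyUnspecified -Value 1 -Type DWord
    $added
}

function Get-AllowedDeviceIds {
    $listKey = Join-Path $Restrictions 'AllowDeviceIDs'
    if (Test-Path $listKey) {
        $i = Get-Item -Path $listKey
        $i.GetValueNames() | ForEach-Object { $i.GetValue($_) }
    }
}

# Register the drive that is plugged in right now
$ids = Save-ConnectedUsbStorageIds
if ($ids) { "Added $(Add-AllowedDeviceIds -HardwareIds $ids) new entries" }
Get-AllowedDeviceIds
```

Two points to keep in mind. The restriction is enforced at driver installation time, so a non-registered drive whose driver is already on the system keeps working; that is why the faded entries are uninstalled in the previous section before the whitelist is turned on. And “Prevent installation of devices not described by other policy settings” applies to every device class, so the setup classes the workstation legitimately needs (keyboards, mice, the vendor's own hardware) must be permitted through the companion “Allow installation of devices using drivers that match these device setup classes” setting before the workstation is rebooted.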
10 Audit Removable Storage
This procedure applies to Windows Vista and later as well as Windows Server 2008
and later. Earlier versions of Windows do not support this function.
1. Press the Windows + R keys to open the Run dialog, type ‘secpol.msc’, and press
Enter.
NOTE: This file is located at C:\Windows\System32\secpol.msc.
4. If you selected the Failure check box, double-click Audit Handle Manipulation,
select the Configure the following audit events check box, and then select
Failure.
5. Click OK, and then close the Group Policy Management Editor.
6. Windows logs the same event ID 4663, from which administrators can determine
the following:
Who performed the action: User ID
The name of the file: Object Name
Location of the file on the removable storage device: Relative path
The program used to perform the access: Process information
Type of access (Read, Write, Delete): Accesses field
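The following is an added example, not part of SABP-Z-071, that enables the same audit subcategory from the command line with auditpol and extracts the fields listed in step 6 from event ID 4663 records in the Security log. The 4663 record at the end is a constructed sample so the parser can be exercised without a live log; the user, host and file names in it are made up.

```powershell
# Added example, not part of SABP-Z-071. Turns on the "Removable Storage" audit
# subcategory with auditpol and pulls the fields the document lists out of
# event ID 4663. The sample record at the end is constructed for testing.
function Enable-RemovableStorageAudit {
    auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
}

function ConvertFrom-Event4663 {
    param([Parameter(Mandatory)][xml]$EventXml)
    $d = @{}
    foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # AccessMask bits (Windows file access rights): 0x1 read data, 0x2 write data,
    # 0x10000 DELETE; the event's "Accesses" text is derived from the same mask.
    $mask = [int]$d['AccessMask']
    $access = @()
    if ($mask -band 0x1)     { $access += 'Read' }
    if ($mask -band 0x2)     { $access += 'Write' }
    if ($mask -band 0x10000) { $access += 'Delete' }
    [pscustomobject]@{
        User       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"   # who performed the action
        ObjectName = $d['ObjectName']                                        # the file on the removable device
        Process    = $d['ProcessName']                                       # program used for the access
        Access     = ($access -join ',')                                     # type of access
        AccessMask = ('0x{0:X}' -f $mask)
    }
}

function Get-RemovableStorageAccessEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    # 4663 is also raised by File System auditing; keep only the Removable
    # Storage subcategory so local-disk activity does not drown the report.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object TaskDisplayName -eq 'Removable Storage' |
        ForEach-Object { ConvertFrom-Event4663 -EventXml ([xml]$_.ToXml()) }
}

# Constructed sample: an operator writes a file to a removable drive via Explorer
$SampleEvent = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">operator1</Data>
    <Data Name="SubjectDomainName">PANWS01</Data>
    <Data Name="ObjectName">\Device\HarddiskVolume5\recipes\batch42.csv</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
    <Data Name="AccessMask">0x2</Data>
  </EventData>
</Event>
'@
ConvertFrom-Event4663 -EventXml $SampleEvent
# Live use: Enable-RemovableStorageAudit, then Get-RemovableStorageAccessEvents | Format-Table
```

The parsed objects are the record to compare against the usage scheme: a Write or Delete from a workstation whose scheme grants read-only access, or a process other than the one named in the scheme, is the deviation to investigate. Because 4663 is recorded per handle, a single file copy produces several events; group by ObjectName and User when reporting.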
11 Disabling Autorun
Group Policy settings are supported on the specified operating systems. For those
systems, use the steps below:
To disable Autorun on operating systems that do not include Gpedit.msc, follow these
steps:
1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following key in the registry:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
3. Right-click the NoDriveTypeAutoRun value, and then click Modify.
4. In the Value data box, type 0xFF and click OK.
5. Exit Registry Editor and restart your computer.
For more details, refer to the article “How to disable the Autorun functionality in
Windows” published on the Microsoft support site.
12 Floppy Disks, CDs, DVDs
In addition to USB ports, all other removable media drives shall be disabled by default
on a Process Automation System workstation/server. PAN admins may opt to take this
a step further and hide the drives so they are no longer visible to the user.
You can set the “Floppydisk” and “CD-ROM” services to not start automatically
by specifying 4 as the Start value in the following registry keys:
“HKLM\SYSTEM\CurrentControlSet\Services\Cdrom”
“HKLM\SYSTEM\CurrentControlSet\Services\FlpyDisk”
Commentary Note:
The registry key “Cdrom” covers both CD and DVD drives. Once you set the
value to 4, neither type of drive will be operational.
(Alternative Method)
Administrators can also disable CD-ROM and FDD through Group Policy by
following the steps below:
1. Open Gpedit.msc through the Start Search box.
2. Go to the following path: Computer Configuration > Administrative
Templates > System > Removable Storage Access.
3. Enable the ‘CD and DVD: deny read access’ policy to disable CD-ROM access.
4. Enable the ‘Floppy device: deny read access’ policy to disable floppy access.
6. Repeat the above steps for each drive that you’re trying to hide.
You can disable autoplay for all users on a computer on the CD-ROM drive by
specifying 0 as the Autorun value in the following entry:
“HKLM\System\CurrentControlSet\Services\CdRom”
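The following is an added example, not part of SABP-Z-071, that applies the registry settings of sections 11 and 12 in one pass from an elevated PowerShell prompt and reports the resulting state: NoDriveTypeAutoRun = 0xFF, the Cdrom service's Autorun value set to 0, the Cdrom and FlpyDisk services set to Start = 4, and, as the optional extra the document mentions, drive letters hidden from Explorer. The NoDrives value and its bit layout are supplied from general Windows knowledge and are not taken from the document.

```powershell
# Added example, not part of SABP-Z-071. Applies the section 11 and 12 registry
# settings and shows the resulting state. NoDrives (drive hiding) is an
# assumption from general Windows knowledge. Run elevated; the service changes
# take effect after a restart.
$ExplorerPolicy = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Services       = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Disable-Autorun {
    # Machine-wide key as well as the current-user key the document names
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = Join-Path $hive $ExplorerPolicy
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
    # Driver-level AutoPlay for the CD-ROM service (section 12)
    Set-ItemProperty -Path (Join-Path $Services 'Cdrom') -Name Autorun -Value 0 -Type DWord
}

function Disable-OpticalAndFloppy {
    # Start = 4 keeps the driver from loading; Cdrom covers both CD and DVD drives
    foreach ($svc in 'Cdrom', 'FlpyDisk') {
        $key = Join-Path $Services $svc
        if (Test-Path $key) { Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord }
    }
}

function Hide-DriveLetters {
    param([Parameter(Mandatory)][string[]]$Letters)
    # NoDrives is a bitmask: bit 0 hides A:, bit 1 hides B:, bit 2 hides C:, ...
    $mask = 0
    foreach ($l in $Letters) {
        $bit  = [int][char]::ToUpper([char]$l) - [int][char]'A'
        $mask = $mask -bor (1 -shl $bit)
    }
    Set-ItemProperty -Path (Join-Path 'HKLM:' $ExplorerPolicy) -Name NoDrives -Value $mask -Type DWord
    $mask
}

function Get-RemovableMediaState {
    $p = Get-ItemProperty -Path (Join-Path 'HKLM:' $ExplorerPolicy) -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoDriveTypeAutoRun = $p.NoDriveTypeAutoRun
        NoDrives           = $p.NoDrives
        CdromAutorun       = (Get-ItemProperty -Path (Join-Path $Services 'Cdrom')    -ErrorAction SilentlyContinue).Autorun
        CdromStart         = (Get-ItemProperty -Path (Join-Path $Services 'Cdrom')    -ErrorAction SilentlyContinue).Start
        FlpyDiskStart      = (Get-ItemProperty -Path (Join-Path $Services 'FlpyDisk') -ErrorAction SilentlyContinue).Start
    }
}

Disable-Autorun
Disable-OpticalAndFloppy
Hide-DriveLetters -Letters 'D', 'E'    # hides D: and E: (mask 24); list every drive to hide
Get-RemovableMediaState
```

Hiding a drive letter is cosmetic: the drive is still reachable by typing its path, which is why the document treats disabling the service as the control and hiding as an optional extra. Get-RemovableMediaState gives the values to record in the workstation's configuration baseline and to re-check after patching, since a driver update can reset a service's Start value.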
13 Sample Usage Scheme
Scheme #
Purpose
Justification
Data Required
In this section, PAN admins need to explain how the required data will be transferred to the
control system(s), in other words, the steps that will be taken to achieve the desired objective.
Data Provider(s)
☐ Other:
Work to be Performed By
Name: ______________________________________
Revision Summary
10 November 2015 New Saudi Aramco Best Practice that establishes guidelines for PAN Admins and
technical staff in implementing configuration-related requirements set by SAEP-98 for
removable media usage in the Plants.