
Best Practice

SABP-Z-071 10 November 2015


Implementing Security Controls for Removable Media Devices
Document Responsibility: Plants Networks Standards Committee

Saudi Aramco DeskTop Standards


Table of Contents

1  Scope ........................................... 2
2  Conflicts and Deviations ........................ 2
3  Users ........................................... 2
4  References ...................................... 2
5  Definitions and Abbreviations ................... 2
6  USB Mass Storage manipulation ................... 5
7  Control Access to USB Ports ..................... 5
8  Uninstall USB Device Drivers .................... 7
9  Whitelist USB Devices .......................... 13
10 Audit Removable Storage ........................ 20
11 Disabling Autorun .............................. 23
12 Floppy Disks, CDs, DVDs ........................ 24
13 Sample Usage Scheme ............................ 26

Previous Issue: New
Next Planned Update: TBD

Primary contact: Al-Yousef, Hassan Salman (youshs0a) on +966-13-8809815 Page 1 of 26

©Saudi Aramco 2015. All rights reserved.


Document Responsibility: Plants Networks Standards Committee
SABP-Z-071
Issue Date: 10 November 2015
Next Planned Update: TBD
Implementing Security Controls for Removable Media Devices

1 Scope

The purpose of this best practice is to guide Process Automation Network (PAN)
administrators in implementing the technical requirements set forth by SAEP-98 for
handling removable media devices inside the plant. The practices included in this
document represent one approach to implementing those requirements and not, by any
means, the only approach.

2 Conflicts and Deviations

In the event of a conflict between this best practice and other Mandatory Saudi Aramco
Engineering Requirements, the Mandatory Saudi Aramco Engineering Requirements
shall govern.

3 Users

The intended users of this document are Process Automation Network (PAN)
administrators in charge of implementing security controls pertaining to removable
media devices usage inside the plant.

4 References

4.1 Saudi Aramco References

Saudi Aramco Engineering Procedures


SAEP-98 Removable Media Usage for Process Automation
Systems
SAEP-99 Process Automation Networks and Systems
Security

5 Definitions and Abbreviations

5.1 Abbreviations
CD Compact Disc
CD-R Compact Disc Recordable
CD-RW Compact Disc Rewritable
DVD Digital Versatile Disc
DVD-R Digital Versatile Disc Recordable
DVD-RW Digital Versatile Disc Rewritable


HDD Hard Disk Drive


MMA Microsoft Message Analyzer
PAN Process Automation Network (also: Plant Information Network)
PAS Process Automation System
PCN Process Control Network
PCS Process Control System
PN&S Plant Networks and System
USB Universal Serial Bus

5.2 Definitions

Authentication: The process of verifying the identity of a user through a code
such as a password.

Compact Disc (CD): A CD is an optical disc used to store digital data.

Digital Versatile Disc (DVD): DVD is an optical disc storage format that
offers higher storage capacity than a Compact Disc (CD).

Floppy Disk Drive (FDD): A disk storage medium composed of a disk of thin
and flexible magnetic storage medium, sealed in a rectangular plastic carrier
lined with fabric that removes dust particles.

Hard Disk Drive (HDD): A data storage device used for storing and retrieving
digital information using one or more rigid (“hard”) rapidly rotating disks
(platters) coated with magnetic material.

Microsoft Message Analyzer: A software tool that enables users to capture,
display, and analyze protocol messaging traffic; and to trace and assess system
events and other messages from Windows components.

Process Automation Network (PAN): Sometimes referred to as Plant
Information Network (PIN), a PAN is a plant-wide network interconnecting Process
Control Networks (PCN) and providing an interface to the WAN. A PAN does
not include proprietary process control networks provided as part of a vendor's
standard process control system.

Process Automation Networks (PAN) Administrator: A system
administrator that performs day-to-day maintenance activities on the PAN
devices (e.g., administration, configuration, upgrade, monitoring, etc.). He may
also perform additional functions such as granting, revoking, and tracking access
privileges for PCS operating systems and applications.


Process Automation System (PAS): A network of computer-based or
microprocessor-based electronic equipment whose primary purpose is process
automation. The functions may include process control, safety, data acquisition,
advanced control and optimization, historical archiving, and decision support.

Removable Media (or Removable Media Devices): Computer storage
technologies that are portable (not permanently attached to a computer).
Examples include optical discs, memory cards, floppy disks, USB flash drives,
external HDDs, external SSDs, magnetic tapes, smart phones, tablets, PDAs, etc.

Unauthorized Removable Media: Any form of removable media that hasn’t
been approved for use inside the plant.

Server: A dedicated un-manned data provider.

Universal Serial Bus (USB): An external serial bus interface standard for
connecting peripheral devices to a computer.

USB Flash Drive: Or USB drive for short, is a data storage device that includes
flash memory with an integrated USB interface.

Certifiable USB: A USB flash drive whose origin/manufacturer can be verified
through cryptographic techniques.

Registered USB: A USB flash drive whose Device ID has been whitelisted in
the plant system.

User Account: An established relationship between a user and a computer,
network or information service such as Operating System and Applications.

Usage Scheme: A framework that defines how removable media are going to
be used in a process automation environment.

Workstation: A workstation is a computer intended for individual use that is
faster and more capable than a personal computer. It's intended for business or
professional use.

6 Enable/Disable USB Mass Storage

In order to disable USB Mass Storage, the following steps shall be followed:
1. Open regedit/regedit32
2. Go to this path:
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor”
3. Find the key “Start” and modify its value to 4.


4. To re-enable, return the registry key value to 3.


Commentary Note:

The default value for the “Start” key is 3 for enabled USB ports. However, if the value is
different, you must store the value in case you need to reverse the action later.

7 Control Access to USB Ports

Even when there is an operational need to use a USB drive, removable media
devices should not be granted privileges that the desired purpose does not require.
Administrators can enable/disable read-access and/or write-access of external drives to
a given system based on operational requirements as documented in the removable
media usage scheme.
1. Controlling removable storage devices behavior
   • Open regedit/regedit32
   • Go to this path:
     “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices”.
   Commentary Note:
   If the key “RemovableStorageDevices” doesn’t exist, then right-click on Windows
   and click on New and Key. Type “RemovableStorageDevices” and press Enter.
   • Right-click on “RemovableStorageDevices” and click on New and Key.
     Enter {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} and press Enter.
2. Denying read-access to removable storage
   • Open RegEdit.
   • Go to this path:
     “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices”.
   • On the right pane, click on an empty area and click on New and DWORD
     (32-bit) value and type “Deny_Read”.
   • Right-click on “Deny_Read” and click Modify.
   • Change the “Value data” to 1 and press OK.
   • Close Regedit and restart your computer.
Commentary Note:

To re-enable read-access to removable storage simply delete the “Deny_Read” key.


3. Denying write-access to removable storage
   • Open RegEdit.
   • Go to this path:
     “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices”.
   • On the right pane, click on an empty area and click on New and DWORD
     (32-bit) value and type “Deny_Write”.
   • Right-click on “Deny_Write” and click Modify.
   • Change the “Value data” to 1 and press OK.
   • Close Regedit and restart your computer.
Commentary Note:

To re-enable write-access to removable storage simply delete the “Deny_Write” key.
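The registry changes of Sections 6 and 7 can be scripted so that they are applied consistently across workstations and, as the commentary note in Section 6 requires, reversed from a recorded value rather than an assumed default. The following PowerShell is an added example and is not part of SABP-Z-071; it assumes an elevated prompt, a hypothetical backup file location under ProgramData, and that the Deny_Read/Deny_Write values are placed under the removable-disk class subkey {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} created in Section 7 step 1.

```powershell
# Added example (not part of SABP-Z-071): disable/re-enable USB mass storage
# (Section 6) and deny read/write access to removable disks (Section 7) from
# PowerShell instead of regedit. Run from an elevated prompt; a restart is still
# required for the policy values to take effect, as the document states.

$UsbStorKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
# Assumption: Deny_Read/Deny_Write live under the class subkey from Section 7 step 1.
$RemovableKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$BackupFile   = "$env:ProgramData\usbstor-start-backup.txt"   # hypothetical location

function Disable-UsbMassStorage {
    # Record the current Start value first (Section 6 commentary note) so the
    # change can be reversed even when the original value was not the default 3.
    $current = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    if (-not (Test-Path $BackupFile)) {
        Set-Content -Path $BackupFile -Value $current
    }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
}

function Enable-UsbMassStorage {
    # Restore the recorded value; fall back to the default of 3 when no backup exists.
    $restore = 3
    if (Test-Path $BackupFile) { $restore = [int](Get-Content -Path $BackupFile -TotalCount 1) }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $restore -Type DWord
}

function Set-RemovableDiskAccess {
    param(
        [switch]$DenyRead,
        [switch]$DenyWrite
    )
    if (-not (Test-Path $RemovableKey)) { New-Item -Path $RemovableKey -Force | Out-Null }
    foreach ($pair in @(@('Deny_Read', $DenyRead), @('Deny_Write', $DenyWrite))) {
        $name, $deny = $pair
        if ($deny) {
            New-ItemProperty -Path $RemovableKey -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
        } else {
            # Deleting the value re-enables that access, as the commentary notes describe.
            Remove-ItemProperty -Path $RemovableKey -Name $name -ErrorAction SilentlyContinue
        }
    }
}

function Get-RemovableMediaState {
    # Report the current state so the configuration can be verified after the restart.
    [pscustomobject]@{
        UsbStorStart = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
        DenyRead     = [bool](Get-ItemProperty -Path $RemovableKey -Name Deny_Read  -ErrorAction SilentlyContinue).Deny_Read
        DenyWrite    = [bool](Get-ItemProperty -Path $RemovableKey -Name Deny_Write -ErrorAction SilentlyContinue).Deny_Write
    }
}

# Usage: block USB mass storage entirely, and for hosts where a read-only
# operational need exists, keep the driver enabled but deny writes.
Disable-UsbMassStorage
Set-RemovableDiskAccess -DenyWrite
Get-RemovableMediaState
```

Calling Set-RemovableDiskAccess with neither switch removes both values, which is the documented way to restore full access; Get-RemovableMediaState gives the PAN admin a one-line check to record in the usage scheme.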

8 Uninstall Previously installed USB device Drivers

1. Unplug all USB devices except the mouse, keyboard or any other device that’s
operationally required such as USB licensing dongles.
2. Go to ‘System Properties’ → ‘Advanced’ tab → ‘Environment Variables’


3. Under the “System variables” section, click on ‘New’:
4. Type “devmgr_show_nonpresent_devices” in the variable name field and type ‘1’
as the variable value.
5. Click OK 3 times to close all windows.


6. Go to Device Manager → View → “Show hidden devices”
7. You will now notice that you have a list of USB devices and that some lines appear
to be faded. The faded ones are those USB devices that were once plugged in and
whose drivers have been installed on the system.


8. Uninstall all the faded entries by right-clicking on each entry and then → Uninstall.


(Optional Step)

The INFCACHE.1 file is used to store information about USB drivers on your system.
Deleting this file will force Windows to generate a fresh INFCACHE.1 file:
9. Open Windows Explorer → Computer → search for “INFCACHE.1”
10. If you have more than one instance of Windows installed, only do this for the
INFCACHE.1 file in “C:\Windows\System32\DriverStore”; otherwise apply the
following to all INFCACHE.1 files:
a. Right-click on the file INFCACHE.1
b. Click on Properties, Click on Security tab, Click on Edit, Click on Add.
c. Type Administrators in the window with the blinking cursor, Click OK.
d. Delete the INFCACHE.1 file.


11. Connect the dedicated USB device in order to force the system to create a new
INFCACHE.1 file.
12. Restart the machine.
Note: Certain cases may require the repetition of the entire procedure more than once to
achieve the desired objective.

9 Whitelist USB Devices based on Device IDs

9.1 Identify Device IDs of USB Devices


1. Log on to your computer as an Administrator
2. Plug in the dedicated USB memory drive, and then allow installation to
complete.
3. To open Device Manager, click the Start button, type mmc devmgmt.msc
in the Start Search box, and then press ENTER.
4. If the User Account Control dialog box appears, confirm that the action it
displays is what you want, and then click Continue.


5. Device Manager starts and displays a tree representing all of the devices
detected on your computer. At the top of the tree is a node with your
computer's name next to it. Lower nodes represent the various categories of
hardware into which your computer's devices are grouped.

6. Double-click Disk drives to open the list.
7. Right-click the entry for your USB memory drive, and then click
Properties.


8. The Device Properties dialog box appears:

9. Click the Details tab.


10. In the Property list, select Parent.

11. Under Value, make note of the strings displayed (copy into a text file)
Note: You can copy the strings to the Clipboard by highlighting the text and pressing
CTRL-C. However, it is helpful to copy the value into a text file from which you
can paste when you must specify an identifier. This approach greatly reduces
the chance of an error when you must add a specific identifier to a list of
approved or prohibited devices.

9.2 Authorizing/De-Authorizing Devices


1. Log on to your computer as Admin.
2. If your device is currently installed, uninstall and remove it by following
the steps in Section 8 “Uninstall Previously installed USB device Drivers”
of this document.
3. To open Group Policy Management Editor, click the Start button, type
mmc gpedit.msc in the Start Search box, and then press ENTER.


4. In the Group Policy Management Editor Navigation pane, double-click
Computer Configuration to open it. Then, open Administrative
Templates, open System, open Device Installation, and then open Device
Installation Restrictions.
5. In the details pane, right-click Allow installation of devices that match
any of these device IDs, and then click Edit (or Properties).
The policy dialog box appears with the current settings.


6. Depending on the system at hand, click Enabled to turn this policy on.

7. Click Show to view the list of allowed devices in the Show Contents
dialog box.
By default, the list is empty.
8. Click Add to open the Add Item dialog box. In other versions of
Windows, the values can be pasted into the box right away.


9. Enter the device ID for your device.
10. Click OK to close.
Your device now appears in the list.
11. Click OK to save your new policy setting.
12. In order to de-authorize a lost/stolen USB device, simply delete its device
ID from the above list and click OK.

9.3 Configure Policy to Prevent the Installation/Update of any Device Driver


1. Log on to your computer as an Administrator.
2. To open Group Policy Management Editor, click the Start button, type
mmc gpedit.msc in the Start Search box, and then press ENTER.
3. If the User Account Control dialog box appears, confirm that the action it
displays is what you want, and then click Continue.
4. In the Group Policy Management Editor Navigation pane, double-click
Computer Configuration to open it. Then, open Administrative
Templates, open System, open Device Installation, and then open Device
Installation Restrictions.


5. In the details pane, right-click Prevent installation of devices not
described by other policy settings, and click Edit (or Properties).
The policy dialog box appears with the current settings.
6. On the Setting tab, click Enabled to turn the policy on.
7. Click OK to save your settings and return to Group Policy Management
Editor.

9.4 Configure Policy to Allow Administrators to Override Device Installation
Restrictions

1. In the details pane, right-click Allow administrators to override device
installation policy, and then click Properties.
The policy dialog box appears with the current settings.
2. On the Setting tab, click Enabled to turn the policy setting on.
3. Click OK to save your setting and return to Group Policy Management
Editor.


Both policies now show their state as enabled.
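Collecting device IDs by hand from Device Manager (Section 9.1) and then checking in gpedit.msc that the three policies of Sections 9.2 to 9.4 are all enabled is error-prone on a fleet of workstations. The following PowerShell is an added example, not part of SABP-Z-071: it lists the IDs of attached USB disk drives together with their Device Manager “Parent”, writes them to a text file as step 11 of Section 9.1 advises, and reports whether the local policy state matches what Sections 9.2 to 9.4 configure. It assumes that the Device Installation Restrictions policies are stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions (values AllowDeviceIDs, DenyUnspecified and AllowAdminInstall, with the allow list as numbered strings under the AllowDeviceIDs subkey), which the document does not name, and that Get-PnpDeviceProperty is available (Windows 8 or later; on older hosts only the USBSTOR instance ID is reported). The ID file path is hypothetical.

```powershell
# Added example (not part of SABP-Z-071): enumerate USB disk device IDs
# (Section 9.1) and verify the Device Installation Restrictions policy state
# (Sections 9.2 to 9.4). Run from an elevated prompt.

# Assumption: registry location written by the gpedit.msc policies of Section 9.
$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$IdFile          = "$env:ProgramData\approved-usb-ids.txt"   # hypothetical path

function Get-UsbDiskDeviceIds {
    # Win32_DiskDrive exposes the USBSTOR instance ID; the "Parent" shown in
    # Device Manager is the USB\VID_xxxx&PID_xxxx\<serial> node above it.
    Get-WmiObject -Class Win32_DiskDrive | Where-Object { $_.InterfaceType -eq 'USB' } | ForEach-Object {
        $instanceId = $_.PNPDeviceID
        $parent = $null
        if (Get-Command Get-PnpDeviceProperty -ErrorAction SilentlyContinue) {
            $parent = (Get-PnpDeviceProperty -InstanceId $instanceId -KeyName 'DEVPKEY_Device_Parent' -ErrorAction SilentlyContinue).Data
        }
        [pscustomobject]@{ Model = $_.Model; InstanceId = $instanceId; Parent = $parent }
    }
}

function Get-AllowedDeviceIds {
    # The allow list is stored as numbered string values under the AllowDeviceIDs subkey.
    $listKey = Join-Path $RestrictionsKey 'AllowDeviceIDs'
    if (-not (Test-Path $listKey)) { return @() }
    (Get-ItemProperty -Path $listKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

function Test-DeviceInstallRestrictions {
    # Report whether the three policies of Sections 9.2 to 9.4 are in effect and
    # which attached USB disks are covered by the allow list.
    $policy  = Get-ItemProperty -Path $RestrictionsKey -ErrorAction SilentlyContinue
    $allowed = @(Get-AllowedDeviceIds)
    $devices = @(Get-UsbDiskDeviceIds)
    $report = foreach ($d in $devices) {
        # A device is allowed when a list entry matches its instance ID or its parent,
        # or is a prefix of either (policy entries may be partial hardware IDs).
        $match = $allowed | Where-Object { $d.InstanceId -like "$_*" -or ($d.Parent -and $d.Parent -like "$_*") }
        [pscustomobject]@{ Model = $d.Model; InstanceId = $d.InstanceId; Allowed = [bool]$match }
    }
    [pscustomobject]@{
        AllowListEnabled   = ($policy.AllowDeviceIDs -eq 1)     # Section 9.2
        DenyUnspecified    = ($policy.DenyUnspecified -eq 1)    # Section 9.3
        AllowAdminOverride = ($policy.AllowAdminInstall -eq 1)  # Section 9.4
        AllowedIdCount     = $allowed.Count
        Devices            = $report
    }
}

# Usage: record the IDs of the dedicated drive to a text file (Section 9.1 step 11),
# then confirm the policy state before the host is returned to service.
Get-UsbDiskDeviceIds | ForEach-Object { $_.InstanceId; $_.Parent } | Where-Object { $_ } | Set-Content -Path $IdFile
Test-DeviceInstallRestrictions | Format-List
```

A host is correctly configured for Section 9 only when AllowListEnabled, DenyUnspecified and AllowAdminOverride are all true and every dedicated drive listed in the usage scheme shows Allowed = True; a drive with Allowed = False will be blocked at installation time, which is the intended outcome for any device not in the scheme.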

10 Tracking Removable Storage with the Windows Security Log

This procedure applies to Windows Vista and beyond as well as Windows Server 2008
and later versions. Earlier versions of Windows don’t support this function.
1. Press the Windows + R keys to open the Run dialog, type ‘secpol.msc’, press
Enter.
NOTE: This file is located at C:\Windows\System32\secpol.msc.
2. Expand Advanced Audit Policy Configuration → System Audit Policies → Object
Access → Audit Removable Storage.
3. Select the Configure the following audit events check box, select the Success
check box (and the Failure check box, if desired), and then click OK.


4. If you selected the Failure check box, double-click Audit Handle Manipulation,
select the Configure the following audit events check box, and then select
Failure.
5. Click OK, and then close the Group Policy Management Editor.
6. Windows logs event ID 4663 for these accesses; from the event, administrators
can determine the following:
   • Who performed the action: User ID
   • The name of the file: Object Name
   • Location of the file on the removable storage device: Relative path
   • The program used to perform the access: Process information
   • Type of Access (Read, Write, Delete): Accesses field


Verify that Removable Storage Devices are Monitored

1. Press the Windows key + R, and then type cmd to open a Command Prompt
window.
2. Type gpupdate /force, and press ENTER.
3. Connect a removable storage device to the targeted computer and attempt to copy a
file that is protected with the Removable Storage Audit policy.
4. Go to Event Viewer.
5. Expand Windows Logs, and then click Security.
6. Look for event 4663, which logs successful attempts to write to or read from a
removable storage device. Failures will log event 4656.
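Reading the fields Section 10 lists (user, object name, process, access type) out of individual 4663 entries in Event Viewer does not scale beyond a spot check. The following PowerShell is an added example, not part of SABP-Z-071: it queries the Security log for event 4663 records written after “Audit Removable Storage” is enabled, extracts those fields from the event XML, and decodes the AccessMask into the Read/Write/Delete types the document refers to. It assumes only the standard EventData field names of event 4663 (SubjectUserName, SubjectDomainName, ObjectName, ProcessName, AccessMask, AccessList, ObjectType) and an elevated prompt for reading the Security log.

```powershell
# Added example (not part of SABP-Z-071): extract the Section 10 fields from
# Security event 4663 and decode the access type. Run from an elevated prompt.

function Get-RemovableStorageAccessEvents {
    param(
        [int]$MaxEvents = 200,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        # Event data fields are name/value pairs in the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']  # who performed the action
            ObjectType = $data['ObjectType']
            ObjectName = $data['ObjectName']                                                # file path on the device
            Process    = $data['ProcessName']                                               # program used for the access
            AccessMask = $data['AccessMask']                                                # raw access type bits
            Accesses   = ($data['AccessList'] -replace '\s+', ' ').Trim()
        }
    }
}

function ConvertFrom-AccessMask {
    # Map the access-mask bits to the Read/Write/Delete types named in Section 10.
    param([string]$Mask)
    if ([string]::IsNullOrEmpty($Mask)) { return 'Unknown' }
    $value = [Convert]::ToInt32($Mask, 16)   # AccessMask is logged as a hex string such as 0x2
    $types = @()
    if ($value -band 0x1)     { $types += 'Read' }
    if ($value -band 0x2)     { $types += 'Write' }
    if ($value -band 0x4)     { $types += 'Append' }
    if ($value -band 0x10000) { $types += 'Delete' }
    if ($types.Count -eq 0)   { $types += ('Other(0x{0:X})' -f $value) }
    $types -join ','
}

# Usage: show the last day's removable storage accesses with decoded access types.
Get-RemovableStorageAccessEvents |
    Select-Object Time, User, ObjectName, Process, @{ n = 'Access'; e = { ConvertFrom-AccessMask $_.AccessMask } } |
    Format-Table -AutoSize
```

Because event 4663 is also produced by ordinary file-system auditing when object-level SACLs are in use, a host that audits both should filter on ObjectName to keep the removable-media records separate in reports; the verification step above (copying a file to the dedicated drive and looking for the resulting 4663) is a quick way to confirm the audit policy took effect after gpupdate /force.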

11 Disabling Autorun Functionality

Windows Server 2008/Windows Vista

Group Policy settings are supported on the specified operating systems. For those
systems, use the below steps:


1. Open Gpedit.msc through Start Search box.
2. Go to the following path: “Computer Configuration\Administrative
templates\Windows Components\Autoplay Policies”
3. In the Details pane, double-click Default Behavior for AutoRun.
4. Click Enabled, and then select Do not execute any autorun commands in the
Default Autorun behavior box to disable Autorun on all drives.
5. Restart the computer.

Win Server 2003/Win XP Prof/Win 2000

1. Open Gpedit.msc through Start Search box.
2. Go to the following path: “Computer Configuration\Administrative templates\” and
click System.
3. In the Settings pane, right-click Turn off Autoplay, and then click Properties.
Note: In Windows 2000, the policy setting is named Disable Autoplay.
4. Click Enabled, and then select All drives in the Turn off Autoplay box.
5. Click OK and restart your computer.

Unsupported Group Policy Settings

To disable Autorun on operating systems that do not include Gpedit.msc, follow these
steps:
1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following entry in the registry:
“HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutorun”.
3. Right-click NoDriveTypeAutoRun, and then click Modify.
4. In the Value data box, type 0xFF and click OK.
5. Exit Registry Editor and restart your computer.
6. For more details, refer to “How to disable the Autorun functionality in Windows”
article published on Microsoft support site.

12 Floppy Disks, CDs, DVDs

In addition to USB ports, all other removable media drives shall be disabled by default
on a Process Automation System workstation/server. PAN admins may opt to take this
a step further and hide the drives so they are no longer visible to the user.


12.1 Disabling Removable Media Drive

You can set the “Floppydisk” and “CD-ROM” service to not start automatically
by specifying 4 as the Start value in the following registry keys:
   • “HKLM\SYSTEM\CurrentControlSet\Services\Cdrom”
   • “HKLM\SYSTEM\CurrentControlSet\Services\FlpyDisk”
Commentary Note:

The registry key “Cdrom” covers both CD and DVD drives. Once you set the
value at “4” both drives will not be operational.

(Alternative Method)
Administrators can also disable CD-ROM & FDD through Group Policy by
following the below steps:
1. Open Gpedit.msc through Start Search box.
2. Go to the following path: “Computer Configuration → Administrative
templates → System → Removable Storage Access”.
3. Enable ‘CD and DVD: deny read access’ policy to disable CD ROM access.
4. Enable ‘Floppy device: deny read access’ policy to disable Floppy access.

12.2 Hiding Drive Letters

1. Go to the following regedit path:
“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer”
2. Right-click on the right pane and select New > DWORD (32-bit) value.
3. Rename the registry entry to NoViewOnDrive.
4. Right-click on NoViewOnDrive and select Modify.
5. Depending on the drive letter that you are trying to hide, enter the
corresponding value according to the table:

Table H.1 - “NoViewOnDrive” values for hiding drive letters

Drive  Value      Drive  Value      Drive  Value
A      1          J      512        S      262144
B      2          K      1024       T      524288
C      4          L      2048       U      1048576
D      8          M      4096       V      2097152
E      16         N      8192       W      4194304
F      32         O      16384      X      8388608
G      64         P      32768      Y      16777216
H      128        Q      65536      Z      33554432
I      256        R      131072     ALL    67108863

6. Repeat the above steps for each drive that you’re trying to hide.
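The values in Table H.1 are a bitmask: bit n of NoViewOnDrive hides the drive letter n positions after A, which is why the values double from A = 1 to Z = 33554432 and ALL is 2^26 - 1 = 67108863. Several drives are therefore hidden with one value (the sum of their bits) rather than by repeating the steps per drive. The following PowerShell is an added example and not part of SABP-Z-071; it generalises the table to any set of drive letters, provides the inverse for auditing a host's existing value, and writes the result to the HKCU Explorer policy key named in Section 12.2. Function names are the author's own.

```powershell
# Added example (not part of SABP-Z-071): compute, decode and apply the
# NoViewOnDrive bitmask of Section 12.2 instead of looking up Table H.1.

$ExplorerPolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function ConvertTo-NoViewOnDriveValue {
    # Sum the bit for each letter: A -> 1, B -> 2, ..., Z -> 2^25; 'ALL' -> 2^26 - 1.
    param([string[]]$DriveLetters)
    $mask = 0
    foreach ($letter in $DriveLetters) {
        $l = $letter.Trim().TrimEnd(':').ToUpperInvariant()
        if ($l -eq 'ALL') { return 67108863 }
        if ($l.Length -ne 1 -or $l -lt 'A' -or $l -gt 'Z') { throw "Not a drive letter: '$letter'" }
        $mask = $mask -bor (1 -shl ([int][char]$l - [int][char]'A'))
    }
    return $mask
}

function ConvertFrom-NoViewOnDriveValue {
    # Inverse: list the drive letters a stored value hides, for auditing an existing host.
    param([int]$Value)
    0..25 | Where-Object { $Value -band (1 -shl $_) } | ForEach-Object { [char]([int][char]'A' + $_) }
}

function Set-HiddenDriveLetters {
    # Write one combined value covering every listed drive (Section 12.2 steps 1 to 5).
    param([string[]]$DriveLetters)
    if (-not (Test-Path $ExplorerPolicyKey)) { New-Item -Path $ExplorerPolicyKey -Force | Out-Null }
    $value = ConvertTo-NoViewOnDriveValue $DriveLetters
    New-ItemProperty -Path $ExplorerPolicyKey -Name NoViewOnDrive -Value $value -PropertyType DWord -Force | Out-Null
    return $value
}

# Usage: hide the floppy (A) and optical (D) drives with a single registry write.
$v = ConvertTo-NoViewOnDriveValue @('A', 'D')   # 9, i.e. 1 + 8 from Table H.1
"NoViewOnDrive = $v hides: $((ConvertFrom-NoViewOnDriveValue $v) -join ', ')"
Set-HiddenDriveLetters @('A', 'D')
```

The value only hides the letters in Explorer; it does not prevent access by path, so it complements the Start = 4 service setting of Section 12.1 rather than replacing it.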

12.3 Disable Autoplay for CD-ROM

You can disable autoplay for all users on a computer on the CD-ROM drive by
specifying 0 as the Autorun value in the following entry:

“HKLM\System\CurrentControlSet\Services\CdRom”

13 Sample Removable Media Usage Scheme

Admin Area: _____________________________________
Plant #: _____________________________________
Operating Area: _____________________________________
PAN Admin: _____________________________________ Phone: ______________
Issued On: _____________________________________
(Maximum validity is 3 years from issuance)

Scheme #
Purpose

Justification


Data Required

What kind of data are to be copied should be detailed here…

Data Exchange Process

In this section, PAN admins need to explain how the required data will be transferred to the
control system(s); in other words, the steps that will be taken to achieve the desired objective.

Data Provider(s)

The source of the data to be utilized.

Recipient of Data (Destination)

System(s) that will make use of the provided data.

The Machines Used to Perform the Task


☐ Corporate: i.e., BC510854

☐ Plant: i.e., ENG0164

☐ Other:

Removable Media Used


_______________________________
_______________________________
Device IDs #
_______________________________
_______________________________


Work to be Performed By

Name: ___________________________________________ Date: _____/______/__________

Name: ___________________________________________ Date: ____/______/___________

Name: ___________________________________________ Date:____/______/___________

Plant’s Manager Approval

Name: ______________________________________

Signature: ___________________________________ Date: ______/______/_____________

Revision Summary
10 November 2015 New Saudi Aramco Best Practice that establishes guidelines for PAN Admins and
technical staff in implementing configuration-related requirements set by SAEP-98 for
removable media usage in the Plants.

