S 4.52 Protection of devices under Windows NT

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

Under normal circumstances Windows NT allows all programs access to disks and CD ROMs. You are recommended to limit this access to the user who has just logged in interactively by allocating the equipment to this user exclusively.

Under Windows NT 4.0 access to disk drives should be restricted by entering/changing the value " AllocateFloppies " in the key " SOFTWARE\Microsoft\Windows NT\Current Version\ Winlogon " of the sector HKEY_LOCAL_MACHINE of the registry to the value REG_string = 1. Note: The type " REG_string " used in the Regedit.exe program corresponds to the type " REG_SZ " in the Regedit32.exe program.

Similarly, access to CD ROM drives should be restricted where required by entering/changing the value "AllocateCdRoms" in the key " SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon " of the sector HKEY_LOCAL_MACHINE of the registry to the value REG_string = 1.

Note: Since the equipment is released again for general access when logging off, the data media must be removed from the equipment before log-off.

If disk drives are to be completely deactivated, this can also be done by preventing the loading of the driver program in the control panel option " Devices " by assigning the start type " Deactivated " to the " Floppy " device. Following the next system start-up, the disk drive is then simply no longer available for use, and it can only be made usable again by an administrator assigning the start type " System ". On servers, it is not advisable to disable loading of the driver program for the disk drive. If the disk drive is required again for administrative purposes, for example, the " Floppy " device must be assigned the start type " System " and the server must be turned off, as the driver can only be loaded after the system has been restarted. This might disrupt the operation of services. Servers must be installed in a secure environment, and connected disk drives must be locked physically.

Furthermore, Windows NT allows all users access to tape drives, so that each user can read and write the contents of each tape. Usually this does not result in any problems, as at any given time only one user is logged on interactively. If, however, this user runs a program that is still accessing the tape drive even after log-off, this program might access a tape put on by the next user who logs on. For this reason, computers which are not located in a supervised environment should be restarted before the tape drive is used.

Note: The use of self-loading tape equipment, which can load several tapes from a reservoir, must only be permitted under very closely-supervised marginal conditions. Generally, such types of equipment should only be installed for data back-up purposes on a server. Interactive access of normal users to this server is not permitted (see also S 6.32 Regular data back-up).

Additional controls:

• Is the setting of the keys " AllocateFloppies " and " AllocateCdRoms " in the registry checked regularly?