IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
S 4.52 Protection of devices under Windows NT
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
Under normal circumstances Windows NT allows all programs access to disks
and CD ROMs. You are recommended to limit this access to the user who has
just logged in interactively by allocating the equipment to this user
exclusively.
Under Windows NT 4.0 access to disk drives should be restricted by
entering/changing the value "AllocateFloppies" in the key
"SOFTWARE\Microsoft\Windows NT\Current Version\ Winlogon" of the
sector HKEY_LOCAL_MACHINE of the registry to the value REG_string = 1.
Note: The type "REG_string" used in the Regedit.exe program corresponds to
the type "REG_SZ" in the Regedit32.exe program.
Similarly, access to CD ROM drives should be restricted where required by
entering/changing the value "AllocateCdRoms" in the key
"SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon" of the
sector HKEY_LOCAL_MACHINE of the registry to the value REG_string = 1.
Note: Since the equipment is released again for general access when logging
off, the data media must be removed from the equipment before log-off.
If disk drives are to be completely deactivated, this can also be done by
preventing the loading of the driver program in the control panel option
"Devices" by assigning the start type "Deactivated" to the "Floppy" device.
Following the next system start-up, the disk drive is then simply no longer
available for use, and it can only be made usable again by an administrator
assigning the start type "System". On servers, it is not advisable to disable
loading of the driver program for the disk drive. If the disk drive is required
again for administrative purposes, for example, the "Floppy" device must be
assigned the start type "System" and the server must be turned off, as the
driver can only be loaded after the system has been restarted. This might
disrupt the operation of services. Servers must be installed in a secure
environment, and connected disk drives must be locked physically.
Furthermore, Windows NT allows all users access to tape drives, so that each
user can read and write the contents of each tape. Usually this does not result
in any problems, as at any given time only one user is logged on interactively.
If, however, this user runs a program that is still accessing the tape drive even
after log-off, this program might access a tape put on by the next user who
logs on. For this reason, computers which are not located in a supervised
environment should be restarted before the tape drive is used.
Note: The use of self-loading tape equipment, which can load several tapes
from a reservoir, must only be permitted under very closely-supervised
marginal conditions. Generally, such types of equipment should only be
installed for data back-up purposes on a server. Interactive access of normal
users to this server is not permitted (see also S 6.32 Regular data back-up).
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000