S 4.52 Device protection under Windows NT/2000/XP

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

By default, Windows operating systems allow every program access to diskettes, CD/DVD-ROMs/RWs, and USB interfaces. It is recommended to restrict this access to the user who has logged in interactively, by assigning the devices exclusively to this user at login.

The following describes how to restrict access to diskette and CD-ROM drives; access to other drives for removable data media should be restricted in the same manner. Under Windows Vista and Windows Server 2008 and higher, access to removable media can be controlled specifically by using group policies: it is possible to define in general which types of removable media may be accessed and which type of access (e.g. read only) is allowed. Depending on the environment and the systems to be configured, this can be set either in the user or in the computer context. The policies are located under the following path within the security settings:

Computer Configuration [User Configuration] | Administrative Templates | System | Removable Storage Access

Furthermore, access to the USB interfaces can be configured in more detail via so-called device identification strings and device setup classes. This allows for a specific configuration, e.g. permitting only USB hard drives, without having to disable the USB interface completely. In Windows 2000/Server 2003 and higher, the restriction of diskette and CD-ROM access to the interactively logged-on user is configured using the local security settings or using a group policy. The relevant options can be found in Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options and have the following labels in Windows 2000:

Note: Since the devices become available for general access again after logging off, users must be instructed to remove data media from the drives before logging off.
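The settings described above leave a trace in the local registry, so an administrator can verify on a given computer whether the device protection is actually in effect. The following audit script is an added example and is not part of the BSI catalogue text. It assumes that the Windows 2000-style restrictions are stored as the Winlogon values AllocateFloppies and AllocateCDRoms, that the Removable Storage Access policy writes its Deny_Read/Deny_Write/Deny_Execute values under HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices, and that the device class GUIDs listed in the script are the ones used by that policy; verify all three assumptions against the ADMX template of your own Windows version before relying on the output. The script only reads; it changes nothing.

```powershell
# Added example (not from the BSI text): audit the device-protection settings
# of the local computer. Run in an elevated PowerShell session.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$rsd      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device class GUIDs used as subkey names by the Removable Storage Access policy.
# ASSUMPTION: taken from the policy's ADMX template; verify against your template version.
$classes = [ordered]@{
    '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}' = 'CD and DVD'
    '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}' = 'Floppy Drives'
    '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' = 'Removable Disks'
    '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}' = 'Tape Drives'
}

function Get-LegacyAllocation {
    # One object per Windows 2000-style "restrict access to locally logged-on user" setting.
    # ASSUMPTION: the setting is stored as a REG_SZ "1" (restricted) or "0" (not restricted).
    foreach ($name in 'AllocateFloppies', 'AllocateCDRoms') {
        $value = (Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting    = $name
            Configured = ($null -ne $value)
            Restricted = ($value -eq '1')
        }
    }
}

function Get-RemovableStoragePolicy {
    # One object per device class with the Deny_* flags that are set.
    # A missing subkey means the policy is "Not configured" for that class.
    foreach ($guid in $classes.Keys) {
        $key   = Join-Path $rsd $guid
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Class       = $classes[$guid]
            Configured  = ($null -ne $props)
            DenyRead    = [bool]($props.Deny_Read)
            DenyWrite   = [bool]($props.Deny_Write)
            DenyExecute = [bool]($props.Deny_Execute)
        }
    }
}

# "All Removable Storage classes: Deny all access" is a single Deny_All value on the parent key.
$denyAll = [bool]((Get-ItemProperty -Path $rsd -Name Deny_All -ErrorAction SilentlyContinue).Deny_All)

'--- Legacy Winlogon allocation (Windows 2000 / Server 2003 style) ---'
Get-LegacyAllocation | Format-Table -AutoSize
'--- Removable Storage Access policy (Windows Vista / Server 2008 and higher) ---'
"Deny all removable storage classes: $denyAll"
Get-RemovableStoragePolicy | Format-Table -AutoSize
```

A class that shows Configured = False in the second table is not protected by the group policy at all, and an unconfigured legacy setting means any program, not just the interactive user, may access the drive on older systems. Running the script before and after applying the policy gives a simple before/after check for the change management record.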

If a floppy disk drive is to be disabled completely, loading of its driver program can also be suppressed in Computer Management/Device Manager of Windows 2000/Server 2003 and higher by setting the device usage of the device "Floppy" to Do not use this device (disabled). This ensures that the required driver program is not loaded. The floppy disk drive will not be available after the next system start and can only be enabled again by an administrator by setting the device usage to Use this device (enabled).
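The Device Manager step described above can also be carried out and verified from the command line on current Windows versions. The following is an added example, not part of the BSI catalogue text; it uses the PnpDevice cmdlets (available on Windows 8.1/Server 2012 R2 and later) and assumes that the floppy drive is enumerated under the device setup class "FloppyDisk". It must be run in an elevated session, since disabling and enabling devices requires administrator rights, which also matches the requirement that only an administrator may re-enable the drive.

```powershell
# Added example (not from the BSI text): disable or re-enable the floppy disk drive
# via Plug and Play, equivalent to "Do not use this device (disabled)" /
# "Use this device (enabled)" in Device Manager. Run elevated.

function Get-FloppyDevice {
    # All devices in the FloppyDisk setup class (ASSUMPTION: class name "FloppyDisk").
    Get-PnpDevice -Class 'FloppyDisk' -ErrorAction SilentlyContinue
}

function Disable-FloppyDevice {
    # Disable every floppy device and return its state afterwards so the change can be verified.
    foreach ($dev in Get-FloppyDevice) {
        Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false -ErrorAction Continue
    }
    Get-FloppyDevice | Select-Object FriendlyName, InstanceId, Status
}

function Enable-FloppyDevice {
    # Administrator-only counterpart: re-enable the drive.
    foreach ($dev in Get-FloppyDevice) {
        Enable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false -ErrorAction Continue
    }
    Get-FloppyDevice | Select-Object FriendlyName, InstanceId, Status
}

# Disable the drive; a disabled device reports Status "Error" instead of "OK".
Disable-FloppyDevice
```

If Get-FloppyDevice returns nothing, the computer has no floppy drive enumerated and nothing needs to be disabled; as stated above, the BIOS can additionally be used to remove the drive entirely.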

Moreover, drives can usually also be disabled by corresponding settings in the computer BIOS.

Furthermore, Windows allows all users to access tape drives, which means every user can read and write the contents of each tape. This is normally not a problem because only one user is logged on interactively at any given time. However, if this user runs a program that continues to access the tape drive even after the user logs off, then this program could access a tape inserted by the next user who logs in. For this reason, computers not located in a controlled environment and on which confidential data is processed should be restarted before using the tape drive.

Note: The use of self-loading tape devices that can load several tapes from storage must only be permitted when their use is very closely monitored. In general, such devices should only be installed to back up data on a server. Interactive access by normal users to this server is not permitted (see also S 6.32 Regular data backup).

Additional recommendations for proper handling of disk drives for removable media can be found in S 4.4 Correct handling of drives for removable media and external data storage.

Review questions: