The program must be launched by a user having administrator privileges
on the local machine. The System account is a good candidate,
but any administrator is suitable.
An easy solution is to run the program during the machine boot
in the service AUTOEXNT (from the NT Resource Kit) - but it may
be executed at any time.
The ACLs are set immediately but they are volatile.
You must re-apply them after the machine has been shut down.
HIDE_DEV
This program is an extension to system policies.
It is loaded at logon time.
In order to activate it, you must create the value
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PolicyHandler = "path\hide_dev.dll,ProcessPolicies"
Customisation
To customise the access, add a value of type REG_SZ
or REG_EXPAND_SZ, under the
HKEY_LOCAL_MACHINE\SOFTWARE\MarcStern\ProtectedDevices key
for each device type or logical drive.
Each value may contain several userids or groupids separated by semicolons ';'.
To disable security on one device type (allow access to everybody),
use the "default" keyword.
The resulting ACL is the union of the groups/users specified for the drive
letter and those specified for its drive type.
An example of a policy template file (PROT_DEV.ADM) is provided.
Device type       Description
Drive_Fixed       Hard disks
Drive_Removable   Floppies, ZIP, JAZZ, etc.
Drive_CD          CD-ROM, CD-Write, etc.
Drive_RAM         RAM drive (in memory)
Drive_Remote      Network drives (HIDE_DEV only)
LPT ports         Parallel ports
COM ports         Serial ports
A:                logical drive A:
...               logical drive ...
Z:                logical drive Z:
Special syntax
-id to explicitly deny access to a groupid/userid
*id to allow access but not display in Explorer
-*id to explicitly deny display in Explorer
Some groups are always granted access:
Administrators
Account Operators
Backup Operators
Server Operators
Power Users
An explicit deny has no effect on members of these groups.
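The value syntax described above, as an added example that is not part of the original tools: a Python parser that splits a value into its entries, merges the drive-letter and drive-type values, and reports "-id" denies that target an always-granted group. The value names (taken from the table), the sample user/group names and the case-insensitive handling of "default" are assumptions.

```python
# Added example (not part of the tool): audits ProtectedDevices value strings.
# Groups the page lists as always granted access; account names compared
# case-insensitively.
ALWAYS_GRANTED = {"administrators", "account operators", "backup operators",
                  "server operators", "power users"}

# Constructed sample; value names are assumed to match the table entries.
SAMPLE_POLICY = {
    "Drive_Removable": "Domain Users;-Guests",
    "A:": "*Helpdesk; -Administrators;",
}

def parse_value(data):
    """Split one value into (kind, id) pairs using the page's prefixes."""
    entries = []
    for raw in data.split(";"):
        item = raw.strip()
        if not item:
            continue  # tolerate trailing or doubled semicolons
        if item.lower() == "default":  # assumption: keyword is case-insensitive
            entries.append(("default", None))
            continue
        for prefix, kind in (("-*", "deny_display"), ("-", "deny"),
                             ("*", "allow_hidden"), ("", "allow")):
            if item.startswith(prefix):
                ident = item[len(prefix):].strip()
                if ident:  # a bare prefix with no id is ignored
                    entries.append((kind, ident))
                break
    return entries

def effective_entries(policy, drive, drive_type):
    """Entries for the drive letter plus those for its drive type."""
    merged = []
    for name in (drive, drive_type):
        for entry in parse_value(policy.get(name, "")):
            if entry not in merged:
                merged.append(entry)
    return merged

def ineffective_denies(entries):
    """Ids with '-id' denies that target an always-granted group."""
    return [i for kind, i in entries
            if kind == "deny" and i.lower() in ALWAYS_GRANTED]

if __name__ == "__main__":
    acl = effective_entries(SAMPLE_POLICY, "A:", "Drive_Removable")
    print(acl)
    print("no effect:", ineffective_denies(acl))
```
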
WARNING
When applying the ACL to a mapped network drive, NT applies it to the mapped
directory. Therefore, ACLs are not applied on network drives.