Protected Devices for NT

PROT_DEV

This module protects the access to all drives, parallel and serial ports. It sets standard NT ACL on these devices.

HIDE_DEV

This additional program allows to filter the drives displayed in the NT Explorer user interface.

Installation
Customisation
Package
Dependencies

Installation

PROT_DEV

The program must be launched by a user having administrator privileges on the local machine. The System account is a good candidate, but any administrator is suitable.
An easy solution is to run the program during the machine boot in the service AUTOEXNT (from the NT Resource Kit) - but it may be excuted at any time.

The ACL are set immediately but they are volatile. You must re-apply them when the machine was shut down.

HIDE_DEV

This program is an extension to system policies. It is loaded at logon time.

In order to activate it, you must create the value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PolicyHandler = "path\hide_dev.dll,ProcessPolicies"

Customisation

To customise the access, add a value of type REG_SZ or REG_EXPAND_SZ, under the HKEY_LOCAL_MACHINE\SOFTWARE\MarcStern\ProtectedDevices key for each device type or logical drive.
Each value may contain several userid or groupeid separated by a semicolon ';'.
To disable security on one device type (allow access to everybody), use the "default" keyword.

The ACL will be the sum of both the groups/users specified for the drive letter and the one specified in its drive type.

An example of a policy template file (PROT_DEV.ADM) is provided.

Device type Description

Drive_Fixed Hard disks

Drive_Removable Floppies, ZIP, JAZZ, etc.

Drive_CD CD-ROM, CD-Write, etc.

Drive_RAM RAM drive (in memory)

Drive_Remote Network drives (HIDE_DEV only)

LPT ports Parallel ports

COM ports Serial ports

A: logical drive A:

... logical drive ...

Z: logical drive Z:


Device type	Description
Drive_Fixed	Hard disks
Drive_Removable	Floppies, ZIP, JAZZ, etc.
Drive_CD	CD-ROM, CD-Write, etc.
Drive_RAM	RAM drive (in memory)
Drive_Remote	Network drives (HIDE_DEV only)
LPT ports	Parallel ports
COM ports	Serial ports
A:	logical drive A:
...	logical drive ...
Z:	logical drive Z:

Special syntax

-id to explicitly deny access to a groupid/userid
*id to allow access but not display in Explorer
-*id to explicitly deny display in Explorer

Some groups are always granted access:

Administrators
Account Operators
Backup Operators
Server Operators
Power Users

An explicit deny will have no effect on these groups members.

WARNING

When applying the ACL to a mapped network drive, NT applies it to the mapped directory. Therefor, ACL are not applied on network drives.

Package

The package is composed of:

PROT_DEV.EXE
HIDE_DEV.DLL

Dependencies

Common Logging Facility
MSVCRT.DLL

[XSET] ... [Other free NT tools] ... [How to contact me] ... [Batch files tips & tricks]