Since the floppy drive and the CD-ROM drive in a system are classified as volumes by Windows XP, both types of drives are automatically shared as administrative shares on the network. This means that administrators and other users can access these drives over the network while the user is logged on. Fortunately, you can disable network access to floppy/CD-ROM drives by adding a couple of settings to the Winlogon key in the registry.
Adding these settings to the registry will, in part, meet the C2 security requirement stating that you must be able to secure removable media. To get started, launch the Registry Editor by typing Regedit in the Run dialog box. Then, open the following keys in succession:
- Windows NT
Adding the string values
To add a new string value to the Winlogon key, pull down the Edit menu and select the New | String Value command. When New Value appears in the Winlogon key, name it using one of the names described in the next section. Once you name a value, press [Enter] twice: once to activate the new name and once to open the Edit String dialog box. You can then enter the appropriate setting in the Value Data text box. Let’s take a closer look.
To disable network access to the floppy disk drive, you’ll add a string value named AllocateFloppies and set the Value Data to 1, as shown in Figure A.
Figure A: The AllocateFloppies setting disables network access to the administrative share on the floppy disk drive.
To disable network access to the CD-ROM drive, you’ll add a string value named AllocateCDRoms and set the Value Data to 1, as shown in Figure B.
Figure B: The AllocateCDRoms setting disables network access to the administrative share on the CD-ROM drive.
Note: Keep in mind that the AllocateFloppies and AllocateCDRoms values may already appear in the Winlogon key. If they do, you can just double-click on each value and change the Value Data to 1.
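The same two values can be audited, and corrected where needed, from a script. This is an added example, not part of the original article: it assumes PowerShell is installed and that the Winlogon key sits at its standard location, `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`. The function name `Get-AllocateState` and the `-Fix` switch are hypothetical names introduced here.

```powershell
# Added example: audit (and optionally set) AllocateFloppies / AllocateCDRoms.
# Assumption: the Winlogon key is at its standard location under HKLM.
param([switch]$Fix)   # run from an elevated prompt; -Fix writes the values

$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueNames   = 'AllocateFloppies', 'AllocateCDRoms'

function Get-AllocateState {
    param([string]$Path, [string]$Name)
    $key = Get-Item -Path $Path -ErrorAction Stop
    if ($key.GetValueNames() -notcontains $Name) {
        return 'Missing'
    }
    # The article specifies a string value (REG_SZ) whose data is "1".
    $kind = $key.GetValueKind($Name)
    $data = $key.GetValue($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::String) { return "WrongType($kind)" }
    if ($data -ne '1') { return "NotSet(data='$data')" }
    return 'Set'
}

foreach ($name in $ValueNames) {
    $state = Get-AllocateState -Path $WinlogonPath -Name $name
    Write-Output ("{0,-17} {1}" -f $name, $state)

    if ($Fix -and $state -ne 'Set') {
        if ($state -ne 'Missing') {
            # The value already exists (see the note above): remove it so it
            # can be recreated as a string value with the expected data.
            Remove-ItemProperty -Path $WinlogonPath -Name $name
        }
        New-ItemProperty -Path $WinlogonPath -Name $name -PropertyType String -Value '1' | Out-Null
        Write-Output ("{0,-17} now {1}" -f $name, (Get-AllocateState -Path $WinlogonPath -Name $name))
    }
}
```

Run without `-Fix`, the script only reports each value as `Set`, `Missing`, `WrongType` or `NotSet`, which makes it usable as a periodic configuration check.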