| VID |
28341 |
| Severity |
40 |
| Port |
139,445 |
| Protocol |
TCP |
| Class |
SMB |
| Detailed Description |
The Windows system is configured so that the floppy drive is available to all users on the system. If required by your security policy, the floppy drive should only be available to the user who is logged on at the console. Because the floppy disk drive is a volume, by default it is shared as an administrative share on the network. If the value of the AllocateFloppies registry entry is 1, the floppy disk drive is allocated to the user as part of the interactive logon process and, therefore, only the current user can access it. This prevents administrators and remote users (and even the same user at a different workstation) from accessing the drive while the current user is logged on. The drive is shared again when the current user logs off.
* Note: This check requires an account with Guest or higher privileges that can access the registry of the remote host being scanned. If this condition is not met, the check is not performed, which results in a false negative for all vulnerable hosts.
* References: http://support.microsoft.com/support/kb/articles/Q172/5/20.ASP
* Platforms Affected: Windows Any version |
| Recommendation |
Configure the system so that the floppy drive is available only to the currently logged-on user. In Windows NT, this requires an edit to the registry. In Windows 2000, set the Restrict floppy access to locally logged-on user only option. Follow the steps below appropriate for your system.

For Windows NT:
1. Open the Registry Editor. (From the Windows NT Start menu, select Run, type regedt32, and click OK.)
2. Go to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.
3. Change the value of the AllocateFloppies entry to 1 (REG_SZ).

For a Windows 2000 domain:
1. Start Microsoft Management Console (from the DOS prompt, type "mmc").
2. Add the Group Policy snap-in.
3. Browse Group Policy Objects.
4. Select the Domain Policy of interest.
5. Traverse the following path: Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
6. Set the "Devices: Restrict floppy access to locally logged-on user only" option to the desired setting.

For a stand-alone Windows 2000 computer:
1. From the DOS prompt on the affected computer, start gpedit.msc. The focus is local computer by default.
2. Traverse the following path: Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
3. Set the "Devices: Restrict floppy access to locally logged-on user only" option to the desired setting.

For Windows XP, 2003, 7, 2008, 8, 2012, 10, 2016, 2019 computers:
1. From the DOS prompt on the affected computer, start gpedit.msc. The focus is local computer by default.
2. Traverse the following path: Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
3. Set the "Devices: Restrict floppy access to locally logged-on user only" option to the desired setting. |
| Related URL |
CVE-1999-0594 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
1318 (ISS) |
|
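Added example (not part of the original advisory): a PowerShell function that audits the AllocateFloppies entry named in the Windows NT steps on the local machine and, with -Remediate, sets it to 1 (REG_SZ). The function name Test-FloppyAllocation and its status labels are assumptions made for this example.

```powershell
# Added example: audit the Winlogon\AllocateFloppies entry described in the
# Recommendation. Function name and status labels are illustrative.
function Test-FloppyAllocation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # When set, write AllocateFloppies = "1" (REG_SZ) if the host is not compliant.
        [switch]$Remediate
    )

    $path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $name = 'AllocateFloppies'

    $key   = Get-Item -LiteralPath $path -ErrorAction Stop
    $value = $key.GetValue($name, $null)
    $kind  = $null

    if ($null -eq $value) {
        # Entry absent: the drive keeps its default behaviour and stays shared.
        $status = 'NotConfigured'
    } else {
        $kind = $key.GetValueKind($name)
        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::String) {
            # The advisory specifies REG_SZ; flag any other type for review.
            $status = 'WrongType'
        } elseif ("$value" -eq '1') {
            $status = 'Compliant'
        } else {
            $status = 'NonCompliant'
        }
    }

    if ($Remediate -and $status -ne 'Compliant' -and
        $PSCmdlet.ShouldProcess("$path\$name", 'Set to 1 (REG_SZ)')) {
        # -Force replaces an existing value, including one stored with the wrong type.
        New-ItemProperty -LiteralPath $path -Name $name -Value '1' `
            -PropertyType String -Force | Out-Null
        return Test-FloppyAllocation   # re-read and report the new state
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Entry    = $name
        Value    = $value
        Kind     = $kind
        Status   = $status
    }
}

Test-FloppyAllocation            # audit only; add -Remediate -WhatIf to preview the change
```

Writing the value requires an elevated session. Where the "Devices: Restrict floppy access to locally logged-on user only" option is set through Group Policy, change it there rather than in the registry.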