Can I restrict access to CD write capability?



jewels
07-10-2005, 03:19 AM
I'm wondering if there is a way for me to control which users have the
capability to write to a CD. I want them to be able to read, but not write.
I need control over the actual CD Drive, not any specific CD. Is there a way
to do this in XP Pro, and if so, how?

I've used a piece of software called DeviceLock in the past, but it has one
glaring flaw: While I can, in theory, allow read but not write via
DeviceLock, if an unauthorized user opens up the EasyCD Creator application,
it just bypasses the DeviceLock controls and lets them create a CD.

Thanks,
Jewels

Carey Frisch [MVP]
07-10-2005, 03:19 AM
Please visit the experts in the Group Policy newsgroup
news://msnews.microsoft.com/microsoft.public.windows.group_p­olicy

HOW TO: Use the Group Policy Editor to Manage Local Computer Policy in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;307882&Product=winxp

How to set, view, change, or remove special permissions for files
and folders in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308

How do I remove the CD Recording feature in Windows XP?
http://www.petri.co.il/disable_cd_recording_feature_in_windows_xp.htm

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

Get Windows XP Service Pack 2 with Advanced Security Technologies:
http://www.microsoft.com/athome/security/protect/windowsxp/choose.mspx

-------------------------------------------------------------------------------------------

"jewels" wrote:

| I'm wondering if there is a way for me to control which users have the
| capability to write to a CD. I want them to be able to read, but not write.
| I need control over the actual CD Drive, not any specific CD. Is there a way
| to do this in XP Pro, and if so, how?
|
| I've used a piece of software called DeviceLock in the past, but it has one
| glaring flaw: While I can, in theory, allow read but not write via
| DeviceLock, if an unauthorized user opens up the EasyCD Creator application,
| it just bypasses the DeviceLock controls and lets them create a CD.
|
| Thanks,
| Jewels

jewels
07-10-2005, 03:19 AM
Thanks Carey. I'll check it out.

jewels

"Carey Frisch [MVP]" wrote:

> Please visit the experts in the Group Policy newsgroup
> news://msnews.microsoft.com/microsoft.public.windows.group_p­olicy
>
> HOW TO: Use the Group Policy Editor to Manage Local Computer Policy in Windows XP
> http://support.microsoft.com/default.aspx?scid=kb;en-us;307882&Product=winxp
>
> How to set, view, change, or remove special permissions for files
> and folders in Windows XP
> http://support.microsoft.com/default.aspx?scid=kb;en-us;308
>
> How do I remove the CD Recording feature in Windows XP?
> http://www.petri.co.il/disable_cd_recording_feature_in_windows_xp.htm
>
> --
> Carey Frisch
> Microsoft MVP
> Windows XP - Shell/User
> Microsoft Newsgroups
>
> Get Windows XP Service Pack 2 with Advanced Security Technologies:
> http://www.microsoft.com/athome/security/protect/windowsxp/choose.mspx
>
> -------------------------------------------------------------------------------------------
>
> "jewels" wrote:
>
> | I'm wondering if there is a way for me to control which users have the
> | capability to write to a CD. I want them to be able to read, but not write.
> | I need control over the actual CD Drive, not any specific CD. Is there a way
> | to do this in XP Pro, and if so, how?
> |
> | I've used a piece of software called DeviceLock in the past, but it has one
> | glaring flaw: While I can, in theory, allow read but not write via
> | DeviceLock, if an unauthorized user opens up the EasyCD Creator application,
> | it just bypasses the DeviceLock controls and lets them create a CD.
> |
> | Thanks,
> | Jewels
>
>

Hunter1
07-10-2005, 03:19 AM
We found with XP pro that power-users were unable to burn CD's whilst
secpol was not set to "restrict CD-ROM access to locally logged on
users", only an administrator was able to burn CD's, when we enabled
this policy everyone was able to burn. In effect we had an opposite
problem to your own, and we resolved it be enabling that policy. By
default that policy should be disabled but perhaps in your case it is
enabled and you just need to disable it?

This "feature" is mentioned in http://www.cd-blaster.com/faq.shtml

What annoys me about it is if we DID want to enable sharing of CD-ROMs
across the network for power users and STILL want them to be able to
burn CD's it appears we would not be able to do so, good thing we've got
no use for that combination. Don't you love how Microsoft takes your
right to a choice away?


jewels wrote:
> I'm wondering if there is a way for me to control which users have the
> capability to write to a CD. I want them to be able to read, but not write.
> I need control over the actual CD Drive, not any specific CD. Is there a way
> to do this in XP Pro, and if so, how?
>
> I've used a piece of software called DeviceLock in the past, but it has one
> glaring flaw: While I can, in theory, allow read but not write via
> DeviceLock, if an unauthorized user opens up the EasyCD Creator application,
> it just bypasses the DeviceLock controls and lets them create a CD.
>
> Thanks,
> Jewels

jewels
07-10-2005, 03:19 AM
That's very interesting, Hunter. The systems I've been using up until now
had WinNT on them so I didn't experience the situation to which you are
referring. I'm now upgrading all the systems to XP Pro, so perhaps my
problem will be solved by default! Cool!

And yes, I do just LOVE how Microsoft takes away our choices by deciding
what they THINK we want rather than letting us make the decision.

jewels

"Hunter1" wrote:

> We found with XP pro that power-users were unable to burn CD's whilst
> secpol was not set to "restrict CD-ROM access to locally logged on
> users", only an administrator was able to burn CD's, when we enabled
> this policy everyone was able to burn. In effect we had an opposite
> problem to your own, and we resolved it be enabling that policy. By
> default that policy should be disabled but perhaps in your case it is
> enabled and you just need to disable it?
>
> This "feature" is mentioned in http://www.cd-blaster.com/faq.shtml
>
> What annoys me about it is if we DID want to enable sharing of CD-ROMs
> across the network for power users and STILL want them to be able to
> burn CD's it appears we would not be able to do so, good thing we've got
> no use for that combination. Don't you love how Microsoft takes your
> right to a choice away?
>
>
> jewels wrote:
> > I'm wondering if there is a way for me to control which users have the
> > capability to write to a CD. I want them to be able to read, but not write.
> > I need control over the actual CD Drive, not any specific CD. Is there a way
> > to do this in XP Pro, and if so, how?
> >
> > I've used a piece of software called DeviceLock in the past, but it has one
> > glaring flaw: While I can, in theory, allow read but not write via
> > DeviceLock, if an unauthorized user opens up the EasyCD Creator application,
> > it just bypasses the DeviceLock controls and lets them create a CD.
> >
> > Thanks,
> > Jewels
>


Can I restrict access to CD write capability?