WinSecWiki > Security Settings > Local Policies > Security Options > Devices > Restrict CD-ROM access to locally logged-on user only

Devices: Restrict CD-ROM access to locally logged-on user only

Like other “Devices:” settings this one has pretty narrow application and value. It’s designed to protect a user who mounts a CD-ROM containing sensitive information from having that information accessed by other users logged on to the computer from over the network. By default Windows does not share CD-ROMs anyway so it’s fairly unlikely this would happen anyway.

It is unclear whether this setting prevents Terminal Services users from access CD-ROMs when someone is logged on interactively.

Also interesting is the fact that should a user forget to remove the CD and logs off, network users will then be able to access the CD since no one is currently logged on locally (aka Interactive logon).

Enabling this setting can break certain applications. In particular it causes a problem for NTBackup and any other backup application that uses the Volume Shadow Copy service.

Bottom line

I recommend not enabling this policy because for most environments because of the low probability of risk and the problems it can cause.

Upcoming Webinars

Additional Resources

Devices

•	Allowed to format and eject removable media
•	Prevent users from installing printer drivers
•	Restrict CD-ROM access to locally logged-on user only
•	Restrict floppy access to locally logged-on user only
•	Unsigned driver installation behavior

User name:
Password:
	/ Forgot?
	Register

April 2025 Patch Tuesday	"Patch Tuesday - One Zero Day! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2025 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.