WinSecWiki > Security Settings > Local Policies > Security Options > Devices > Restrict floppy access to locally logged-on user only

Devices: Restrict floppy access to locally logged-on user only

Like other “Devices:” settings this one has pretty narrow application and value. It’s designed to protect a user who mounts a floppy containing sensitive information from having that information accessed by other users logged on to the computer from over the network. By default Windows does not share floppies anyway so it’s fairly unlikely this would happen anyway. 

It is unclear whether this setting prevents Terminal Services users from access floppies when someone is logged on interactively.

Also interesting is the fact that should a user forget to remove the floppy and logs off, network users will then be able to access the floppy since no one is currently logged on locally (aka Interactive logon).

Enabling this setting can break certain applications. In particular it causes a problem for NTBackup and any other backup application that uses the Volume Shadow Copy service.

Bottom line

I recommend not enabling this policy because for most environments because of the low probability of risk and the problems it can cause.

Back to top

 

Upcoming Webinars Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources