
What is the “protect the raw local disk device” option used in an IPS policy, and how can I test it?


Article ID: 150434


Updated On:


Data Center Security Server Advanced




   In a test lab you can use diskpart to test the “protect the raw local disk device” option, as shown in the output below.


 Here is the background on what is being protected and why:


   When this option is enabled, rules in the policy set the raw disk devices to no access. There are user-mode file system programs that access the raw disk directly and emulate what the file system does. This type of program could be used to get around no-access rules in IPS policies. File accesses made by these programs also would not show up in IDS file watch events. User-mode file system programs can also ignore OS access controls.


   There are some legitimate uses of raw disk access, for example by some backup programs.


  Here is what I did to test that this option is working:


Warning: please do not run "DISKPART> convert gpt" on production systems.




Microsoft DiskPart version 6.1.7601

Copyright (C) 1999-2008 Microsoft Corporation.

On computer: WIN-7FTRKH7JLI5


DISKPART> select disk=1


Disk 1 is now the selected disk.



DISKPART> convert gpt


DiskPart has encountered an error: Access is denied.

See the System Event Log for more information.
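
A non-destructive way to run the same check, as an added example (not part of the original article or of the product): the PowerShell script below only tries to open the raw disk device read-only, so nothing on the disk is changed. It assumes disk number 1, as in the DiskPart session above, and that the policy denies read opens of the raw device as well as writes.

```powershell
# Added example: read-only open of a raw disk device to check the IPS option.
# Assumption: disk number 1 mirrors the DiskPart session; adjust for the lab machine.
param([int]$DiskNumber = 1)

# An unelevated process is refused by Windows itself, which would mask the policy result.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated prompt so that a denial can be attributed to the IPS policy.'
}

# FileStream on .NET Framework rejects \\.\ device paths, so call CreateFile directly.
Add-Type -Namespace RawDiskTest -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFile(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes,
    uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);
'@

$GENERIC_READ = [uint32]2147483648   # 0x80000000
$SHARE_RW     = [uint32]3            # FILE_SHARE_READ | FILE_SHARE_WRITE
$OPEN_EXISTING = [uint32]3
$path = "\\.\PhysicalDrive$DiskNumber"

$handle = [RawDiskTest.Native]::CreateFile($path, $GENERIC_READ, $SHARE_RW,
    [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
$lastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()

if (-not $handle.IsInvalid) {
    # The open succeeded: raw disk access is not being blocked for this process.
    $handle.Close()
    "ALLOWED: $path opened read-only; raw disk protection is not in effect for this process."
}
elseif ($lastError -eq 5) {
    # Win32 error 5 is ERROR_ACCESS_DENIED, the same result DiskPart reported.
    "DENIED: $path returned 'Access is denied' (Win32 error 5)."
}
else {
    # Any other code (for example 2, device not found) says nothing about the policy.
    "INCONCLUSIVE: opening $path failed with Win32 error $lastError."
}
```

Run it once with the option disabled and once with it enabled; the result should change from ALLOWED to DENIED only when the policy is what blocks the open.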