ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

What is and how can I test “protect the raw local disk device” option used in an IPS policy.

book

Article ID: 150434

calendar_today

Updated On:

Products

Data Center Security Server Advanced

Issue/Introduction

 

Resolution

   In test lab you can use diskpart to test the “protect the raw local disk device” as seen in the options provided below.

    

 Here is the background on what is being protected and why:

 

   In the policy we have rules that make the raw disk devices no access when this option is enabled. There are User mode file system programs that access the raw disk and emulate what the file system does. This type of program could be used to get around no-access rules in IPS policies. Also these programs when they access files would not show up in IDS file watch events. User mode file system programs can also ignore OS access controls.

 

   There are some legitimate uses of the raw disk access is by programs such as some backup programs.

 

  Here is what I did to test this option as working:

 

Warning please do not run "DISKPART> convert gpt" on prodcution systems.

 

C:\Users\Administrator>diskpart

 

Microsoft DiskPart version 6.1.7601

Copyright (C) 1999-2008 Microsoft Corporation.

On computer: WIN-7FTRKH7JLI5

 

DISKPART> select disk=1

 

Disk 1 is now the selected disk.

 

 

DISKPART> convert gpt

 

DiskPart has encountered an error: Access is denied.

See the System Event Log for more information.

 

DISKPART>