What is and how can I test “protect the raw local disk device” option used in an IPS policy.
Last Updated August 05, 2016
In a test lab you can use diskpart to test the “protect the raw local disk device” option, as shown in the session below.
Here is the background on what is being protected and why:
When this option is enabled, the policy contains rules that deny all access to the raw disk devices. There are user-mode file system programs that access the raw disk directly and emulate what the file system does; such a program could be used to get around no-access rules in IPS policies. Files that these programs touch also do not show up in IDS file watch events, and user-mode file system programs can ignore OS access controls.
There are some legitimate uses of raw disk access, for example by some backup programs.
Here is what I did to test this option as working:
Warning: please do not run "DISKPART> convert gpt" on production systems.
Microsoft DiskPart version 6.1.7601
Copyright (C) 1999-2008 Microsoft Corporation.
On computer: WIN-7FTRKH7JLI5
DISKPART> select disk=1
Disk 1 is now the selected disk.
DISKPART> convert gpt
DiskPart has encountered an error: Access is denied.
See the System Event Log for more information.
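A non-destructive way to exercise the same rules from PowerShell, added here as an example and not part of the original article: it assumes an elevated prompt on a lab host with the policy applied, disk 1 as in the diskpart session above, and that the agent's block surfaces as the standard Windows access-denied error.

```powershell
# Added example (not from the original article): check that the
# "protect the raw local disk device" rules deny raw access to a physical disk.
# Assumptions: elevated PowerShell on a lab host with the IPS policy applied;
# $DiskNumber is the secondary lab disk (disk 1 in the article's session).
# The device is opened read-only, so nothing on the disk is modified.
function Test-RawDiskProtected {
    param([int]$DiskNumber = 1)
    $device = "\\.\PhysicalDrive$DiskNumber"
    try {
        # Open the raw device for read; a working rule fails here with "Access is denied".
        $fs = [System.IO.File]::Open($device, 'Open', 'Read', 'ReadWrite')
        try {
            $buffer = New-Object byte[] 512
            # Read the first sector (MBR / protective MBR) to prove raw access works.
            $read = $fs.Read($buffer, 0, $buffer.Length)
        } finally { $fs.Dispose() }
        [pscustomobject]@{ Device = $device; Protected = $false
                           Detail = "read $read bytes: raw access is NOT blocked" }
    } catch [System.UnauthorizedAccessException] {
        # ERROR_ACCESS_DENIED is what the policy is expected to produce.
        [pscustomobject]@{ Device = $device; Protected = $true
                           Detail = $_.Exception.Message }
    } catch {
        # Any other error (device missing, not elevated) is not a policy result.
        [pscustomobject]@{ Device = $device; Protected = $null
                           Detail = "unexpected: $($_.Exception.Message)" }
    }
}

Test-RawDiskProtected -DiskNumber 1 | Format-List
```

With the option disabled the function reports Protected = False and a 512-byte read; with it enabled it reports Protected = True, matching the diskpart "Access is denied" result, and the System Event Log can then be checked for the corresponding agent entry.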