This entry restricts access to the CDs in the CD-ROM drives to the user
currently logged on to the computer. In this mode, CDs are allocated to the user
as part of the interactive logon process and are freed for general use or for
reallocation only when that user logs off. This parameter satisfies part of the
C2 security requirement that removable media must be securable. If this value
entry is not added, the contents of the CDs in the drives will be available to
all domain administrators remotely.
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon
Name: AllocateCDRoms
Type: REG_DWORD
Value: 1 restrict to user logged onto console.
Actually this limits access to the INTERACTIVE group. There is a potential
gotcha! when this security setting is implemented. If you are logged onto the
box and run an install that runs not under your security context but as SYSTEM
(some things do install using SYSTEM). Unfortunately the SYSTEM account is not a
member of the INTERACTIVE group and thus will not have access to the CDROM. You
will have to turn the AllocateCDRoms setting off to give
the SYSTEM account access to the local CDROM.
