NT Gatekeeper: Hiding Logical Drives

On our newly installed Windows NT 4.0 machines, we provide a local logical S drive, which contains all Windows installation files (i.e., the contents of the i386 directory on the NT Workstation 4.0 installation CD-ROM). Only administrators should be able to access the drive's content. We can use access control settings to limit access to administrators, but which other security features can we use to hide this drive from users?

You can use a little-known NT 4.0 feature to hide a particular drive. Hiding the drive prevents it from displaying under Windows Explorer's My Computer icon and in the File Open and Save dialog boxes of Windows applications.

To hide the drive, you must create a new registry value on all your newly installed NT 4.0 machines. The new value, called Nodrives (of type REG_DWORD), must be in the HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer registry subkey. To hide the S drive, for example, set the Nodrives value to 00000001000000000000000000 (written here in binary). Nodrives uses a 32-bit word to define local and network drive visibility for each of a computer's logical drives. The lower 26 bits of this 32-bit word correspond to drive letters A through Z. A drive is visible when the bit for its letter is set to 0 and hidden when the bit is set to 1.

When you view the Nodrives value in binary mode, the rightmost position of the bitmask corresponds to drive A. In the example above, the 19th bit (if you count backwards from right to left) represents drive S.
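The bit layout described above, as an added example (not code from the original column): a small Python helper that builds the Nodrives DWORD from drive letters, decodes a value read back from a machine during an audit, and renders a REGEDIT4 import fragment. The function names are hypothetical; the subkey and value name are the ones given in the text.

```python
import string

LETTERS = string.ascii_uppercase  # bit 0 = A ... bit 25 = Z
LETTER_BITS = (1 << 26) - 1       # only the lower 26 bits map to drives
# Subkey as given in the text above.
KEY = (r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows"
       r"\CurrentVersion\Policies\Explorer")


def nodrives_mask(letters):
    """Return the DWORD that hides every drive letter in `letters`."""
    mask = 0
    for raw in letters:
        letter = raw.strip().rstrip(":").upper()  # accept "s", "S:" ...
        if len(letter) != 1 or letter not in LETTERS:
            raise ValueError(f"not a drive letter: {raw!r}")
        mask |= 1 << LETTERS.index(letter)
    return mask


def hidden_drives(mask):
    """Decode a Nodrives DWORD into the drive letters it hides."""
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("Nodrives is a 32-bit value")
    return [LETTERS[i] for i in range(26) if (mask >> i) & 1]


def binary_view(mask):
    """26-character bit string, drive A in the rightmost position."""
    return format(mask & LETTER_BITS, "026b")


def reg_fragment(mask):
    """Render a REGEDIT4 import file that sets Nodrives to `mask`."""
    return f'REGEDIT4\n\n[{KEY}]\n"Nodrives"=dword:{mask:08x}\n'


if __name__ == "__main__":
    m = nodrives_mask(["S"])
    print(binary_view(m), hex(m), hidden_drives(m))
    print(reg_fragment(m))
```

Decoding the value found on a machine with `hidden_drives` shows which drives are only hidden from Explorer and the common dialogs, and therefore still depend entirely on their access control settings.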

In some cases, this "security by obscurity" offers a partial solution. Nevertheless, you must set appropriate access controls on the S drive. The Nodrives registry change doesn't prevent logical drives from appearing in the file manager (winfile.exe) or command prompt (cmd.exe), so experienced NT users might still see and access the content of the drive if you don't enforce proper access control settings.

