Is there an easy way to control access to D Drive?

Discussion in 'other anti-malware software' started by justenough, Jan 3, 2014.

Thread Status:
Not open for further replies.
  1. MisterB

    MisterB, Registered Member (joined May 31, 2013; 1,267 posts; location: Southern Rocky Mountains USA)
    Actually, I find it a bit excessive. The purpose of the D: drive is to store data, and a user needs to access and modify the data. Yes, malware can modify it too, but if the C: drive is secure and the general security setup is good, there shouldn't be any malware in the first place, and if it gets downloaded onto the D: drive, it will require administrator privileges to run, which the read/write permission will deny to a limited user account. In order to use a computer effectively, data needs to be read and written somewhere. There is always a trade-off between ease of use and security, but for my own computer, I don't want to have to give an administrator password just to write or save a file to a data drive. I do, if I am going to run or install a new piece of software.
     
  2. Same here:

    Deny download of executables: 1806 trick
    Deny execute access to USB-drives: GPO
    Deny execute access to data partitions for everyone: ACL (removed temp dir files of Internet and Mail to D:\, including download)
    Deny execute for basic users outside safe folders: SRP

    This leaves me the option to execute using right click "run as admin" from Temp directory.
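
The "deny execute access to data partitions for everyone: ACL" item from the list above, sketched as an added example (not code from the post or from any participant in this thread). It assumes the data volume is `D:\` and an elevated PowerShell session; `$Root` and `-Apply` are names chosen for this example.

```powershell
# Added example: deny "execute file" on a data volume through an inherit-only ACE.
# Assumptions: data volume is D:\, session is elevated. Without -Apply nothing is changed.
param(
    [string]$Root = 'D:\',
    [switch]$Apply
)

$execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

# Well-known SID S-1-1-0 (Everyone); the SID avoids localized group names.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

# ExecuteFile shares its bit with Traverse. ObjectInherit + InheritOnly places the
# deny on files only, so folders stay browsable and read/write to data is untouched.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone,
    $execute,
    [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    [System.Security.AccessControl.AccessControlType]::Deny)

function Test-DenyExecute([string]$Path) {
    # Look at explicit rules only, with identities returned as SIDs.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Deny' -and
            $r.IdentityReference.Value -eq 'S-1-1-0' -and
            ($r.FileSystemRights -band $execute)) { return $true }
    }
    return $false
}

if ($Apply -and -not (Test-DenyExecute $Root)) {
    $acl = Get-Acl -LiteralPath $Root
    $acl.AddAccessRule($rule)
    # Propagation to existing files can take a while on a large volume.
    Set-Acl -LiteralPath $Root -AclObject $acl
}

"Deny-execute ACE for Everyone present on ${Root}: $(Test-DenyExecute $Root)"
```

Because the deny entry names Everyone, it also applies to administrator accounts, and files whose inheritance has been disabled will not receive it.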
     
  3. MrBrian

    MrBrian, Registered Member (joined Feb 24, 2008; 6,032 posts; location: USA)
    It seems there are two different topics being commingled in this thread:
    1. Measures to try to stop malware in the first place.
    2. Measures to try to stop malware from writing to any file on volume D.

    I addressed #2. My understanding is that justenough is using volume D only for backing up data files - no programs are installed on volume D. If justenough is using a UAC-protected admin account, then launching Q-Dir (or whatever) as admin doesn't require a password. Or instead of Q-Dir, one could use Windows Explorer when transferring files to volume D, but one will then get a UAC prompt on every transfer, which might get annoying.
     
  4. pegr

    pegr, Registered Member (joined Apr 8, 2008; 2,280 posts; location: UK)
    I think I may have misunderstood what you use the D drive for. I thought it was a working data partition that programs need access to. If that's not the case and it's a backup partition that is only used to back up data files that are held elsewhere, then it is possible to protect it using AppGuard. What you have to do is to go into the Guarded Apps tab and set D:\ as a Protected Resource (read only).

    That will prevent guarded applications from writing to it. Unlike Private Folders, which also requires Privacy Mode to be set to On, a Protected Resource is automatically off limits to ALL guarded applications in terms of write access, but they will still be able to read it.
     
  5. justenough

    justenough, Registered Member (joined May 13, 2010; 1,549 posts)
    Yes, I am manually dragging files and programs etc. to and from D drive; nothing runs from there and nothing on C drive accesses data automatically from D drive, except maybe when an AV is scanning D.

    For now I'm going to use AppGuard, it's already on my computer. I've added D:\ to Guarded Apps, Folders and set it to Read/Write.

    It was pointed out that if my protection is good, nothing is going to get to D, so I'm increasing security by adding an AV. (edit: instead of an AV, I'm trying Online Armor with AppGuard and Sandboxie.)
     
    Last edited: Jan 9, 2014
  6. pegr

    pegr, Registered Member (joined Apr 8, 2008; 2,280 posts; location: UK)
    If you wanted to protect the D: drive from being written to by Guarded Apps, wouldn't setting D:\ to Read Only within AppGuard to make it a Protected Resource have suited your purpose better?

    Setting it to Read Only would only prevent Guarded Apps from writing to it. Unguarded apps - e.g. backup software - would still be able to write to it as normal.
     
  7. justenough

    justenough, Registered Member (joined May 13, 2010; 1,549 posts)
    Thanks pegr, I was assuming that I also needed Write for how I'm using D drive. I now have it set to Read only.
     
  8. justenough

    justenough, Registered Member (joined May 13, 2010; 1,549 posts)
    Along with the other suggestions made in this thread, I'll be trying these settings and your other Safe Admin settings a little at a time and see what I can find online about each one so I understand what they do.
     