Protecting drive

I have been trying to block access to certain drives and I have been unsuccessful for quite some time.  I have pretty much given up, however I saw a program called Fortress that effectively blocked access to selected drives.  The drives were in effect "write-protected".  For example, you can open a file and edit it, however when I went to save it I got different error messages in several different programs:

MS Word - Cannot save the file. 'C:\temp\doc1.doc' is not a valid file name.

Notepad - You do not have permission to open this file. (Appeared while saving!)

MS Dos Edit - Edit was unable to access the file 'C:\temp\doc1.doc'. (While windows was running.)

It's almost as if it made the hard drive read-only.  However Windows has to write to certain files and it did not report any errors, so I'm not sure how Fortress accomplished this.

Can anyone offer any suggestions of how to accomplish what is described above?  Note:  Solution MUST work in Win 95/98.
matt_whiteAsked:

Jon_RaymondCommented:
Why not use network security?  But, you should be able to retrieve the current drive or the location of whatever it is you are accessing or writing to.  Are these locations specified in your code?  If so, you can trap for the drive letter.  Then use something like:

' vbTextCompare makes the check match "H:" as well as "h:"
If InStr(1, PathVariable, "h:", vbTextCompare) > 0 Then
   MsgBox "Access denied"
Else
   ' path is not on the blocked drive; continue with the file operation
End If
0
matt_whiteAuthor Commented:
I need to stop access to the hard drive outside my program.

Also, there is a network, but no server.  Just a bunch of Windows pc's connected together with a hub.
0
mcriderCommented:
This is a really old solution, and a lot of people forget about it, but, it still works in 85/98/NT...

Using the DOS command SUBST, you can set an existing drive to be another directory, which blocks all access to the original information on the drive...

Let's say you have an E drive that has 15 directories on it.  When you execute:

    Shell "SUBST E: C:\TMP"

the E drive is pointed to C:\TMP and those 15 directories "disappear" and can't be accessed until the SUBST is deleted using:

    Shell "SUBST E: /D"

You can lock and unlock a drive this way... If you rename the SUBST.EXE command to something else, only you will know the drive is SUBST'd and how to unlock it....


Hope this helps!


Cheers!

0

matt_whiteAuthor Commented:
mcrider, this is ok for some drives, however subst does not work on network drives.

Also, I need to hide the hard drive. I'm not sure but I think if I re-mapped the hard drive, windows might have trouble?

Is there a windows message that I could hook and destroy?
0
Jon_RaymondCommented:
On a peer network you should limit access from each system to specific user logins.  Is this for a specific login?  Is it on an NT system?  On NT you can logon as administrator and remove all other users from the administrators group.  There might be a way there to limit access to a local drive.
0
matt_whiteAuthor Commented:
Sorry, we are not using NT. (Wish we were)

What I basically need is a way to hide a drive so that Windows and apps can see them, however the user can not view them via the Explorer, Save As, Open, etc.
0
gambisticsCommented:
There's a way of hiding drives from Explorer and the standard Save As, Open, etc. boxes. But it's not very secure because you only have to type in e.g. 'C:' in a Save box and you have access again, because the drives are only hidden and not write protected.

Under this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

you can set this.
You have to create a DWORD value NoDrives. If you want to hide 'A:' the value has to be 1.
B - 2
C - 4
D - 8
E - 16
....
If you want to hide various drives you have to sum up the specific values for these drives.
0
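The NoDrives arithmetic gambistics describes (A=1, B=2, C=4, ... summed per hidden drive), as an added example that is not part of the original thread. It builds the DWORD from drive letters and decodes an existing value so the setting can be audited; the function names and the sample drive list are assumptions, and as the thread points out the value only hides drives from listings.

```python
import string

LETTERS = string.ascii_uppercase  # bit 0 = A:, bit 1 = B:, ... bit 25 = Z:


def nodrives_mask(drives):
    """Sum the per-drive values (A=1, B=2, C=4, D=8, E=16, ...) into one DWORD."""
    mask = 0
    for drive in drives:
        letter = drive.strip().rstrip(":").upper()
        if len(letter) != 1 or letter not in LETTERS:
            raise ValueError(f"not a drive letter: {drive!r}")
        mask |= 1 << LETTERS.index(letter)  # OR, so a repeated letter is harmless
    return mask


def hidden_drives(mask):
    """Decode a NoDrives DWORD back into the drive letters it hides."""
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("NoDrives is a 32-bit DWORD")
    # Bits 26-31 correspond to no drive letter and are not reported.
    return [LETTERS[i] for i in range(26) if mask & (1 << i)]


def audit(mask, present):
    """Split the drives present on a machine into (hidden, still_listed)."""
    hidden = set(hidden_drives(mask))
    present = sorted({p.strip().rstrip(":").upper() for p in present})
    return ([d for d in present if d in hidden],
            [d for d in present if d not in hidden])


if __name__ == "__main__":
    # Constructed sample: hide C: and D: on a PC that has A:, C:, D: and E:.
    value = nodrives_mask(["C:", "D:"])
    print(f"NoDrives = {value} (0x{value:08X})")
    print("hides:", hidden_drives(value))
    print("audit:", audit(value, ["A", "C", "D", "E"]))
```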
Jon_RaymondCommented:
That sounds like a possibility.  You just need to use some registry class APIs to make it work.  I have some sample code that I found here at EE, though I haven't ever tried it.  I will post it if you like.
0
matt_whiteAuthor Commented:
The NoDrive value is the way I am currently doing it. However, as gambistics has pointed out, the user can still type C: and they will be shown the C drive.  Even worse though, Windows defaults to C:\My Documents (quite often) when saving a document, and even though the C: drive may be hidden via the NoDrives value the user is started out looking at the C: drive whenever they save a document.

I am just wondering if there is some message that is sent out that I could hook and intercept.
0
st_steveCommented:
the solution from gambistics has one flaw (as matt_white already found)....if the user goes to Internet Explorer (4.x or later) and types "C:" in the address box, drive C: is available...it's just for hiding from Windows Explorer...not write-protecting it.

A word of thought about what "mcrider" wrote.....sure you rename the "SUBST" command to something else.....but then if the hacker knows that you used subst, he can also bring his "own" copy of "SUBST" and undo whatever you did with it, am I right??

Let me know...I'm sure I'll get a lot of criticisms!!!
0
mcriderCommented:
st_steve,

With windows, nothing is perfect and nothing is ever truly secure.  That's why the U.S. Govt will not rate windows higher than a C2 classification. SUBST is so old, most everyone has forgotten it.  If you're truly worried about hackers, win95/98/NT/2000 is not for you.

As for a hacker bringing along a copy of SUBST, if they're that determined... ;-)


Cheers!
0
gambisticsCommented:
With Windows NT/2000 you can easily write protect files. But you need NTFS which supports security and encryption.
0
st_steveCommented:
Err.....mcrider....I think you addressed that comment to the wrong person! I'm not the one who wanted to protect the W95/98 system!! I would actually advise against people trying to use W95/98 for secure terminals!

I think your comment was meant to be for matt_white .....correct me if I'm wrong!
0
st_steveCommented:
and no one has to be THAT determined to copy a small program such as SUBST if it's going to let them in the system!
0
mcriderCommented:
st_steve,

No it was directed to your response AND to matt_white...


Cheers!

0
matt_whiteAuthor Commented:
So the basic answer here is that it is not worth trying to secure Win 95/98?  

What then would be some of the more secure operating systems?
0
Jon_RaymondCommented:
NT4, Win2000 (which will be available by the time this question is answered), as suggested earlier.
0
mcriderCommented:
matt_white said, "What then would be some of the more secure operating systems?"


Like I said earlier, WIN/95/98/NT/2000 are not classified as secure operating systems.  If you are truly interested in secure operating systems, then you need to be moving to the unix environment.

There are several OS systems that have been approved as B1 Certified or B1 Compliant.  To make a long story short, B1 Certified systems have been tested and approved by the NSA (National Security Agency, a US Govt branch) to process information above the UNCLASSIFIED level of information (like CONFIDENTIAL, SECRET, TOP-SECRET, etc.)

These OS systems include:

   * HP-UX BLS 8.0 - 9.x
   * HP-UX CMW+
   * DEC Ultrix CMW+
   * SCO Secure Unix 3.0 (CMW)

All of the above run on proprietary hardware (except SCO which runs on the PC hardware).

If you're interested in discussing any of these platforms, let me know...


Cheers!
0
matt_whiteAuthor Commented:
mcrider, I am wondering where you are getting your information?  If it is an internet site, could you provide the url?  I am doing a report on security issues that that would come in handy for.
0
mcriderCommented:
I have been a security analyst consultant for over 15 years and have had security consulting contracts with such entities as the US NAVY, NSA, and Hewlett-Packard.

Have you ever heard of the "Orange Book"?  It's an affectionate name for the "Trusted Computer System Evaluation Criteria" (TCSEC) and is published by the Department of Defense (DoD 5200.28-STD).  The reason it's called the orange book is because the ugly paper cover is orange.  It is part of a series of documents known as the "rainbow series" because each book in the series has a different paper cover color.

There is also a "Red Book", the "Trusted Network Interpretation (TNI) of the Trusted Computer System Evaluation Criteria". It contains information to enable the Orange Book principles to be applied in a network environment.

Anyways, back to the orange book, it defines classes of security (Divisions) from D to A... "D" being the lowest level of security (no security) and "A" being the highest level of security.

There are numbers that go with the letters... The higher the number, the higher the level of security in that category.  Here is an example of the security levels and what they deal with:


Division D: Minimal Protection

Division C: Discretionary Protection
   Class (C1): Discretionary Security Protection
   Class (C2): Controlled Access Protection

Division B: Mandatory Protection
   Class (B1): Labeled Security Protection
   Class (B2): Structured Protection
   Class (B3): Security Protection

Division A: Verified Protection
   Class (A1): Verified Design
   Beyond Class(A1)


Here are some websites that may interest you:

  http://www.us.kernel.org/pub/linux/libs/security/Orange-Linux/refs/Orange/OrangeI-II.html

  http://www.netsurf.com/nsf/v01/01/resource/trusted.html


By the way, I think this deserves some points, don't you??  ;-)



Cheers!

0
matt_whiteAuthor Commented:
Yes, you guys deserve points.  However I don't want to give 500 points for a "NO" answer.  I've put a question into CS to see how it is best to split up the points without deleting this question.

Here is how it stands:

mcrider      - 50 pts.
gambistics   - 30 pts.
Jon_Raymond  - 20 pts.

Is this ok?

0
mcriderCommented:
To split points, you need to open up three separate questions with the titles:

   "FOR MCRIDER ONLY"
   "FOR GAMBISTICS ONLY"
   "FOR JON_RAYMOND ONLY"

and assign the points you want to give them... By the way, here you said:

   mcrider      - 50 pts.
   gambistics   - 30 pts.
   Jon_Raymond  - 20 pts.

but in your message at CS you said:

   Jon_Raymond  - 20 pts.
   mcrider      - 20 pts.
   gambistics   - 20 pts.

Did you change your mind?


Cheers!



0
matt_whiteAuthor Commented:
Yes, I changed my mind.

I can put out three questions, but what do I do with this question?
0
mcriderCommented:
Go back to your question at CS and ask them to refund your points for this question...


Cheers!
0
ianBCommented:
Hi,

As requested I have awarded 3 questions:

   mcrider      - 50 pts.
   gambistics   - 30 pts.
   Jon_Raymond  - 20 pts.

Each expert will find their question in this topic area.

I will answer this question so it can be saved and refund 400 points back to the user's account.


Ian
Community Support @ Experts Exchange
0

matt_whiteAuthor Commented:
Thank you!
0