
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 343

Disable access to FAT partition


I'd like to disable access to a FAT partition under NT4
for normal users. The system however shall still be able
to allow access to network shares on that partition. Any

BTW.: I know how to disguise the existence of a partition
in the explorer, but that's not what I am looking for.
1 Solution
the only way I know is TWEAKUI where you can disable drives so that they won't appear in "My Computer".
'cause TWEAKUI simply changes the registry, there must be a setting there.

Hope the following links are still alive:
fremsley (Author) commented:
Thank you,

but that's the method I wrote I am not looking for because:

  a) the user is still allowed to access the drive if he
     knows the drive letter

  b) this is done in the user's registry tree, so he can
     always change it back

What I am trying to do is getting some degree of access
control (using the net share level restrictions) on a FAT
drive. The machine has installed NT4 and Linux and
unfortunately FAT partitions are the only file system
that both systems can read and write.

Best regards
fremsley (Author) commented:
I just found information about using the old NT 3.5 HPFS
driver with NT4. If it really does work the partition could
as well be formatted with an HPFS file system, since Linux
offers read/write access to HPFS, too.

BTW, I'm using Linux's NTFS driver for read/write since years, without problems (didn't do extensive tests, just simple text files).
And there's also an ext2 explorer for NT (didn't test writing with it 'cause I won't trust NT:)
I don't know why this is a problem.

Highlight the Drive in My Computer, left click for properties and then go to Security.  Select the users that you want to have access to the entire drive (Administrators, etc.)

Then go to each shared directory, do the same and give whoever you want to have access rights to those shares the same.

fremsley (Author) commented:
> BTW, I'm using Linux's NTFS driver for read/write since years,
> without problems (didn't do extensive  tests, just simple text files).

I once tried the NTFS driver of the 2.2 kernel and the file system got
corrupted -- that's probably the reason why write support is still
called 'dangerous.'

> And there's also a ext2 explorer for NT (didn't test writing with it
> 'cause I won't trust NT:)

And I don't trust the users of the systems I have to administrate!
That's why I am trying to restrict access to the NT/Linux shared
volume. Linux does not respect access control lists on NTFS file
systems so security is, like with FAT partitions, all or nothing.
For the same reason giving the users access to ext2 file systems
under NT is not a solution.

FAT volumes however can be mounted using the umsdos driver adding
Unix access modes to the file system. Maybe an even better solution
would be using an HPFS file system (I tried the old NT 3.5 driver
this weekend and it seems to work perfectly) because the Linux
HPFS driver uses its extended attributes for Unix access control,
symlinks, etc.

Best regards
fremsley (Author) commented:

yesterday I noticed an interesting feature of NT that might
help getting some sort of access control on FAT/HPFS

Drive S: stores directories for all users and one called
'public' which all users should be able to access. I used
the subst command to redirect them to drive letters:

  subst H: S:\fremsley
  subst P: S:\public

After that I opened the Disk Manager (windisk.exe) and
removed the associated drive letter S: from the partition.
Now access to drive S: is not possible, the substituted
drive letters however still work well.

Is there any way to run windisk in batch mode with
system access rights (I don't want the normal users to
run it explicitly) at each login?
> Is there any way to run windisk in batch mode with system access rights

Install su.exe and the corresponding service from NT's ResKit. And use su like you do on UNIX :-)
fremsley (Author) commented:
Hello ahoffmann,

That's half the solution already, but -- as I have found
out meanwhile -- there is no way to run windisk.exe without
the graphical interface, which makes it perfectly unusable
for this job :-(

I have found however a tool called NTsubst which will
create drive letters for directory trees whose partitions
do not even have an associated drive letter. Trying to
understand what this little program does, I had to dive
a bit deeper into the details of NT's architecture, and
I believe to have found a way:

- There must be one special account which can log onto the
  machine and has the right to create symbolic links in
  the kernel object manager's namespace under \??\, aka
  \DosDevices\ (this is the one that will be used with the
  su command)

- All normal user accounts must _not_ be able to create
  such symbolic links.

So my question is: do you think the above configuration
is possible (and what's the name of the access right I'll
have to restrict for normal users -- there are quite a
lot and I am not an experienced NT admin, but originated
from Unix land)?

Unfortunately I have no NT4 machine at hand for the
moment, but I would try it on weekend.

Best regards

> .. above configuration is possible ..
hmm, if you say it works, I'll believe it ;-)

> .. and what's the name of the access right ..
I do not know either (UNIXman too), but I suggest to use cacls.exe, or better xcacls.exe, and check what changes in the registry.
But keep in mind that permissions are done in NTFS, while mapped drive letters are in the registry, IIRC
fremsley (Author) commented:
> I do not know either (UNIXman too), but I suggest to use cacls.exe

cacls.exe only deals with access control lists of files -- the \??\
directory is part of the virtual namespace controlled directly by the
kernel (it's a bit like the data mapped to the /proc file system
in Unix).

> But keep in mind that permissions are done in NTFS, while mapped
> drive letters are in registry

There are some values stored in the registry which the Win32 subsystem
uses to initialize the object manager's namespace, maybe somewhere is
also a hook to control ACLs for \??\. I assume it might be possible
to restrict rights there using the User Manager where there are options
like 'user may start/stop services' (I hope to find out the right one
in a try and error approach).

If you are interested in more information about these parts of NT,
there is a program called WinObj available for download at:
that can browse through the object manager's name space. Under \??\
you'll find all devices that are used by the Win32 subsystem, e.g. a
symbolic link called C:. You can also directly access those devices
using the following notation in cmd.exe, e.g:

  dir \\.\C:\
  dir \\.\CdRom0\

I'll check how far I can get this way next weekend, and if it
works this I'll accept your comment about su.exe as it will play
a crucial role in securing the system.

Best regards
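
A way to check the state discussed in this thread, as an added example that is not part of any post: it lists which drive letters currently exist as links under \??\ and whether each points at a device object or, as `subst` creates them, at a path on another drive letter. `classify_target` and `subst_base` are names made up for this example, and the non-Windows branch runs on constructed sample targets.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

enum link_kind { LINK_DEVICE, LINK_SUBST, LINK_OTHER };

/* Classify the link target that QueryDosDevice reports for a drive letter. */
enum link_kind classify_target(const char *t)
{
    if (strncmp(t, "\\??\\", 4) == 0)
        return LINK_SUBST;      /* points back into \??\, as subst does */
    if (strncmp(t, "\\Device\\", 8) == 0)
        return LINK_DEVICE;     /* points at a device object */
    return LINK_OTHER;
}

/* For a subst-style target such as \??\S:\public, return the base
   drive letter ('S'); return 0 if the target has another form. */
char subst_base(const char *t)
{
    if (classify_target(t) != LINK_SUBST || !t[4] || t[5] != ':')
        return 0;
    return t[4];
}

int main(void)
{
    static const char *kind[] = { "device", "subst", "other" };
#ifdef _WIN32
    char drive[3] = "A:", target[512];
    for (; drive[0] <= 'Z'; drive[0]++) {
        if (!QueryDosDeviceA(drive, target, sizeof target))
            continue;           /* no link with this name in \??\ */
        char base = subst_base(target);
        printf("%s -> %s [%s] base=%c\n", drive, target,
               kind[classify_target(target)], base ? base : '-');
    }
#else
    /* Constructed targets so the classifier can be tried off Windows. */
    const char *sample[] = { "\\??\\S:\\public", "\\Device\\Harddisk0\\Partition1" };
    for (int i = 0; i < 2; i++)
        printf("%s [%s] base=%c\n", sample[i], kind[classify_target(sample[i])],
               subst_base(sample[i]) ? subst_base(sample[i]) : '-');
#endif
    return 0;
}
```

Run from a normal user's session, the Windows branch shows exactly which letters that session can resolve, which is the thing to verify after changing drive-letter assignments.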
had a short look at the registry, think the hive is in HKLM/System/Devices
Just a hint ...
Question has a verified solution.
