Solved

Disable access to FAT partition

Posted on 2002-05-06
324 Views
Last Modified: 2013-12-14
Hi,

I'd like to disable access to a FAT partition under NT4
for normal users. The system however shall still be able
to allow access to network shares on that partition. Any
suggestions?

BTW.: I know how to disguise the existence of a partition
in the explorer, but that's not what I am looking for.
Question by:fremsley

14 Comments

LVL 51

Expert Comment

by:ahoffmann
the only way I know is TWEAKUI where you can disable drives so that they won't appear in "My Computer".
'cause TWEAKUI simply changes the registry, there must be a setting there.

Hope the following link is still alive:
http://www.microsoft.com/ntworkstation/downloads/PowerToys/Networking/NTTweakUI.asp

LVL 2

Author Comment

by:fremsley
Thank you,

but that's the method I wrote that I am not looking for, because:

  a) the user is still allowed to access the drive if he
     knows the drive letter

  b) this is done in the user's registry tree, so he can
     always change it back

What I am trying to do is getting some degree of access
control (using the net share level restrictions) on a FAT
drive. The machine has NT4 and Linux installed, and
unfortunately FAT partitions are the only file system
that both systems can read and write.

Best regards
LVL 2

Author Comment

by:fremsley
I just found information about using the old NT 3.5 HPFS
driver with NT4. If it really does work the partition could
as well be formatted with an HPFS file system, since Linux
offers read/write access to HPFS, too.
LVL 51

Expert Comment

by:ahoffmann
BTW, I've been using Linux's NTFS driver for read/write for years, without problems (didn't do extensive tests, just simple text files).
And there's also an ext2 explorer for NT (didn't test writing with it 'cause I won't trust NT:)

LVL 10

Expert Comment

by:HDWILKINS
I don't know why this is a problem.

Highlight the Drive in My Computer, left click for properties and then go to Security. Select the users that you want to have access to the entire drive (Administrators, etc.)

Then go to each shared directory, do the same and give whoever you want to have access rights to those shares the same.

Harry

LVL 51

Expert Comment

by:ahoffmann
HDWILKINS, it's FAT not NTFS

LVL 2

Author Comment

by:fremsley
> BTW, I'm using Linux's NTFS driver for read/write since years,
> without problems (didn't do extensive  tests, just simple text files).

I once tried the NTFS driver of the 2.2 kernel and the file system got
corrupted -- that's probably the reason why write support is still
called 'dangerous.'

> And there's also a ext2 explorer for NT (didn't test writing with it
> 'cause I won't trust NT:)

And I don't trust the users of the systems I have to administrate!
That's why I am trying to restrict access to the NT/Linux shared
volume. Linux does not respect access control lists on NTFS file
systems so security is, like with FAT partitions, all or nothing.
For the same reason giving the users access to ext2 file systems
under NT is not a solution.

FAT volumes however can be mounted using the umsdos driver adding
Unix access modes to the file system. Maybe an even better solution
would be using an HPFS file system (I tried the old NT 3.5 driver
this weekend and it seems to work perfectly) because the Linux
HPFS driver uses its extended attributes for Unix access control,
symlinks, etc.

Best regards
LVL 2

Author Comment

by:fremsley
Hi,

yesterday I noticed an interesting feature of NT that might
help getting some sort of access control on FAT/HPFS
volumes.

Drive S: stores directories for all users and one called
'public' which all users should be able to access. I used
the subst command to redirect them to drive letters:

  subst H: S:\fremsley
  subst P: S:\public

After that I opened the Disk Manager (windisk.exe) and
removed the associated drive letter S: from the partition.
Now access to drive S: is not possible, the substituted
drive letters however still work well.

Is there any way to run windisk in batch mode with
system access rights (I don't want the normal users to
run it explicitly) at each login?
LVL 51

Accepted Solution

by:
ahoffmann earned 200 total points
> Is there any way to run windisk in batch mode with system access rights

Install su.exe and the corresponding service from NT's ResKit. And use su like you do on UNIX :-)
LVL 2

Author Comment

by:fremsley
Hello ahoffmann,

That's half the solution already, but -- as I have found
out meanwhile -- there is no way to run windisk.exe without
the graphical interface, which makes it perfectly unusable
for this job :-(

I have found however a tool called NTsubst which will
create drive letters for directory trees whose partitions
do not even have an associated drive letter. Trying to
understand what this little program does, I had to dive
a bit deeper into the details of NT's architecture, and
I believe I have found a way:

- There must be one special account which can log onto the
  machine and has the right to create symbolic links in
  the kernel object manager's namespace under \??\, aka
  \DosDevices\ (this is the one that will be used with the
  su command)

- All normal user accounts must _not_ be able to create
  such symbolic links.

So my question is: do you think the above configuration
is possible (and what's the name of the access right I'll
have to restrict for normal users -- there are quite a
lot and I am not an experienced NT admin, but originated
from Unix land)?

Unfortunately I have no NT4 machine at hand for the
moment, but I would try it on the weekend.

Best regards

LVL 51

Expert Comment

by:ahoffmann
> .. above configuration is possible ..
hmm, if you say it works, I'll believe it ;-)

> .. and what's the name of the access right ..
I do not know either (UNIXman too), but I suggest using cacls.exe, or better xcacls.exe, and checking what changes in the registry.
But keep in mind that permissions are done in NTFS, while mapped drive letters are in the registry, IIRC

LVL 2

Author Comment

by:fremsley
> I do not know either (UNIXman too), but I suggest to use cacls.exe

cacls.exe only deals with access control lists of files -- the \??\
directory is part of the virtual namespace controlled directly by the
kernel (it's a bit like the data mapped to the /proc file system
in Unix).

> But keep in mind that permissions are done in NTFS, while mapped
> drive letters are in registry

There are some values stored in the registry which the Win32 subsystem
uses to initialize the object manager's namespace, maybe somewhere there
is also a hook to control ACLs for \??\. I assume it might be possible
to restrict rights there using the User Manager where there are options
like 'user may start/stop services' (I hope to find out the right one
in a trial and error approach).

If you are interested in more information about these parts of NT,
there is a program called WinObj available for download at:

  http://www.systeminternals.com/

that can browse through the object manager's name space. Under \??\
you'll find all devices that are used by the Win32 subsystem, e.g. a
symbolic link called C:. You can also directly access those devices
using the following notation in cmd.exe, e.g.:

  dir \\.\C:\
or
  dir \\.\CdRom0\

I'll check how far I can get this way next weekend, and if it
works I'll accept your comment about su.exe as it will play
a crucial role in securing the system.

Best regards
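
One way to set up the per-user drive letters from the subst post and the NTsubst post above, plus the read-back check WinObj gives you, as an added example that is not code from the thread, from NTsubst or from su.exe: it uses the Win32 DefineDosDevice call (the one subst.exe itself relies on) with DDD_RAW_TARGET_PATH, so the link targets the partition's NT device name rather than the S: letter that is about to be removed. The device path `\Device\Harddisk0\Partition2` in the comments is a constructed placeholder; read the real one from WinObj, and run this under the special account the post describes.

```c
/* Added example, not code from the thread, NTsubst or su.exe: define a
 * drive letter as an object-manager symbolic link under \??\ that points
 * at the partition's NT device name plus one directory, so the letter
 * survives removal of the partition's own letter; then read it back. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* "H:" style name: one upper-case letter followed by a colon. */
static int valid_drive(const char *drive) {
    return strlen(drive) == 2 && isupper((unsigned char)drive[0]) && drive[1] == ':';
}

/* Build the raw target, e.g. \Device\Harddisk0\Partition2\fremsley; the
 * volume must be an NT device name, not a letter, and subdir one component. */
static int build_raw_target(const char *device, const char *subdir,
                            char *out, size_t outlen) {
    if (strncmp(device, "\\Device\\", 8) != 0 || *subdir == '\0') return -1;
    if (strpbrk(subdir, "\\/") != NULL) return -1;
    int n = snprintf(out, outlen, "%s\\%s", device, subdir);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Define \??\<drive> -> <device>\<subdir>. DDD_RAW_TARGET_PATH keeps the
 * target verbatim rather than translating it through today's drive letters.
 * 0 on success, -1 on bad input or API failure, 1 off Windows (validated only). */
int map_volume_dir(const char *drive, const char *device, const char *subdir) {
    char target[260];
    if (!valid_drive(drive) || build_raw_target(device, subdir, target, sizeof target) != 0)
        return -1;
#ifdef _WIN32
    return DefineDosDeviceA(DDD_RAW_TARGET_PATH, drive, target) ? 0 : -1;
#else
    return 1;
#endif
}

/* Read back what \??\<drive> resolves to (the view WinObj shows). */
int query_drive_target(const char *drive, char *out, size_t outlen) {
    if (!valid_drive(drive)) return -1;
#ifdef _WIN32
    return QueryDosDeviceA(drive, out, (DWORD)outlen) ? 0 : -1;
#else
    return snprintf(out, outlen, "(Windows-only)") > 0 ? 1 : -1;
#endif
}
```

Removing a link again is the same call with DDD_REMOVE_DEFINITION added to the flags.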
 
LVL 51

Expert Comment

by:ahoffmann
had a short look at the registry, think the hive is in HKLM/System/Devices
Just a hint ...