mcgeorge40

limit drive access to certain users

I own a small mortgage company.  Because I deal with a lot of sensitive information (mother's maiden name, social security, place of birth, etc.), it would be very easy for someone to steal someone's entire identity with the information on my computer.

My underwriter has two hard drives on her computer.  The C drive (which contains the operating system, XP) and an additional D drive, which is just a 120MB storage drive.  The D: drive contains the sensitive info.

Our computers are all networked in the office.  The D drive on the underwriter's computer is not "shared" on the network.

However, if someone logs onto the underwriter's computer itself, they can certainly "see" the D drive, and access the files.

How can I make the D drive invisible to everyone but one certain user?

I have a small company, a dozen employees, so we are just networked together by "sharing" through XP.  We don't have the typical office network.  A child could have set this up.

Thank you in advance!
sirbounty
Basically, right-click the folder, choose properties, advanced
Encrypt contents to secure data...file system must be NTFS.
>>The D drive on the underwriters computer is not "shared" on the network.<<
Don't be too sure...  The root of each drive is shared 'administratively' by default.
Read more here: http://support.microsoft.com/?kbid=314984
5t0rmUK

An example procedure as follows:

Set up 2 users on the PC whose data needs protecting: (User1) and (User2)

Do share the D: drive but only allow full access to User1

Deny access to all other users and that means only User1 will be able to access the data on D:
mcgeorge40

ASKER

5t0rmUK--  I know that!  How do I do it?  Specifically...
While the steps mentioned above will Encrypt the data, you asked how to hide the drive. A 3rd party tool is necessary for this.
I recommend Encrypted Magic Folders: http://www.pc-magic.com/dl.htm#emf
While EFS from M$ is a good product, it is a PAIN to the average user to LockDown correctly. Who knows, one of the people you work for may have asked, or will ask on this forum how to get access, and they'll be told how to get access...
https://www.experts-exchange.com/questions/20930199/Encrypted-files-under-a-domain-that-no-longer-exists.html
https://www.experts-exchange.com/questions/20945638/Windows-Encryption.html

MagicFolders is much simpler, and it not only accomplishes the goal of hiding, but adds the encryption on top of that.
The only problem with that is it doesn't close the Admin and drive shares hidden using the dollar sign ($)

Add the following to the registry to turn off hidden shares:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters

On Windows 2000/2003 Server add the following key AutoShareServer with the REG_DWORD value of 0.
On Windows 2000/XP Workstation add the following key AutoShareWks with the REG_DWORD value of 0.

Connecting to hidden shares is done by going to the run line and typing \\PC_name\c$ or \\PC_Name\d$  where pc name is the name of the pc you're trying to connect to. Magic folders also allows you to hide folders as well as entire drives.

I am testing to see if you can use multiple persons to get into hidden folders from other PCs... if not EFS would be the way to go, if best practices are followed.
-rich
ASKER CERTIFIED SOLUTION
Rich Rumble
mcgeorge40, sorry I thought that you wanted to know the process that you need to secure your data on the local PC / network.

tbh if you have a small business with sensitive data and cannot actually perform the simple steps of creating a share drive and setting up user permissions, my advice would be to obtain the services of an I.T. specialist.

There is only so much information that you can be supplied with.  If you do not want to pay the £60 for an engineer to set up a share drive / permissions perhaps you should invest in a book.  I do not think you could be taught how to perform this process in only a paragraph of text.

I am not trying to be insulting or rude towards you, it's just that if the data is as sensitive as you say, do not try to penny pinch on setting up adequate security on your PCs & LAN.

Regards.

Mike.
5t0rmUK -- I don't take it as rude.  You are right... If the data is ultra-sensitive, then I should invest in an IT person.

However, truth be told, I probably don't need any major security measures.  The likelihood that one of my long-time, very well-paid employees would commit a felony (stealing identity) is highly, highly unlikely.

I wasn't looking for major security.  I just want to make it slightly difficult for someone to see the D drive.  Nobody in my office is a thief and nobody in my office is particularly good with computers.

I will try following some of the links that everyone has posted.  However, I am afraid this will all be "Greek" to me.  I followed one link and was lost after a couple of sentences.

I am really surprised that my operating system doesn't have something very simple built in.  Like something in the "users" control panel!  This seems like it would be a very common thing.  Just like something you would find in the control panel.  Maybe I'm the crazy one...
sirbounty-- following your instructions...  When I right click and bring up properties for the drive, there is no "advanced" tab.
Well, first thing - if you don't want anyone to get at the D drive remotely - you can disable administrative shares (Which D$ would be) via a registry hack (see below).
OR, if you don't have any need for this system to be 'sharing' on the network at all, simply click Start->Run->Services.msc and scroll down to find the server service.  Stop it and set it to disabled (double-click it) and no one will be able to get to it remotely...

To lock the files from others' access - this should be by default.  The user and the local administrators would have access.  However, to prevent this - let's say you want to protect Susan's My Documents folder.
Log in as Susan
Click Start->Run->%userprofile%
Right-click My Documents and choose properties
Click the Security tab
Now make sure in Group or User names that Susan's name is listed.  Highlight it and make sure that Full Control is enabled.
SYSTEM can also remain in this listing - but remove access for any other account that you don't want to be able to see her My Documents folder.
Click OK

To disable the administrative shares:
Click Start->Run->Regedit
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
In the right-side panel, right-click and click New/Dword Value
Change the highlighted "New Value #1" to read (without quotes) "AutoShareWks"
Press Enter to save the name and then double-click it to assign it a decimal value of 0.  Reboot
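
The following is an added example, not part of the original thread or any poster's code: a read-only PowerShell audit that checks the settings described in the steps above (the AutoShareWks value, remaining hidden `$` shares, the Server service, and the NTFS permissions on the drive). It assumes Windows PowerShell 2.0 or later is installed and the drive is NTFS; the account name `UNDERWRITER-PC\Susan` is hypothetical.

```powershell
# Read-only audit of the settings discussed in this thread (added example).
# Assumptions: Windows PowerShell 2.0+ is installed, the protected drive is D:\,
# and 'UNDERWRITER-PC\Susan' is a hypothetical account name.
param(
    [string]$Drive = 'D:\',
    [string[]]$Allowed = @('UNDERWRITER-PC\Susan', 'NT AUTHORITY\SYSTEM')
)
$findings = @()

# 1. AutoShareWks = 0 keeps administrative shares such as D$ from being
#    recreated at boot. A missing value counts as "not set".
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AutoShareWks
if ($val -ne 0) { $findings += "AutoShareWks is not set to 0 (current value: '$val')" }

# 2. Shares ending in $ are hidden from browsing but still reachable by name.
foreach ($s in (Get-WmiObject -Class Win32_Share)) {
    if ($s.Name -like '*$' -and $s.Name -ne 'IPC$') {
        $findings += "Hidden share present: $($s.Name) -> $($s.Path)"
    }
}

# 3. If this PC does not need to share anything, the Server service can be disabled.
$svc = Get-Service -Name LanmanServer
if ($svc.Status -eq 'Running') {
    $findings += 'Server service is running (needed only if this PC shares files or printers)'
}

# 4. NTFS ACL on the drive root: report Allow entries for accounts not on the list.
foreach ($ace in (Get-Acl -Path $Drive).Access) {
    $who = $ace.IdentityReference.Value
    if ($ace.AccessControlType -eq 'Allow' -and $Allowed -notcontains $who) {
        $findings += "$who is allowed '$($ace.FileSystemRights)' on $Drive"
    }
}

if ($findings.Count) { $findings } else { 'No findings.' }
```

Run it from an administrator account after the reboot; each line of output is a setting that still leaves the drive reachable by someone other than the intended user.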
Are you running XP Home edition?  I don't believe encryption is available except in Pro...
mcgeorge40 - what ended up working for you here?
Thanks to everyone.  I think you all gave me too much credit for understanding computers... I just ain't that bright.

However richrumble's answer solved my problem in five minutes (literally) and it is software that a child could use.

That was all I wanted.  To hide the drive.  The utility he recommended did just that, quickly and easily.

Thanks again to everyone.