Solved

limit drive access to certain users

Posted on 2004-04-24
15
1,032 Views
Last Modified: 2010-04-11
I own a small mortgage company.  Because I deal with a lot of sensitive information (mothers maiden name, social security, place of birth, etc.), it would be very easy for someone to steal someone's entire identity with the information on my computer.

My underwriter has two hard drives on her computer.  The C drive (which contains the operating system- XP) and an addition D drive, which is just a 120MB storage drive.  The D: drive contains the sensitive info.

Our computers are all networked in the office.  The D drive on the underwriters computer is not "shared" on the network.

However, if someone logs onto the underwriter's computer itself, they can certainly "see" the D drive, and access the files.

How can I make the D drive invisible to everyone but one certain user.

I have a small company, a dozen employees, so we are just networked together by "sharing" through XP.  We don't have the typical office network.  A child could have set this up.

Thank you in advance!
0
Comment
Question by:mcgeorge40
  • 7
  • 4
  • 2
  • +1
15 Comments
 
LVL 67

Expert Comment

by:sirbounty
Comment Utility
0
 
LVL 67

Expert Comment

by:sirbounty
Comment Utility
0
 
LVL 67

Expert Comment

by:sirbounty
Comment Utility
Basically, right-click the folder, choose properties, advanced
Encrypt contents to secure data...file system must be NTFS.
0
 
LVL 67

Expert Comment

by:sirbounty
Comment Utility
>>The D drive on the underwriters computer is not "shared" on the network.<<
Don't be too sure...  The root of each drive is shared 'administratively' by default.
Read more here: http://support.microsoft.com/?kbid=314984
0
 
LVL 2

Expert Comment

by:5t0rmUK
Comment Utility
An example procedure as follows:

Setup 2 users on the PC that data needs protecting: (User1) and (User2)

Do share the D: drive but only allow full access to User1

Deny access to all other users and that means only User1 will be able to access the data on D:
0
 

Author Comment

by:mcgeorge40
Comment Utility
5t0rmUK--  I know that!  How do I do it?  Specifically...
0
 
LVL 38

Expert Comment

by:Rich Rumble
Comment Utility
While the steps mentioned above will Encrypt the data, you asked how to hide the drive. A 3rd party tool is necessary for this.
I recomend Encrypted Magic Folders: http://www.pc-magic.com/dl.htm#emf
While EFS from M$ is a good product, it is a PAIN to the average user to LockDown correctly. Who knows, one of the people you work for may have asked, or will ask on this forum how to get access, and they'll be told how to get access...
http://experts-exchange.com/Security/Win_Security/Q_20930199.html
http://experts-exchange.com/Security/Win_Security/Q_20945638.html

MagicFolders is much simpler, and it not only accomplishes the goal of hidding, but adds the encryption on top of that.
The only problem with that is it doesn't close the Admin and drive shares hidden using the dollar sign ($)

Add the following to the registry to turn off hidden shares:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters

On Windows 2000/2003 Server add the following key AutoShareServer with the REG_DWORD value of 0.
On Windows 2000/XP Workstation add the following key AutoShareWks with the REG_DWORD value of 0.

Connecting to hidden shares is done by going to the run line and typing \\PC_name\c$ or \\PC_Name\d$  where pc name is the name of the pc your trying to connect to. Magic folders also allows you to hide folders as well as entire drives.

I am testing to see if you can use multiple person's to get into hidden folders from other PC's... if not EFS would be the way to go, if best practices are followed.
-rich
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 38

Accepted Solution

by:
Rich Rumble earned 100 total points
Comment Utility
also to help stormUK, http://www.practicallynetworked.com/sharing/xp_filesharing/index.htm a good 9 step guide to how to use file sharing, it explains NTFS permissions and Share permissions (the two work in concert to lock down folders that are shared). EFS in addition would keep things nice and secure. It turns out that EMF doesn't work as well remotely as I'd hoped, it is good on the PC itself, or if you TerminalService (Xp calls it RemoteDesktop... start>programs,accessories,communications) into the PC. TS/RD works for XP-Pro and server 2000 and 2003. Otherwise VNC is a good remote control program.
EFS best practices...
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
I actually prefer winzip or winrar for ease of use and setup, that is Zip up the files into one archive, or multiples, and assign a password over 10 char's and it'll take 2-5 years to crack it with todays speeds. NTFS and share premissions are your first step, then encryption.
-rich
0
 
LVL 2

Expert Comment

by:5t0rmUK
Comment Utility
mcgeorge40, sorry I thought that you wanted to know the process that you need to secure your data on the local PC / network.

tbh if you have a small business with sensitive data and cannot actually perform the simple steps of creating a share drive and setting up user permissions, my advice would be to obtain the sevices of an I.T. specialist.

There is only so much information that you can be supplied with.  If you do not want to pay the £60 for an engineer to setup a share drive / permissions perhaps you should invest in a book.  I do not think you could be taught how to perform this process in only a paragraph of text.

I am not trying to be insulting or rude towards you, it's just that if the data is as sensitive as you say, do not try to penny pinch on setting up adequate security on your PC's & LAN.

Regards.

Mike.
0
 

Author Comment

by:mcgeorge40
Comment Utility
5t0rmUK -- I don't take it as rude.  You are right... If the data is ultra-sensitive, then I should invest in an IT person.

However, truth be told, I probably don't need any major security measures.  The liklihood that one of my long-time, very well-paid employees would commit a felony (stealing identity) is highly, highly unlikely.

I wasn't looking for major security.  I just want to make it slightly difficult for someone to see the D drive.  Nobody in my office is a thief and nobody in my office is particularly good with computers.

I will try following some of the links that everyone has posted.  However, I am afraid this will all be "greek" to me.  I followed one link and was lost after a couple of sentences.  

I am really surprised that my operating system doesn't have something very simple built in.  Like something in the "users" control panel!  This seems like it would be a very common thing.  Just like something you would find in the control panel.  Maybe I'm the crazy one...
0
 

Author Comment

by:mcgeorge40
Comment Utility
sirbounty-- following your instructions...  When I right click and bring up properties for the drive, there is no "advanced" tab.
0
 
LVL 67

Expert Comment

by:sirbounty
Comment Utility
Well, first thing - if you don't want anyone to get at the D drive remotely - you can disable administrative shares (Which D$ would be) via a registry hack (see below).
OR, if you don't have any need for this system to be 'sharing' on the network at all, simply click Start->Run->Services.msc and scroll down to find the server service.  Stop it and set it to disabled (double-click it) and no one will be able to get to it remotely...

To lock the files from other's access - this should be by default.  The user and the local administrators would have access.  However, to prevent this - let's say you want to protect Susan's My Documents folder.
Log in as Susan
Click Start->Run->%userprofile%
Right-click My Documents and choose properties
Click the Security tab
Now make sure in Group or User names that Susan's name is listed.  Highlight it and make sure that Full Control is enabled.
SYSTEM can also remain in this listing - but remove access for any other account that you don't want to be able to see her My Documents folder.
Click OK

To disable the administrative shares:
Click Start->Run->Regedit
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
In the right-side panel, right-click and click New/Dword Value
Change the highlighted "New Value #1" to read (without quotes) "AutoShareWks"
Press Enter to save the name and then double-click it to assign it a decimal value of 0.  Reboot
0
 
LVL 67

Expert Comment

by:sirbounty
Comment Utility
Are you running XP Home edition?  I don't believe encryption is available except in Pro...
0
 
LVL 67

Expert Comment

by:sirbounty
Comment Utility
mcgeorge40 - what ended up working for you here?
0
 

Author Comment

by:mcgeorge40
Comment Utility
Thanks to everyone.  I think you all gave me too much credit for understanding computers... I just ain't that bright.

However richrumble's answer solved my problem in five minutes (literally) and it is software that a child could use.

That was all I wanted.  To hide the drive.  The utility he recommended did just that, quickly and easily.

Thanks again to everyone.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now