Solved

limit drive access to certain users

Posted on 2004-04-24
15
1,035 Views
Last Modified: 2010-04-11
I own a small mortgage company.  Because I deal with a lot of sensitive information (mothers maiden name, social security, place of birth, etc.), it would be very easy for someone to steal someone's entire identity with the information on my computer.

My underwriter has two hard drives on her computer.  The C drive (which contains the operating system- XP) and an addition D drive, which is just a 120MB storage drive.  The D: drive contains the sensitive info.

Our computers are all networked in the office.  The D drive on the underwriters computer is not "shared" on the network.

However, if someone logs onto the underwriter's computer itself, they can certainly "see" the D drive, and access the files.

How can I make the D drive invisible to everyone but one certain user.

I have a small company, a dozen employees, so we are just networked together by "sharing" through XP.  We don't have the typical office network.  A child could have set this up.

Thank you in advance!
0
Comment
Question by:mcgeorge40
  • 7
  • 4
  • 2
  • +1
15 Comments
 
LVL 67

Expert Comment

by:sirbounty
ID: 10908969
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10908977
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10908981
Basically, right-click the folder, choose properties, advanced
Encrypt contents to secure data...file system must be NTFS.
0
Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 67

Expert Comment

by:sirbounty
ID: 10908996
>>The D drive on the underwriters computer is not "shared" on the network.<<
Don't be too sure...  The root of each drive is shared 'administratively' by default.
Read more here: http://support.microsoft.com/?kbid=314984
0
 
LVL 2

Expert Comment

by:5t0rmUK
ID: 10909082
An example procedure as follows:

Setup 2 users on the PC that data needs protecting: (User1) and (User2)

Do share the D: drive but only allow full access to User1

Deny access to all other users and that means only User1 will be able to access the data on D:
0
 

Author Comment

by:mcgeorge40
ID: 10909091
5t0rmUK--  I know that!  How do I do it?  Specifically...
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10909514
While the steps mentioned above will Encrypt the data, you asked how to hide the drive. A 3rd party tool is necessary for this.
I recomend Encrypted Magic Folders: http://www.pc-magic.com/dl.htm#emf
While EFS from M$ is a good product, it is a PAIN to the average user to LockDown correctly. Who knows, one of the people you work for may have asked, or will ask on this forum how to get access, and they'll be told how to get access...
http://experts-exchange.com/Security/Win_Security/Q_20930199.html
http://experts-exchange.com/Security/Win_Security/Q_20945638.html

MagicFolders is much simpler, and it not only accomplishes the goal of hidding, but adds the encryption on top of that.
The only problem with that is it doesn't close the Admin and drive shares hidden using the dollar sign ($)

Add the following to the registry to turn off hidden shares:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters

On Windows 2000/2003 Server add the following key AutoShareServer with the REG_DWORD value of 0.
On Windows 2000/XP Workstation add the following key AutoShareWks with the REG_DWORD value of 0.

Connecting to hidden shares is done by going to the run line and typing \\PC_name\c$ or \\PC_Name\d$  where pc name is the name of the pc your trying to connect to. Magic folders also allows you to hide folders as well as entire drives.

I am testing to see if you can use multiple person's to get into hidden folders from other PC's... if not EFS would be the way to go, if best practices are followed.
-rich
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 100 total points
ID: 10909563
also to help stormUK, http://www.practicallynetworked.com/sharing/xp_filesharing/index.htm a good 9 step guide to how to use file sharing, it explains NTFS permissions and Share permissions (the two work in concert to lock down folders that are shared). EFS in addition would keep things nice and secure. It turns out that EMF doesn't work as well remotely as I'd hoped, it is good on the PC itself, or if you TerminalService (Xp calls it RemoteDesktop... start>programs,accessories,communications) into the PC. TS/RD works for XP-Pro and server 2000 and 2003. Otherwise VNC is a good remote control program.
EFS best practices...
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
I actually prefer winzip or winrar for ease of use and setup, that is Zip up the files into one archive, or multiples, and assign a password over 10 char's and it'll take 2-5 years to crack it with todays speeds. NTFS and share premissions are your first step, then encryption.
-rich
0
 
LVL 2

Expert Comment

by:5t0rmUK
ID: 10909720
mcgeorge40, sorry I thought that you wanted to know the process that you need to secure your data on the local PC / network.

tbh if you have a small business with sensitive data and cannot actually perform the simple steps of creating a share drive and setting up user permissions, my advice would be to obtain the sevices of an I.T. specialist.

There is only so much information that you can be supplied with.  If you do not want to pay the £60 for an engineer to setup a share drive / permissions perhaps you should invest in a book.  I do not think you could be taught how to perform this process in only a paragraph of text.

I am not trying to be insulting or rude towards you, it's just that if the data is as sensitive as you say, do not try to penny pinch on setting up adequate security on your PC's & LAN.

Regards.

Mike.
0
 

Author Comment

by:mcgeorge40
ID: 10914448
5t0rmUK -- I don't take it as rude.  You are right... If the data is ultra-sensitive, then I should invest in an IT person.

However, truth be told, I probably don't need any major security measures.  The liklihood that one of my long-time, very well-paid employees would commit a felony (stealing identity) is highly, highly unlikely.

I wasn't looking for major security.  I just want to make it slightly difficult for someone to see the D drive.  Nobody in my office is a thief and nobody in my office is particularly good with computers.

I will try following some of the links that everyone has posted.  However, I am afraid this will all be "greek" to me.  I followed one link and was lost after a couple of sentences.  

I am really surprised that my operating system doesn't have something very simple built in.  Like something in the "users" control panel!  This seems like it would be a very common thing.  Just like something you would find in the control panel.  Maybe I'm the crazy one...
0
 

Author Comment

by:mcgeorge40
ID: 10914487
sirbounty-- following your instructions...  When I right click and bring up properties for the drive, there is no "advanced" tab.
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10914679
Well, first thing - if you don't want anyone to get at the D drive remotely - you can disable administrative shares (Which D$ would be) via a registry hack (see below).
OR, if you don't have any need for this system to be 'sharing' on the network at all, simply click Start->Run->Services.msc and scroll down to find the server service.  Stop it and set it to disabled (double-click it) and no one will be able to get to it remotely...

To lock the files from other's access - this should be by default.  The user and the local administrators would have access.  However, to prevent this - let's say you want to protect Susan's My Documents folder.
Log in as Susan
Click Start->Run->%userprofile%
Right-click My Documents and choose properties
Click the Security tab
Now make sure in Group or User names that Susan's name is listed.  Highlight it and make sure that Full Control is enabled.
SYSTEM can also remain in this listing - but remove access for any other account that you don't want to be able to see her My Documents folder.
Click OK

To disable the administrative shares:
Click Start->Run->Regedit
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
In the right-side panel, right-click and click New/Dword Value
Change the highlighted "New Value #1" to read (without quotes) "AutoShareWks"
Press Enter to save the name and then double-click it to assign it a decimal value of 0.  Reboot
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10914703
Are you running XP Home edition?  I don't believe encryption is available except in Pro...
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10921595
mcgeorge40 - what ended up working for you here?
0
 

Author Comment

by:mcgeorge40
ID: 10921603
Thanks to everyone.  I think you all gave me too much credit for understanding computers... I just ain't that bright.

However richrumble's answer solved my problem in five minutes (literally) and it is software that a child could use.

That was all I wanted.  To hide the drive.  The utility he recommended did just that, quickly and easily.

Thanks again to everyone.
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The next five years are sure to bring developments that are just astonishing, and we will continue to try to find the balance between connectivity and security. Here are five major technological developments from the last five years and some predict…
OnPage: Incident management and secure messaging on your smartphone
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

791 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question