Password protected folder on Windows 2008 server share?

Posted on 2013-06-28
Last Modified: 2013-07-02
I'm a network administrator, it's a Windows 2008 file server and Windows XP/7 network with domain. Each user login to domain with their password.
The problem is, how can I secure the folder by password, not by user permission.
We have a few managers, each manager has 2 or 3 assistants (or secretary), these assistants know the manager's Windows login password, so when the manager is not in the office, they can access their computer to get information to assistant our customers.
But each manager has some confidential documents on the share on file server which are not supposed to expose to these assistants. I think if I can put a password on these folders then the manager can access them but assistant.
In Outlook I have done it by assign password to PST files, but in Windows obviously there is no easy way to do it.
(Please do not recommend use different login on the computer, it's too complicated for the end user to understand user profiles.)
Question by:urbuddy
LVL 10

Assisted Solution

honestman31 earned 84 total points
ID: 39285535
There seems to be some confusion here about terminology. Regardless of what Ondrej has posted up to this point, there is no way in Windows (any version) to password protect a shared folder, it simply is not possible without some kind of 3rd party software

LVL 24

Assisted Solution

smckeown777 earned 83 total points
ID: 39285537
There are a few utilities to do this but none that I know of that are free...

Assisted Solution

dec0mpile earned 83 total points
ID: 39285554
Windows has the ability to encrypt folders. However, in your case this is not useful because they know the password and can log in as the user and still view the file.

The only option left in this case is to use third party application that you install on the user's PC to protect the folder.

I recommend:

But you can try to find free software that can do it, like: - I think it only does files
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

LVL 14

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 83 total points
ID: 39285568
@urbuddy: Consider the information security concepts of availability, integrity, confidentiality, and accountability.  Accountability would dictate that each assistant must be given their own unique username.  This way you can audit and track changes made by individual assistants while avoiding exposure of manager credentials and giving assistants plausible deniability.

Once the accountability and confidentiality considerations are taken into account, you may then apply permissions as needed.  Consider creating an assistants group for each manager and using that group object when applying permissions to relevant files.

In short, create a unique user for each assistant, create assistant groups as needed, have the managers change their passwords, and apply proper file permissions.

If this creates the perception of "too much administrative overhead" due to frequent turnover, etc., at the very least consider creating a dedicated "assistant" user object and apply permissions at that level, and then have your managers change their passwords.

No need to add additional layers of security if you incorporate best practices.

Assisted Solution

nate0187 earned 83 total points
ID: 39285597
Use peazip or any other zipper program to encrypt the folder with a password

Author Comment

ID: 39285644
Thank you all for the reply!
The problem is, there are a few proprietary software that installed on the manager's PC, the assistants need to access them. If I create a new user account for the assistant, then this would created new user profiles on the computer, these would involve in reconfiguration of the software, licensing, etc etc.
Logically the first solution to think about is to create user accounts for each assistants, but it just does not work in my case.
The most folder encryption utilities only work on local drive, not a network shared drive. These managers needs to share the "password protected folders". Not just encrypt a file.
I can setup another stand along file server (not part of domain) and store file there with different login password, that is my last resort if I can not get a better solution here.
I'll take a look at the links that provided here.
LVL 78

Accepted Solution

David Johnson, CD, MVP earned 84 total points
ID: 39285872
these assistants know the manager's Windows login password, so when the manager is not in the office, they can access their computer to get information to assistant our customers.

I know why this has been done (for reasons of convenience) and it breaks every tenet of windows security.  It is out and out the wrong way to do things. Since more than 1 person knows the username / password combination then there is no way that you can prove who did what and when. Was it the manager or was it one of the assistants? Which assistant? You will never be able to prove it. Even as an enterprise administrator I don't know your password. I can reset it but that action leaves an identifiable record and the user will know right away that the password has been changed since their password will no longer work.

Truecrypt is a good option for you in the short time just as long as the password is not again shared (for convenience)..  Security is always at odds with convenience.  Going through TSA scanners and removing ones shoes is inconvenient but in order to fly you have to put up with it.

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
Redirected folders in a windows domain can be quite useful for a number of reasons, one of them being that with redirected application data, you can give users more seamless experience when logging into different workstations.  For example, if a use…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now