Password protected folder on Windows 2008 server share?

Posted on 2013-06-28
Medium Priority
Last Modified: 2013-07-02
I'm a network administrator, it's a Windows 2008 file server and Windows XP/7 network with domain. Each user login to domain with their password.
The problem is, how can I secure the folder by password, not by user permission.
We have a few managers, each manager has 2 or 3 assistants (or secretary), these assistants know the manager's Windows login password, so when the manager is not in the office, they can access their computer to get information to assistant our customers.
But each manager has some confidential documents on the share on file server which are not supposed to expose to these assistants. I think if I can put a password on these folders then the manager can access them but assistant.
In Outlook I have done it by assign password to PST files, but in Windows obviously there is no easy way to do it.
(Please do not recommend use different login on the computer, it's too complicated for the end user to understand user profiles.)
Question by:urbuddy
LVL 10

Assisted Solution

honestman31 earned 168 total points
ID: 39285535
There seems to be some confusion here about terminology. Regardless of what Ondrej has posted up to this point, there is no way in Windows (any version) to password protect a shared folder, it simply is not possible without some kind of 3rd party software

LVL 24

Assisted Solution

smckeown777 earned 166 total points
ID: 39285537
There are a few utilities to do this but none that I know of that are free...


Assisted Solution

dec0mpile earned 166 total points
ID: 39285554
Windows has the ability to encrypt folders. However, in your case this is not useful because they know the password and can log in as the user and still view the file.

The only option left in this case is to use third party application that you install on the user's PC to protect the folder.

I recommend: http://www.winability.com/folderguard/

But you can try to find free software that can do it, like:
http://www.axantum.com/Start.html - I think it only does files
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

LVL 15

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 166 total points
ID: 39285568
@urbuddy: Consider the information security concepts of availability, integrity, confidentiality, and accountability.  Accountability would dictate that each assistant must be given their own unique username.  This way you can audit and track changes made by individual assistants while avoiding exposure of manager credentials and giving assistants plausible deniability.

Once the accountability and confidentiality considerations are taken into account, you may then apply permissions as needed.  Consider creating an assistants group for each manager and using that group object when applying permissions to relevant files.

In short, create a unique user for each assistant, create assistant groups as needed, have the managers change their passwords, and apply proper file permissions.

If this creates the perception of "too much administrative overhead" due to frequent turnover, etc., at the very least consider creating a dedicated "assistant" user object and apply permissions at that level, and then have your managers change their passwords.

No need to add additional layers of security if you incorporate best practices.

Assisted Solution

nate0187 earned 166 total points
ID: 39285597
Use peazip or any other zipper program to encrypt the folder with a password

Author Comment

ID: 39285644
Thank you all for the reply!
The problem is, there are a few proprietary software that installed on the manager's PC, the assistants need to access them. If I create a new user account for the assistant, then this would created new user profiles on the computer, these would involve in reconfiguration of the software, licensing, etc etc.
Logically the first solution to think about is to create user accounts for each assistants, but it just does not work in my case.
The most folder encryption utilities only work on local drive, not a network shared drive. These managers needs to share the "password protected folders". Not just encrypt a file.
I can setup another stand along file server (not part of domain) and store file there with different login password, that is my last resort if I can not get a better solution here.
I'll take a look at the links that provided here.
LVL 85

Accepted Solution

David Johnson, CD, MVP earned 168 total points
ID: 39285872
these assistants know the manager's Windows login password, so when the manager is not in the office, they can access their computer to get information to assistant our customers.

I know why this has been done (for reasons of convenience) and it breaks every tenet of windows security.  It is out and out the wrong way to do things. Since more than 1 person knows the username / password combination then there is no way that you can prove who did what and when. Was it the manager or was it one of the assistants? Which assistant? You will never be able to prove it. Even as an enterprise administrator I don't know your password. I can reset it but that action leaves an identifiable record and the user will know right away that the password has been changed since their password will no longer work.

Truecrypt is a good option for you in the short time just as long as the password is not again shared (for convenience)..  Security is always at odds with convenience.  Going through TSA scanners and removing ones shoes is inconvenient but in order to fly you have to put up with it.

Featured Post

[Webinar] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Understanding the various editions available is vital when you decide to purchase Windows Server 2012. You need to have a basic understanding of the features and limitations in each edition in order to make a well-informed decision that best suits …
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question