Solved

keeping a folder private on win 7

Posted on 2014-02-19
15
315 Views
Last Modified: 2014-03-11
I posted a question a while ago:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_28350673.html

asking about an app to encrypt / decrypt a folder on a shared win 7 machine.  I think the end result of that was to set up different users and let NTFS deal with keeping that folder private.

As 1 person mentioned in that question, the folder is secure as long as the others are not local or domain admins.  This is a workgroup.

Even if admin A goes into the properties for the files / folders he wants to protect and removes all other users permissions,  all user B has to do is click on the folder, get the message they don't have rights to the folder and click the continue button to get permission!? right?

Does putting deny rights help any?

The problem is that this is a break fix client.  If I make user B a standard user rather than administrator as they are currently, as a way to keep them out of that folder, then they can't apply patches, etc.  The machine is 99.9% of the time signed in as user B.

thanks!
0
Comment
  • 4
  • 3
  • 3
  • +3
15 Comments
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 100 total points
ID: 39870469
If the folder in User B has permissions only to User B, then User A cannot access the file. Right clicking will do nothing.

If an Admin tries to access, they could take ownership.

I do not let regular users be administrators. Too many things go wrong so that there is no savings. Windows can do updates on shutdown.

If the documents are Office documents, then you can use passwords. In Windows, you can encrypt at the folder level and that works, but an Admin may be able to remove the folder level encryption.

So if you must have user administrators (bad practice if you can avoid it), then password protect the files. Failing that, consider third party encryption applications. I have done the former (and it works) but not the latter.
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39870496
yeah, admin role = bad for regular user.

Makes total sense, but whenever I try that, things just don't work right / problems come up - they can't install apps they want to install, can't update things like acrobat, flash, etc and they get pestered about that. and they pester me : )

docs might be word, excel, and other things, so passwords may or may not work.  I thought the latter - a encryption app would work (that was the gist of the thread I posted to above), but concensus was that NTFS was a better way to go.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39870512
Admins can normally override NTFS permissions.

Symantec has encryption software, winmagic.com also has encryption software.  Jetico below looks reasonable.

http://www.jetico.com/products/enterprise-data-protection/bestcrypt-container-encryption?gclid=CP-uiODD2LwCFaxxOgodcRYArA
0
 
LVL 14

Expert Comment

by:comfortjeanius
ID: 39870630
You can use Secret Disk
0
 
LVL 14

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 200 total points
ID: 39870722
NTFS permissions are insufficient if you're not using encryption.  Permissions are enforced by the Local Security Authority Subsystem Service (LSASS), which is easily bypassed.  You'll need to combine NTFS permissions with encryption.  Anyone with physical access to the machine can access the file, without the need to authenticate.  At the very least consider EFS and BitLocker.

My recommendation would be to use TrueCrypt, preferably stored on an IronKey in portable mode, using AES-Twofish-Serpent cascading ciphers.

Best practice would be to use Secure Boot, leveraging Unified Extensible Firmware Interface (UEFI), encrypting the entire drive, using an enhanced BIOS password security chip, and configuring your OS drive as the exclusive boot device.

Various authentication/permission bypass tools.

RawCopy
http://reboot.pro/files/file/318-rawcopy/

ntfscopy
https://tzworks.net/prototype_page.php?proto_id=9

Kon-Boot
http://thelead82.com/products-win.html
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39875022
It seems you did not believe my comments on your last thread. Let me repeat: If I was admin on your machine and wanted to spy on your super-duper secured and encrypted folder, I would install a key logger that intercepts both your logon- and crypto password. And I'm in. This keylogger can be hidden from view, also.
0
 
LVL 14

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 200 total points
ID: 39875110
The vulnerability McKnife identifies correlates to the strength of the authentication method (or lack thereof.)  In reality, anyone with physical access to the machine could install a hardware keylogger-- no malware to detect and no privileges (admin or otherwise) required.

If the data is valuable and truly needs to remain confidential, then the strength of the authentication should be increased to mitigate against well known vulnerabilities (such as keyloggers) and other defense in depth strategies, such as isolation (air gapped machines, etc.), strong physical controls, etc.  

At the end of the day its about balancing risk.

Strength of Authentication Method
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 53

Expert Comment

by:McKnife
ID: 39875127
There's not only keyloggers but also screen recording possible. No way to stop an admin.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39875143
Yes, as noted above Admins can override NTFS security.
0
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39875152
@McKnife, how would key and screen logging compromise a token device or biometric reader?  Granted, you could await until legitimate authentication occurs to exfiltrate decrypted data, but that's an entirely different approach than mere logging of screen and keyboard data.  As with asymmetric ciphers, you'd still need to compromise the private key (if possible (e.g. HSM)), which isn't necessarily displayed on the screen nor logged by the keyboard.  I suppose my point is mere compromise of HIDs is insufficient with stronger authentication methods.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39875238
Screen recording would enable me to see all that you see, no matter what protection you use for your data. But let's not dig in too deep, maybe the author should come back, first.
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39875820
yeah guys, thanks! but we aren't guarding nuclear launch codes.  And there's those clichés that if someone can get physical access to your machine, it's not your machine anymore.

This is for a manager at a small restaurant with 1 computer in the office that asst managers and others have access to.

Yeah, if someone wanted to get the info, this situation leaves them vulnerable.  At least for me, it's tough trying to explain the degrees of risk to a non-techie.  I get what  you are saying - I am just trying to find a balance of security and ease of use.  2 extremes I guess.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39876111
No, perfectly with you.
I was just wondering because it seemed you were asking a follow up question.
Having the folder encrypted raises the effort to using a keylogger - if that is difficult enough to stop people, then why not.
0
 
LVL 14

Assisted Solution

by:comfortjeanius
comfortjeanius earned 100 total points
ID: 39877473
You can user Secret Disk
Secret Disk can create additional disk on your PC, which can be invisible and locked with a password within one second. You can make your private files and folders invisible and protected.

You don't need to format your hard disk or make any changes to boot sector. Our program will create new disk automatically very quickly. You can make this disk invisible, including all contents, and protect it with a password. You can store any files and folders on the disk. Secret disk works as usual hard disk and compatible with any other programs which you have installed. You can have more than one secret disk and you can also choose disk letter.

In case of power outage or fatal error of OS Windows your secret disk will be locked and become invisible automatically. It happens automatically because information are stored in the virtual memory. Secret Disk does not encrypt any files, it just limits access to your files (you can use password). Software ties virtual disk to your files. This will provide you enough security to hide your files from any person.

They have a free version and Pro version....
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 100 total points
ID: 39891621
Glad I saw this follow-up to our previous discussion about this issue.

I think your best course of action is to make USER B a STANDARD USER.

You only have ONE user (the manager) on that machine who needs to protect their files, right?  Keep that user as a local admin, and if there are updates which need to be applied, they can be done by the manager without bugging you.  

Problem solved.

Jeff
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

If you are a user of the discontinued Microsoft Office Accounting 2008 (MSOA) and have to move to a new computer running Windows 8, you will be unhappy to discover that it won't install.  In particular, Microsoft SQL Server 2005 Express Edition (SSE…
When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup". After a while, you have entered a loop for Auto repair which does not fix anything and you will be in a  panic as all your work w…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
This Micro Tutorial will give you a basic overview of Windows Live Photo Gallery and show you various editing filters and touches to photos you can apply. This will be demonstrated using Windows Live Photo Gallery on Windows 7 operating system.

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now