Solved

keeping a folder private on win 7

Posted on 2014-02-19
15
324 Views
Last Modified: 2014-03-11
I posted a question a while ago:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_28350673.html

asking about an app to encrypt / decrypt a folder on a shared win 7 machine.  I think the end result of that was to set up different users and let NTFS deal with keeping that folder private.

As 1 person mentioned in that question, the folder is secure as long as the others are not local or domain admins.  This is a workgroup.

Even if admin A goes into the properties for the files / folders he wants to protect and removes all other users permissions,  all user B has to do is click on the folder, get the message they don't have rights to the folder and click the continue button to get permission!? right?

Does putting deny rights help any?

The problem is that this is a break fix client.  If I make user B a standard user rather than administrator as they are currently, as a way to keep them out of that folder, then they can't apply patches, etc.  The machine is 99.9% of the time signed in as user B.

thanks!
0
Comment
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 3
  • +3
15 Comments
 
LVL 95

Assisted Solution

by:John Hurst
John Hurst earned 100 total points
ID: 39870469
If the folder in User B has permissions only to User B, then User A cannot access the file. Right clicking will do nothing.

If an Admin tries to access, they could take ownership.

I do not let regular users be administrators. Too many things go wrong so that there is no savings. Windows can do updates on shutdown.

If the documents are Office documents, then you can use passwords. In Windows, you can encrypt at the folder level and that works, but an Admin may be able to remove the folder level encryption.

So if you must have user administrators (bad practice if you can avoid it), then password protect the files. Failing that, consider third party encryption applications. I have done the former (and it works) but not the latter.
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39870496
yeah, admin role = bad for regular user.

Makes total sense, but whenever I try that, things just don't work right / problems come up - they can't install apps they want to install, can't update things like acrobat, flash, etc and they get pestered about that. and they pester me : )

docs might be word, excel, and other things, so passwords may or may not work.  I thought the latter - a encryption app would work (that was the gist of the thread I posted to above), but concensus was that NTFS was a better way to go.
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 39870512
Admins can normally override NTFS permissions.

Symantec has encryption software, winmagic.com also has encryption software.  Jetico below looks reasonable.

http://www.jetico.com/products/enterprise-data-protection/bestcrypt-container-encryption?gclid=CP-uiODD2LwCFaxxOgodcRYArA
0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 
LVL 14

Expert Comment

by:comfortjeanius
ID: 39870630
You can use Secret Disk
0
 
LVL 15

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 200 total points
ID: 39870722
NTFS permissions are insufficient if you're not using encryption.  Permissions are enforced by the Local Security Authority Subsystem Service (LSASS), which is easily bypassed.  You'll need to combine NTFS permissions with encryption.  Anyone with physical access to the machine can access the file, without the need to authenticate.  At the very least consider EFS and BitLocker.

My recommendation would be to use TrueCrypt, preferably stored on an IronKey in portable mode, using AES-Twofish-Serpent cascading ciphers.

Best practice would be to use Secure Boot, leveraging Unified Extensible Firmware Interface (UEFI), encrypting the entire drive, using an enhanced BIOS password security chip, and configuring your OS drive as the exclusive boot device.

Various authentication/permission bypass tools.

RawCopy
http://reboot.pro/files/file/318-rawcopy/

ntfscopy
https://tzworks.net/prototype_page.php?proto_id=9

Kon-Boot
http://thelead82.com/products-win.html
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39875022
It seems you did not believe my comments on your last thread. Let me repeat: If I was admin on your machine and wanted to spy on your super-duper secured and encrypted folder, I would install a key logger that intercepts both your logon- and crypto password. And I'm in. This keylogger can be hidden from view, also.
0
 
LVL 15

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 200 total points
ID: 39875110
The vulnerability McKnife identifies correlates to the strength of the authentication method (or lack thereof.)  In reality, anyone with physical access to the machine could install a hardware keylogger-- no malware to detect and no privileges (admin or otherwise) required.

If the data is valuable and truly needs to remain confidential, then the strength of the authentication should be increased to mitigate against well known vulnerabilities (such as keyloggers) and other defense in depth strategies, such as isolation (air gapped machines, etc.), strong physical controls, etc.  

At the end of the day its about balancing risk.

Strength of Authentication Method
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39875127
There's not only keyloggers but also screen recording possible. No way to stop an admin.
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 39875143
Yes, as noted above Admins can override NTFS security.
0
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39875152
@McKnife, how would key and screen logging compromise a token device or biometric reader?  Granted, you could await until legitimate authentication occurs to exfiltrate decrypted data, but that's an entirely different approach than mere logging of screen and keyboard data.  As with asymmetric ciphers, you'd still need to compromise the private key (if possible (e.g. HSM)), which isn't necessarily displayed on the screen nor logged by the keyboard.  I suppose my point is mere compromise of HIDs is insufficient with stronger authentication methods.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39875238
Screen recording would enable me to see all that you see, no matter what protection you use for your data. But let's not dig in too deep, maybe the author should come back, first.
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39875820
yeah guys, thanks! but we aren't guarding nuclear launch codes.  And there's those clichés that if someone can get physical access to your machine, it's not your machine anymore.

This is for a manager at a small restaurant with 1 computer in the office that asst managers and others have access to.

Yeah, if someone wanted to get the info, this situation leaves them vulnerable.  At least for me, it's tough trying to explain the degrees of risk to a non-techie.  I get what  you are saying - I am just trying to find a balance of security and ease of use.  2 extremes I guess.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39876111
No, perfectly with you.
I was just wondering because it seemed you were asking a follow up question.
Having the folder encrypted raises the effort to using a keylogger - if that is difficult enough to stop people, then why not.
0
 
LVL 14

Assisted Solution

by:comfortjeanius
comfortjeanius earned 100 total points
ID: 39877473
You can user Secret Disk
Secret Disk can create additional disk on your PC, which can be invisible and locked with a password within one second. You can make your private files and folders invisible and protected.

You don't need to format your hard disk or make any changes to boot sector. Our program will create new disk automatically very quickly. You can make this disk invisible, including all contents, and protect it with a password. You can store any files and folders on the disk. Secret disk works as usual hard disk and compatible with any other programs which you have installed. You can have more than one secret disk and you can also choose disk letter.

In case of power outage or fatal error of OS Windows your secret disk will be locked and become invisible automatically. It happens automatically because information are stored in the virtual memory. Secret Disk does not encrypt any files, it just limits access to your files (you can use password). Software ties virtual disk to your files. This will provide you enough security to hide your files from any person.

They have a free version and Pro version....
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 100 total points
ID: 39891621
Glad I saw this follow-up to our previous discussion about this issue.

I think your best course of action is to make USER B a STANDARD USER.

You only have ONE user (the manager) on that machine who needs to protect their files, right?  Keep that user as a local admin, and if there are updates which need to be applied, they can be done by the manager without bugging you.  

Problem solved.

Jeff
0

Featured Post

MS Dynamics Made Instantly Simpler

Make Your Microsoft Dynamics Investment Count  & Drastically Decrease Training Time by Providing Intuitive Step-By-Step WalkThru Tutorials.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Resolve DNS query failed errors for Exchange
If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question