mike2401
asked on
NTFS or ExFat: Security vs. simplicity? What would you do?
I'm about to format a WD Duo 4TB for use by two different windows laptops at home (mine and my spouse's) (1 partition, my_data & spouse_data folders)
The two laptops will NOT be part of the same workgroup and there's no domain at home because I don't want my spouse (bad user) to inadvertently get infected and compromise my laptop or our shared WD backup HD.
My plan is that the drive will only be connected to each laptop when its internal SSD fills up and projects need to be off-loaded to the WD box.
I suppose one advantage of NTFS is that I could restrict access to my folder using NTFS permissions.
A concern I have (perhaps unfounded) is that I have been able to "take ownership" of an external drive.
If I could do it, could malware?
If my windows config ever got messed up, would I lose my security identifier? (I guess that's not a big deal, I could just take ownership, delete the old identifier and apply the new permissions to all sub folders). There won't be any fancy security, just permission for each user to the appropriate data folder).
If I just go with ExFat, will I make my life simpler at the expense of security?
Any tips or thoughts before I format the drive and copy over the data?
Thanks,
Mike
PS: As I finished typing this question, I think I just talked myself into NTFS but wanted your input.
The two laptops will NOT be part of the same workgroup and there's no domain at home because I don't want my spouse (bad user) to inadvertently get infected and compromise my laptop or our shared WD backup HD.
My plan is that the drive will only be connected to each laptop when its internal SSD fills up and projects need to be off-loaded to the WD box.
I suppose one advantage of NTFS is that I could restrict access to my folder using NTFS permissions.
A concern I have (perhaps unfounded) is that I have been able to "take ownership" of an external drive.
If I could do it, could malware?
If my windows config ever got messed up, would I lose my security identifier? (I guess that's not a big deal, I could just take ownership, delete the old identifier and apply the new permissions to all sub folders). There won't be any fancy security, just permission for each user to the appropriate data folder).
If I just go with ExFat, will I make my life simpler at the expense of security?
Any tips or thoughts before I format the drive and copy over the data?
Thanks,
Mike
PS: As I finished typing this question, I think I just talked myself into NTFS but wanted your input.
The other option to limit/minimize is have your spouse use two logins one is a limited/standard user which will not be able to take ownership of anything where administrative rights are needed.
The second will be an administrative account. To avoid the spouse being warned down by repeated prompts , in UAC disable the notifications period. This way only when there is an intent to install anything, the administrative credentials with a password will need to be used.
Administrative user can take ownership of any device attached to the system.
Make sure you do not setup the WD DUO in a RAID 0 setup as it will result in all data loss should one of the drives fail.
WD as does Seagate have their own NAS/Cloud type devices where the External HD attached to your network can be accessed from anywhere with appropriate credentials.
https://www.seagate.com/consumer/backup/personal-cloud/
https://www.wdc.com/products/personal-cloud-storage.html
The second will be an administrative account. To avoid the spouse being warned down by repeated prompts , in UAC disable the notifications period. This way only when there is an intent to install anything, the administrative credentials with a password will need to be used.
Administrative user can take ownership of any device attached to the system.
Make sure you do not setup the WD DUO in a RAID 0 setup as it will result in all data loss should one of the drives fail.
WD as does Seagate have their own NAS/Cloud type devices where the External HD attached to your network can be accessed from anywhere with appropriate credentials.
https://www.seagate.com/consumer/backup/personal-cloud/
https://www.wdc.com/products/personal-cloud-storage.html
ExFAT would just be easier to take ownership, than NTFS. However, any admin user on any computer will be able to take ownership and change permissions. It doesn't matter with permissions. NTFS stores files more efficiently than ExFAT, so that's the reason I would use NTFS, especially if you don't need to share with OS X or Linux frequently.
Disks are cheap. Get 2. Encrypt the disk. Keep one offline and only connect it to backup your data.
I get a new disk every 2-4 years (depending on the warranty) and rotate out one of the older disks but keep it around. The next time I get a new disk, (my 4th) I rotate out the oldest one and destroy it physically, or destroy the data with DoD wipes and donate it, if it's still new enough. I keep the 3rd disk as a safety archive. This is the only way to make sure you don't lose data. You have to migrate the data to new media every few years. Disk drives do wear out, so you must replace them.
Disks are cheap. Get 2. Encrypt the disk. Keep one offline and only connect it to backup your data.
I get a new disk every 2-4 years (depending on the warranty) and rotate out one of the older disks but keep it around. The next time I get a new disk, (my 4th) I rotate out the oldest one and destroy it physically, or destroy the data with DoD wipes and donate it, if it's still new enough. I keep the 3rd disk as a safety archive. This is the only way to make sure you don't lose data. You have to migrate the data to new media every few years. Disk drives do wear out, so you must replace them.
You can set up a Linux based NAS with access permissions and passwords So only certain users can see certain shares. I use a Buffalo NAS and its pretty easy to do. You don't need to worry about and cross access that way and obviously, with Linux, you don't need NTFS or FAT. The Buffalo 20 series is not expensive and can house 2 drives. I don't like or use RAID options. Better to connect a USB Drive every once in a while for 3rd level off-line backup of your NAS data..
Check the manuals at : https://www.buffalotech.com/products/linkstation-200-series
FreeNAS is another great product. You can load it on nearly any hardware and it USES the highly resilient ZFS file system (invented by Sun microsystems)
See: http://www.freenas.org/
Here is a list of a few Linux NAS systems: https://www.maketecheasier.com/nas-solutions-linux/
Check the manuals at : https://www.buffalotech.com/products/linkstation-200-series
FreeNAS is another great product. You can load it on nearly any hardware and it USES the highly resilient ZFS file system (invented by Sun microsystems)
See: http://www.freenas.org/
Here is a list of a few Linux NAS systems: https://www.maketecheasier.com/nas-solutions-linux/
ASKER
This thread has convinced me NOT TO SHARE DRIVES!
My data is only like 600 gigs and I have plenty of spare drives.
I'll always backup my laptop to a separate drive and not use that DUO.
BTW, all great points about not surfing as admin !!
My data is only like 600 gigs and I have plenty of spare drives.
I'll always backup my laptop to a separate drive and not use that DUO.
BTW, all great points about not surfing as admin !!
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
Also be careful of software that may inadvertently synchronize data from your machine to the cloud especially if you leave it online (for office 365 etc) to Internet on a long basis snd has backup software that comes with free online store that has default schedule sync and backup time. Oversight of software and plugin on browser is important to avoid unnecessary "leaks" unless it is intended so for it to run.
you could use multiple drives easily with a drive dock like this : https://www.startech.com/be/nl/HDD/Docking/dubbel-sata-hdd-dock~SDOCK2U33
this even permits you to use a drive for documents, another for pictures, music etc...
this even permits you to use a drive for documents, another for pictures, music etc...
ASKER
Thanks everyone!
All great comments !!
-Mike
All great comments !!
-Mike
ASKER
Thanks!
Also everyone should run as a 'standard' users and not as an ADMIN only use Admin Credentials for items that require Admin Cred's i.e. installing software.