Security Basics mailing list archives
RE: setting access restrictions on external drive
From: "Simon and Sara Zuckerbraun" <szucker () rcn com>
Date: Mon, 29 Dec 2003 21:06:35 -0600
The link you refer to: http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com: 80/support/kb/articles/q307/2/86.asp&NoWebContent=1) is speaking about the "Make this folder private" checkbox. As far as I'm aware, the "Make this folder private" checkbox has no effect upon whether or not files are stored in encrypted format. The "Make this folder private" checkbox only affects the permissions (DACL) applied to the folder and its contents. When checked, admins are excluded from the DACL so they can't access your files. (I'm not sure I understand exactly why this is useful. After all, a local admin could always just take ownership of the files and modify their DACLs in whatever way he likes. Only thing I can say is, if an admin did this, it would leave an audit trail. Does anyone know if excluding admins from the DACL has any usefulness besides the audit trail?) Check out KB article 304040 for more details: http://support.microsoft.com/default.aspx?scid=kb;en-us;304040 The whole "Simple File Sharing" UI in XP is just a simplified way to perform a few common tasks with DACLs. The "My Documents" restriction is only a restriction on the "Simple File Sharing" interface. If you turn off simple file sharing and use the full-strength Sharing and Security tab, the My Documents folder will no longer be the only place you can manually apply permissions. But once again, all this has nothing to do with encryption. Simon szucker () rcn com -----Original Message----- From: J. Yoon [mailto:supercool9000 () hotmail com] Sent: Friday, December 26, 2003 11:33 AM To: jamesworld () intelligencia com Cc: security-basics () securityfocus com Subject: Re: setting access restrictions on external drive I have Microsoft Windows XP Home Edition and this is what the article says.. http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com: 80/support/kb/articles/q307/2/86.asp&NoWebContent=1
From: jamesworld () intelligencia com To: "J. Yoon" <supercool9000 () hotmail com> CC: jamesworld () intelligencia com, security-basics () securityfocus com Subject: Re: setting access restrictions on external drive Date: Tue, 23 Dec 2003 08:41:46 -0600 J, That is absolutely not true. If you can, please post the URL to the MS page. If that was so.... I don't even want to go down that thread. Try creating a folder on C: call it anything. create a folder or 2 under it.
Try setting security permission on it. They will work, out side of the Documents & Settings folder. I just did this on a removable drive and it worked. I logged in as a non administrator (basic user) and my security tab was grayed out. At 21:08 12/22/2003, J. Yoon wrote:Hi, thanks for your advice but unfortunately if it was that simple I would not
have posted here... The drive is already formated NTFS (not fat32) and I've tried setting the security tab to restrict others from access but it's completely grayed out. When I searched the Microsoft website about this problem, it says that only folders and files in Documents/Settings dir can have access restrictions... Still I'm wondering if there's a way...From: jamesworld () intelligencia com To: "J. Yoon" <supercool9000 () hotmail com> CC: security-basics () securityfocus com Subject: Re: setting access restrictions on external drive Date: Mon, 22 Dec 2003 20:07:01 -0600 Tue, 23 Dec 2003 02:07:50 +0000 In-Reply-To: <LAW12-F28hA4iJ3hYpa0005c518 () hotmail com> Return-Path: jamesworld () intelligencia com X-OriginalArrivalTime: 23 Dec 2003 02:07:52.0187 (UTC) FILETIME=[923514B0:01C3C8F9] Format the drive using NTFS (it's prolly FAT32 be default) Then with NTFS, you can set ACL's via the security tab. Give your self access and everyone else DENY access. This plus your encryption should do the trick. You must of course have physical security of the device. Someone could pick the unit up, and plug it into their laptop, take administrative ownership of everything and still be able to delete your stuff. Maybe even decrypt it if they can get the recovery key from your system or break the crypto......or of corse thing the things is broken and format it to do you a 'favor' :-) At 15:13 12/22/2003, J. Yoon wrote:I have an external USB drive using Windows XP file system, I have turned on encryption so that other users can't access the files but they can still view and browse the folders or even "delete" the encrypted files it if they wanted to. I've read on microsoft website that you can only restrict files/folders if you put them inside your Documents & Settings folder, but since this is an external drive it's not possible. How then, do I set this so that other users can't see or access anything
inside folders that i restrict? I would like to know if this is possible without using 3rd party software...--------------------------------------------------------------------------- ---------------------------------------------------------------------------
-
_________________________________________________________________ Have fun customizing MSN Messenger - learn how here! http://www.msnmessenger-download.com/tracking/reach_customize --------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- setting access restrictions on external drive J. Yoon (Dec 22)
- Re: setting access restrictions on external drive jamesworld (Dec 23)
- <Possible follow-ups>
- Re: setting access restrictions on external drive J. Yoon (Dec 23)
- Re: setting access restrictions on external drive jamesworld (Dec 23)
- RE: setting access restrictions on external drive Mike (Dec 23)
- RE: setting access restrictions on external drive aldr1c (Dec 29)
- RE: setting access restrictions on external drive David (Dec 29)
- Re: setting access restrictions on external drive J. Yoon (Dec 29)
- RE: setting access restrictions on external drive Simon and Sara Zuckerbraun (Dec 30)
- Re: setting access restrictions on external drive jamesworld (Dec 30)