RE: setting access restrictions on external drive

["Simon and Sara Zuckerbraun" <szucker () rcn com>]

The link you refer to:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:
80/support/kb/articles/q307/2/86.asp&NoWebContent=1)

is speaking about the "Make this folder private" checkbox.

As far as I'm aware, the "Make this folder private" checkbox has no effect
upon whether or not files are stored in encrypted format. The "Make this
folder private" checkbox only affects the permissions (DACL) applied to the
folder and its contents. When checked, admins are excluded from the DACL so
they can't access your files. (I'm not sure I understand exactly why this is
useful. After all, a local admin could always just take ownership of the
files and modify their DACLs in whatever way he likes. Only thing I can say
is, if an admin did this, it would leave an audit trail. Does anyone know if
excluding admins from the DACL has any usefulness besides the audit trail?)

Check out KB article 304040 for more details:
http://support.microsoft.com/default.aspx?scid=kb;en-us;304040

The whole "Simple File Sharing" UI in XP is just a simplified way to perform
a few common tasks with DACLs. The "My Documents" restriction is only a
restriction on the "Simple File Sharing" interface. If you turn off simple
file sharing and use the full-strength Sharing and Security tab, the My
Documents folder will no longer be the only place you can manually apply
permissions.

But once again, all this has nothing to do with encryption.

Simon
szucker () rcn com

-----Original Message-----
From: J. Yoon [mailto:supercool9000 () hotmail com] 
Sent: Friday, December 26, 2003 11:33 AM
To: jamesworld () intelligencia com
Cc: security-basics () securityfocus com
Subject: Re: setting access restrictions on external drive

I have Microsoft Windows XP Home Edition and this is what the article says..

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:
80/support/kb/articles/q307/2/86.asp&NoWebContent=1


> From: jamesworld () intelligencia com
> To: "J. Yoon" <supercool9000 () hotmail com>
> CC: jamesworld () intelligencia com, security-basics () securityfocus com
> Subject: Re: setting access restrictions on external drive
> Date: Tue, 23 Dec 2003 08:41:46 -0600
>
> J,
>
> That is absolutely not true.  If you can, please post the URL to the MS 
> page.  If that was so.... I don't even want to go down that thread.  Try 
> creating a folder on C: call it anything.  create a folder or 2 under it.

> Try setting security permission on it.  They will work,  out side of  the 
> Documents & Settings folder.
>
> I just did this on a removable drive and it worked.
>
> I logged in as a non administrator (basic user) and my security tab was 
> grayed out.
>
>
>
> At 21:08 12/22/2003, J. Yoon wrote:
> > Hi,
> > thanks for your advice but unfortunately if it was that simple I would not

> > have posted here...
> > The drive is already formated NTFS (not fat32) and I've tried setting the 
> > security tab to restrict others from access but it's completely grayed 
> > out.
> >
> > When I searched the Microsoft website about this problem, it says that 
> > only folders and files in Documents/Settings dir can have access 
> > restrictions...
> > Still I'm wondering if there's a way...
> >
> >
> > > From: jamesworld () intelligencia com
> > > To: "J. Yoon" <supercool9000 () hotmail com>
> > > CC: security-basics () securityfocus com
> > > Subject: Re: setting access restrictions on external drive
> > > Date: Mon, 22 Dec 2003 20:07:01 -0600
> > >     Tue, 23 Dec 2003 02:07:50 +0000
> > > In-Reply-To: <LAW12-F28hA4iJ3hYpa0005c518 () hotmail com>
> > > Return-Path: jamesworld () intelligencia com
> > > X-OriginalArrivalTime: 23 Dec 2003 02:07:52.0187 (UTC) 
> > > FILETIME=[923514B0:01C3C8F9]
> > >
> > > Format the drive using NTFS  (it's prolly FAT32 be default)
> > >
> > > Then with NTFS, you can set ACL's via the security tab.
> > >
> > > Give your self access and everyone else DENY access.  This plus your 
> > > encryption should do the trick.
> > >
> > > You must of course have physical security of the device.  Someone could 
> > > pick the unit up,  and plug it into their laptop,  take administrative 
> > > ownership of everything and still be able to delete your stuff.  Maybe 
> > > even decrypt it if they can get the recovery key from your system or 
> > > break the crypto......or of corse thing the things is broken and format 
> > > it to do you a 'favor' :-)
> > >
> > > At 15:13 12/22/2003, J. Yoon wrote:
> > > > I have an external USB drive using Windows XP file system,
> > > > I have turned on encryption so that other users can't access the files
> > > > but they can still view and browse the folders
> > > > or even "delete" the encrypted files it if they wanted to.
> > > >
> > > > I've read on microsoft website that you can only
> > > > restrict files/folders if you put them inside your Documents & Settings 
> > > > folder,
> > > > but since this is an external drive it's not possible.
> > > >
> > > > How then, do I set this so that other users can't see or access anything

> > > > inside folders that i restrict?
> > > > I would like to know if this is possible without using 3rd party 
> > > > software...
>
>
> ---------------------------------------------------------------------------
> ---------------------------------------------------------------------------
-
>

_________________________________________________________________
Have fun customizing MSN Messenger - learn how here!  
http://www.msnmessenger-download.com/tracking/reach_customize


---------------------------------------------------------------------------
----------------------------------------------------------------------------




---------------------------------------------------------------------------
----------------------------------------------------------------------------