Home page logo
/

basics logo Security Basics mailing list archives

RE: setting access restrictions on external drive
From: "Simon and Sara Zuckerbraun" <szucker () rcn com>
Date: Mon, 29 Dec 2003 21:06:35 -0600

The link you refer to:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:
80/support/kb/articles/q307/2/86.asp&NoWebContent=1)

is speaking about the "Make this folder private" checkbox.

As far as I'm aware, the "Make this folder private" checkbox has no effect
upon whether or not files are stored in encrypted format. The "Make this
folder private" checkbox only affects the permissions (DACL) applied to the
folder and its contents. When checked, admins are excluded from the DACL so
they can't access your files. (I'm not sure I understand exactly why this is
useful. After all, a local admin could always just take ownership of the
files and modify their DACLs in whatever way he likes. Only thing I can say
is, if an admin did this, it would leave an audit trail. Does anyone know if
excluding admins from the DACL has any usefulness besides the audit trail?)

Check out KB article 304040 for more details:
http://support.microsoft.com/default.aspx?scid=kb;en-us;304040

The whole "Simple File Sharing" UI in XP is just a simplified way to perform
a few common tasks with DACLs. The "My Documents" restriction is only a
restriction on the "Simple File Sharing" interface. If you turn off simple
file sharing and use the full-strength Sharing and Security tab, the My
Documents folder will no longer be the only place you can manually apply
permissions.

But once again, all this has nothing to do with encryption.

Simon
szucker () rcn com

-----Original Message-----
From: J. Yoon [mailto:supercool9000 () hotmail com] 
Sent: Friday, December 26, 2003 11:33 AM
To: jamesworld () intelligencia com
Cc: security-basics () securityfocus com
Subject: Re: setting access restrictions on external drive

I have Microsoft Windows XP Home Edition and this is what the article says..

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:
80/support/kb/articles/q307/2/86.asp&NoWebContent=1


From: jamesworld () intelligencia com
To: "J. Yoon" <supercool9000 () hotmail com>
CC: jamesworld () intelligencia com, security-basics () securityfocus com
Subject: Re: setting access restrictions on external drive
Date: Tue, 23 Dec 2003 08:41:46 -0600

J,

That is absolutely not true.  If you can, please post the URL to the MS 
page.  If that was so.... I don't even want to go down that thread.  Try 
creating a folder on C: call it anything.  create a folder or 2 under it.

Try setting security permission on it.  They will work,  out side of  the 
Documents & Settings folder.

I just did this on a removable drive and it worked.

I logged in as a non administrator (basic user) and my security tab was 
grayed out.



At 21:08 12/22/2003, J. Yoon wrote:
Hi,
thanks for your advice but unfortunately if it was that simple I would not

have posted here...
The drive is already formated NTFS (not fat32) and I've tried setting the 
security tab to restrict others from access but it's completely grayed 
out.

When I searched the Microsoft website about this problem, it says that 
only folders and files in Documents/Settings dir can have access 
restrictions...
Still I'm wondering if there's a way...


From: jamesworld () intelligencia com
To: "J. Yoon" <supercool9000 () hotmail com>
CC: security-basics () securityfocus com
Subject: Re: setting access restrictions on external drive
Date: Mon, 22 Dec 2003 20:07:01 -0600
    Tue, 23 Dec 2003 02:07:50 +0000
In-Reply-To: <LAW12-F28hA4iJ3hYpa0005c518 () hotmail com>
Return-Path: jamesworld () intelligencia com
X-OriginalArrivalTime: 23 Dec 2003 02:07:52.0187 (UTC) 
FILETIME=[923514B0:01C3C8F9]

Format the drive using NTFS  (it's prolly FAT32 be default)

Then with NTFS, you can set ACL's via the security tab.

Give your self access and everyone else DENY access.  This plus your 
encryption should do the trick.

You must of course have physical security of the device.  Someone could 
pick the unit up,  and plug it into their laptop,  take administrative 
ownership of everything and still be able to delete your stuff.  Maybe 
even decrypt it if they can get the recovery key from your system or 
break the crypto......or of corse thing the things is broken and format 
it to do you a 'favor' :-)

At 15:13 12/22/2003, J. Yoon wrote:
I have an external USB drive using Windows XP file system,
I have turned on encryption so that other users can't access the files
but they can still view and browse the folders
or even "delete" the encrypted files it if they wanted to.

I've read on microsoft website that you can only
restrict files/folders if you put them inside your Documents & Settings 
folder,
but since this is an external drive it's not possible.

How then, do I set this so that other users can't see or access anything

inside folders that i restrict?
I would like to know if this is possible without using 3rd party 
software...


---------------------------------------------------------------------------
---------------------------------------------------------------------------
-


_________________________________________________________________
Have fun customizing MSN Messenger - learn how here!  
http://www.msnmessenger-download.com/tracking/reach_customize


---------------------------------------------------------------------------
----------------------------------------------------------------------------




---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]