michaaal wrote:
> Awesome. Do you know a good MS article on setting this up?
> Thanks!
>
> "*Vanguard*" <no-(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> michaaal wrote:
>>> In the past I have found that you can take any Windows 2000 Pro hard
>>> drive and set it up as a slave on another Windows 2000 Pro hard
>>> drive and you can read it. And if there is a permissions problem
>>> you can just "take ownership" and the problem is solved.
>>>
>>> Is there any way to make it so that my hard drive is not readable
>>> when put into another computer as a slave?
>>
>> Use EFS.
>>
>> The permissions for SIDs are controlled only by the instance of the
>> OS that created them. When you move the drive to another machine,
>> it is highly unlikely the same SIDs are created, and the SAM will be
>> different. Since the other instance of the OS has no info regarding
>> permissions on SIDs it didn't create, no [restrictive] permissions
>> get enforced. The only account that probably retains permissions is
>> Administrator since, I believe, Windows uses the same SID on every
>> install for the Administrator account. So permissions for
>> Administrator on one hard drive in one instance of Windows when the
>> drive gets moved to a different instance of Windows will still get
>> those Administrator permissions enforced. But, as you've mentioned,
>> you can still take permission by any account in the Administrators
>> group (and the Administrator on the second instance of Windows would
>> have the same permissions on the files as the Administrator on the
>> drive from the first instance of Windows). This is a big loophole
>> in Windows file-based security, but I'm not sure it's just a Windows
>> defect. How would any instance of an OS know how to enforce
>> permissions on a drive for files on which permissions were
>> established for accounts in a different instance of the OS? Those
>> accounts are not known to the second instance of the OS. I suppose
>> one behavior would be to disallow all access to any files in which
>> permissions were defined for accounts that were unknown (i.e., not
>> defined in that instance of the OS).
>>
>> If you use EFS (encrypting file system) to secure files and/or
>> directories, they won't be readable on the second instance of the OS
>> to which the drive gets moved. That's because the second instance
>> of the OS won't have the security certificate. So it behooves you
>> to export your certificates to floppy or CD media and lock it up.
>> Then when you have to move the drive, or after a fresh reinstall of
>> Windows, you'll have the security certificate to import to gain read
>> access to the EFS-protected files. Users on the other instance of
>> Windows won't be able to read the EFS-protected files. However, the
>> Administrator might still be able to read those files. EFS won't
>> eliminate the Administrator from taking ownership, but if you set
>> permissions in EFS to remove the Administrator account or group
>> (i.e., only *your* account is list) then they won't be able to see
>> into the file. So you can use EFS to even hide the contents of
>> files from administrators, but you won't stop them from changing
>> ownership or permissions (so even if they cannot see into the file,
>> they can still steal it away from you and prevent you from getting
>> to it). Be sure to export the security certificate(s) so you can
>> recover from a fresh reinstall or when migrating to another instance
>> of the OS.
>>
>>
>> --
>> ____________________________________________________________
>> *** Post replies to newsgroup. E-mail is not accepted. ***
>> ____________________________________________________________
http://support.microsoft.com/
Advanced Search.
Pick Windows 2000 as the product.
There should be plenty of matches on "EFS" or "Encrypted File System"
(exact phrase).
--
____________________________________________________________
*** Post replies to newsgroup. E-mail is not accepted. ***
____________________________________________________________
Similar Threads
