Controlling user access to external drive

JoeSpareBedroom

My computer has 4 accounts: admin, 2 limited users (one of which is ME) and
a guest account. XP Pro, SP3. Seagate external drive is formatted as NTFS. I
need to cut off access to that drive for one of the limited users, but
maintain it for the admin (me) and my own limited user account. Does the
advice at the link below look accurate? Any "gotchas" to look out for? I
need to access this drive daily - no room for unexpected surprises from
Windows.

http://www.windowsnetworking.com/articles_tutorials/wxppfsec.html
 
Iceman

My computer has 4 accounts: admin, 2 limited users (one of which is ME) and
a guest account. XP Pro, SP3. Seagate external drive is formatted as NTFS. I
need to cut off access to that drive for one of the limited users, but
maintain it for the admin (me) and my own limited user account. Does the
advice at the link below look accurate? Any "gotchas" to look out for? I
need to access this drive daily - no room for unexpected surprises from
Windows.

http://www.windowsnetworking.com/articles_tutorials/wxppfsec.html

Well, it seems rather complicated to me, at least. You could also have a
look at an encryption program like TrueCrypt (free).

http://www.truecrypt.org/
 
Tim Meddick

One very big "gotcha" is that, being an external USB (removable) drive, if
you restrict access using the method outlined in your link, you will not be
able to access the drive if you unplug it and try using it on another
computer.

This would include retrieving data if access via the "Administrators" group
had been deleted.

You would be able to use this method if you bear a couple of things in
mind...

Restrict access *only* by omitting (un-checking) permissions for every
existing user that you don't want to give access to - NOT by granting
permissions to only the accounts you want to grant access.

If, however, you know for a fact that the drive will always and only be used
on the one machine, there are no obvious disadvantages.

==

Cheers, Tim Meddick, Peckham, London. :)
 
John John MVP

One very big "gotcha" is that, being an external USB (removable) drive,
if you restrict access using the method outlined in your link, you will
not be able to access the drive if you unplug it and try using it on
another computer.

Of course you will, provided that you are a member of the Administrators
group. As an administrator you have rule over the whole computer and
all attached devices, and as such you can simply grant yourself
permission to the attached drive.

John
 
JoeSpareBedroom

Tim Meddick said:
One very big "gotcha" is that, being an external USB (removable) drive, if
you restrict access using the method outlined in your link, you will not
be able to access the drive if you unplug it and try using it on another
computer.

This would include retrieving data if access via the "Administrators"
group had been deleted.

You would be able to use this method if you bear a couple of things in
mind...

Restrict access *only* by omitting (un-checking) permissions for every
existing user that you don't want to give access to - NOT by granting
permissions to only the accounts you want to grant access.

If, however, you know for a fact that the drive will always and only be used
on the one machine, there are no obvious disadvantages.

==

Cheers, Tim Meddick, Peckham, London. :)


Tim, you've touched on an interesting point - not being able to take the
external drive to another computer. It's rare that I'd want to do that, but
it might happen occasionally. So, what's the solution? Some sort of
encryption? I've been avoiding that because I believe (perhaps incorrectly)
that it would affect performance.
 
JoeSpareBedroom

John John MVP said:
Of course you will, provided that you are a member of the Administrators
group. As an administrator you have rule over the whole computer and all
attached devices, and as such you can simply grant yourself permission to
the attached drive.

John


So, "administrator" is generic enough from one computer to another, so
access will NOT be restricted? Sorry if I'm asking you to repeat yourself
using different words....but that's why I'm here asking the question.
 
John John MVP

So, "administrator" is generic enough from one computer to another, so
access will NOT be restricted? Sorry if I'm asking you to repeat yourself
using different words....but that's why I'm here asking the question.

Yes, if you are an administrator you will be able to seize ownership of
the whole drive and grant yourself any and all permissions on all the
objects (files and folders) on the drive, regardless of which computer
the drive is plugged into.

John
 
John John MVP

So, "administrator" is generic enough from one computer to another, so
access will NOT be restricted?

The built-in Administrators group has the same SID/RID across all
Windows versions and has a predefined set of permissions; unless you
deliberately changed the permissions, all administrators start with the
same set of permissions. Keep in mind that the starting set of
permissions can be different on different Windows versions, as some of
the permissions are sometimes readjusted for security reasons, but these
minor differences would not affect the ability to gain control of file
system objects.

What it comes down to is that as an administrator you have rule over the
whole computer on which you are logged on to... and that includes pretty
well all attached devices including external drives. The only exclusion
that I can think of are dongles or specialized hardware with
restrictions hardcoded in the firmware, but that is a topic for another
post altogether...

Well-known security identifiers in Windows operating systems
http://support.microsoft.com/kb/243330


John
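
The distinction John draws here (a well-known SID such as BUILTIN\Administrators versus a machine-specific S-1-5-21-... account SID) can be checked directly against the drive's root ACL. The following PowerShell is an added example, not code from this thread or from the linked article; it assumes the external drive is mounted as E:\, that it is run from an elevated session, and that the logged-on account is a local (not domain) account, so that the current token's domain SID is this machine's S-1-5-21 prefix. For each ACE it reports whether the principal resolves on every Windows machine, only on this one, or on neither, and then checks that the two portable principals still hold Full Control.

```powershell
# Added example (not code from the thread): audit the root ACL of a removable
# NTFS volume and say, per entry, whether the principal still resolves when the
# drive is plugged into a different Windows machine. Assumptions: the drive is
# mounted as E:\, the session is elevated, and you are logged on with a local
# (not domain) account. PowerShell 2.0 or later.

$Root = 'E:\'

# Well-known SIDs from KB 243330; identical on every Windows installation.
$AdminsSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators
$SystemSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'      # NT AUTHORITY\SYSTEM

# Every local account on this machine shares one S-1-5-21-x-y-z prefix (the
# "Administrator" account is that prefix plus RID 500). Taken from the current
# logon token, hence the local-account assumption above.
$ThisMachine = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.AccountDomainSid

$Full = [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-AceScope {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    # IdentityReference is an NTAccount when the SID resolved on this machine and
    # the bare SecurityIdentifier when it did not (what Explorer shows as S-1-5-21-...).
    $sid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    if (-not $sid.IsAccountSid()) {
        $scope = 'well-known/built-in: same SID on every machine'
    } elseif ($sid.AccountDomainSid -eq $ThisMachine) {
        $scope = 'local to THIS machine: orphaned anywhere else'
    } else {
        $scope = 'another machine or domain: orphaned HERE'
    }
    New-Object PSObject -Property @{
        Principal = $Ace.IdentityReference.Value
        Sid       = $sid.Value
        Type      = $Ace.AccessControlType
        Rights    = $Ace.FileSystemRights
        Scope     = $scope
    }
}

$acl     = Get-Acl -Path $Root
$entries = @($acl.Access | ForEach-Object { Get-AceScope $_ })
$entries | Format-Table Principal, Type, Rights, Scope -AutoSize
"Owner: $($acl.Owner)"

# The check Tim's advice comes down to: do both portable principals still hold
# an Allow/Full Control entry? If not, any other machine needs the takeown route.
foreach ($want in @($AdminsSid, $SystemSid)) {
    $ok = $entries | Where-Object {
        $_.Sid -eq $want.Value -and $_.Type -eq 'Allow' -and (($_.Rights -band $Full) -eq $Full)
    }
    if ($ok) { "OK   $($want.Value) has Full Control on $Root" }
    else     { "WARN $($want.Value) lacks Full Control on $Root" }
}
```

Run it once before and once after changing permissions. An entry classified as "local to THIS machine" is exactly the kind that shows up as a bare S-1-5-21-... number on another computer; an entry for S-1-5-32-544 is the one that makes the drive readable on any machine without having to take ownership first.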
 
Tim Meddick

*NB ONLY if access has been granted to the "Administrators" group (default);
but if removed, you will not be able to gain access if just the specific
account "Administrator" remains, as this account is specific to each
individual system (i.e. each "Administrator" account is assigned a unique
UID number).

So one must ensure a NTFS-formatted removable drive has their
"Administrators" group given "Full Access" permissions at root-level and
applied to all sub-containers and objects.

==

Cheers, Tim Meddick, Peckham, London. :)
 
John John MVP

*NB ONLY if access has been granted to the "Administrators" group
(default); but if removed, you will not be able to gain access if just
the specific account "Administrator" remains, as this account is
specific to each individual system (i.e. each "Administrator" account is
assigned a unique UID number).

So one must ensure a NTFS-formatted removable drive has their
"Administrators" group given "Full Access" permissions at root-level and
applied to all sub-containers and objects.

Obviously you've not tried this.

An administrator can seize ownership of any or all the objects on a disk
and then, as the owner, he can grant himself full control on any or all
the objects on the disk. This applies even when the Administrators
group or all the other users or user groups have been removed from the
security permissions; it even applies if you specifically deny all
permissions to the Administrators group. There is just no way that you
can keep an administrator off an NTFS volume using NTFS permissions: by
taking ownership of the volume and its objects an administrator can
grant himself full control on the whole disk, and that applies even if
you remove or specifically deny permissions to the Administrators group.
The only way to keep an administrator off an NTFS volume is to use
NTFS encryption or other third-party encryption or password protection
tools.

Just try it and see for yourself!

John
 
Tim Meddick

What you are suggesting will only work if you're playing on a single
machine!

Because each and every "Administrator" account is assigned its own UID
number (just like any Administrator-level account), if you have removed the
default Full-Control for the "Administrators" GROUP from the drive (and all
sub-containers and objects), you will not be able to regain access!

This is because the system recognises the "Administrator" account on the
same machine it was set up on (the "Administrator" account is set up by
default), but if an NTFS-formatted drive is ported to another (NT) machine,
that same administrator account will show up only named using its UID!
(e.g. S-1-5-21-1957994455-1005336348-682003330-500)

So, I repeat, if you totally remove the "Administrators" GROUP from the
Full-Control granted permissions for the removable drive, even if you have
an Administrator-level account on a different system, you will NOT be able
to take ownership of the object as this action would require
"Administrators" GROUP permissions being granted ON THAT DRIVE.

Think about it! If what you were saying were true, all you would have to
have is an Administrator-level account and you would be able to access any
files of anybody's on any computer you were connected to, simply by taking
ownership of files and folders!!?!

(The only other way round it is to grant the "Everybody" group Full-Control
to all objects on the removable drive - but then you have NO security left
for that drive.)

==

Cheers, Tim Meddick, Peckham, London. :)
 
Tim Meddick

I have to apologise, in part for my former assertion that such a removable
drive would be inaccessible. You were, of course, right when you said that
you could take ownership.

However, with an entire removable drive, this is not as easy as you might
think...

For a start, if the "Administrators" GROUP had been deleted, as I
suggested, and the only account left with granted permissions was the
"Administrator" account on that drive, the drive would fail to show up in
explorer in the first place, having no valid access to it. All attempts to
actually "see" the drive, in order to change (add) permissions or take
ownership with Explorer.exe or Winfile.exe fail. In the end, I was only
able to re-establish access by editing the permissions using the
command-line application "cacls.exe".

So, for all intents and purposes, what I was suggesting is effectively what
happens when you remove the "Administrators" GROUP from a removable
NTFS-formatted drive, if, indeed, it is not, I now admit, strictly true.

==

Cheers, Tim Meddick, Peckham, London. :)
 
John John MVP

Think about it! If what you were saying were true, all you would have to
have is an Administrator-level account and you would be able to access
any files of anybody's on any computer you were connected to, simply by
taking ownership of files and folders!!?!

YES!!! THAT IS *EXACTLY* WHAT I AM SAYING!

You think about it for two minutes and then think how many files would
be lost. If what you say were true it would be very well documented; the
help groups and internet would be FULL of posts and articles about this
and people asking for a workaround to the problem!

Any administrator can take ownership of any object on an NTFS volume and
then grant himself full control on the object, even if the Administrators
group has been removed from the security permissions or even if the
group has been specifically denied all permissions on the object. An
administrator has rule over the whole computer and he can grant himself
any permissions that he wants or undo any restrictions that any other
administrator might have put in place. As far as NTFS permissions are
concerned, whatever was done on another computer is of no consequence to
the Windows installation on which the disk is mounted; the permissions
put in place by another installation will be 'dimmed' when examined with
a different installation. These are orphaned, and the Windows
installation reading them will simply ignore these orphaned security
principals.

John
 
John John MVP

I have to apologise, in part for my former assertion that such a
removable drive would be inaccessible. You were, of course, right when
you said that you could take ownership.

However, with an entire removable drive, this is not as easy as you
might think...

For a start, if the "Administrators" GROUP had been deleted, as I
suggested, and the only account left with granted permissions was the
"Administrator" account on that drive, the drive would fail to show up
in explorer in the first place, having no valid access to it. All
attempts to actually "see" the drive, in order to change (add)
permissions or take ownership with Explorer.exe or Winfile.exe fail. In
the end, I was only able to re-establish access by editing the
permissions using the command-line application "cacls.exe".

So, for all intents and purposes, what I was suggesting is effectively
what happens when you remove the "Administrators" GROUP from a removable
NTFS-formatted drive, if, indeed, it is not, I now admit, strictly true.

I have here 4 Computers:

1 Windows 2000
2 Windows XP
1 Windows 7

I can (and have) removed the Administrators group from the permissions on
a removable drive using different machines, and it does not matter on
which machine the permissions were removed or on which machine the drive
was then plugged in: I was simply able to access the Security settings
via the Windows Explorer GUI and take ownership of all the objects on
the disk and then grant myself full control on all the objects, no need
to use CACLS for this. Whatever it is that you are doing, you are doing
it wrong... I suggest that you try using the Advanced security settings
and use inheritance to propagate the permissions and select to Replace
the permissions on all the objects.

John
 
Tim Meddick

On my XP machine - when I remove all but the "Administrator" account in
advanced security page, and "apply to all child objects", from the root of
the removable drive - the removable drive disappears from Explorer and
cannot be re-accessed (access denied).

Obviously I'd be able to "see" it under the "Administrator" account, but
we're supposing that we have plugged the drive into another computer - so
we wouldn't have that same "Administrator" account but one with a different
UID.

Anyway, we seem to be nit-picking at each other here - the point being,
either way, that rather than have to [attempt to] re-set security
permissions every time you wanted to access a removable NTFS-formatted
drive on a different computer, it *would* be simpler, would it not, to just
make sure you included (or did not remove, should I say, being present by
default) the "Administrators" GROUP (granting Full-Control to any
administrator-level account)?

==

Cheers, Tim Meddick, Peckham, London. :)
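
Both sides of the thread end up at the same two procedures: restrict the one account without touching the built-in Administrators entry (Tim's closing advice), and, if the drive ever turns up with its Allow entries stripped, take ownership as an administrator and re-grant access (John's point). The PowerShell below is an added example, not code from the thread; it assumes the drive is E:\, that the limited account to block is a local account named LimitedUser2, an elevated prompt, and that icacls.exe is available (Vista and later; XP ships cacls and takeown instead). Account names, drive letter and the function name Restore-AdminAccess are all assumptions.

```powershell
# Added example (not code from the thread): cut one limited user off a
# removable NTFS drive by touching only that account, leaving the inherited
# BUILTIN\Administrators and SYSTEM entries alone (Tim's advice), plus the
# ownership rescue John describes for a drive whose Allow entries are gone.
# Assumptions: drive E:\, local account to block named 'LimitedUser2', elevated
# prompt, icacls.exe available (Vista and later; XP ships cacls and takeown).

$Root  = 'E:\'
$Block = "$env:COMPUTERNAME\LimitedUser2"

# Guard: refuse to change anything unless BUILTIN\Administrators still holds an
# Allow/Full Control entry at the root. That entry is what keeps the drive
# usable without a rescue on every other Windows box.
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$adminOk = (Get-Acl -Path $Root).Access | Where-Object {
    $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
    $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $full) -eq $full)
}
if (-not $adminOk) { throw "BUILTIN\Administrators has no Full Control on $Root; restore it first" }

# Step 1: one explicit Deny for the one account. Deny entries are evaluated
# before Allow entries, so this overrides whatever the user gets through the
# Users group. (OI)(CI) makes it inherit to files and subfolders; no /T is
# needed at the root because inheritable entries propagate on their own.
icacls $Root /deny "${Block}:(OI)(CI)F"

# Step 2: show the result; only the blocked account should have changed.
icacls $Root

# Rescue, to run from an administrator prompt on ANY machine, including one
# where the Administrators group was removed or denied: take ownership for the
# Administrators group, then grant Full Control by well-known SID so the grant
# does not depend on how the drive's original machine named its accounts.
function Restore-AdminAccess {
    param([string]$Path)
    takeown /F $Path /A /R /D Y                           # /A = owner becomes Administrators
    icacls  $Path /grant "*S-1-5-32-544:(OI)(CI)F" /T /C  # leading * = numeric SID
}
# Restore-AdminAccess $Root   # uncomment on the machine where you are locked out
```

Two things follow from how this works. The Deny entry names a SID that only this machine can resolve, so on any other computer it is orphaned and ignored, which is harmless for the owner but also means it protects nothing there. And the rescue function needs no knowledge of the drive's original accounts at all, which is the practical form of John's statement that NTFS permissions cannot keep an administrator off a volume; if the requirement is to keep the data from other machines' administrators, encryption (as Iceman and John note) is the tool, not the ACL.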
 
