Change default drive of \Documents & Settings

John Smith

On laptops I want to place user folders inside a PGP encrypted container in
case the laptop is lost/stolen. That way customer data, reports, e-mail,
etc...won't be compromised. One way is to change where Windows stores user
information.

1) Is there a way to change the default drive on which the \Documents and
Settings folder resides?

2) Can I change the default drive of a single user's \Documents and Settings
folder?

3) If I change the default drive and user Joe starts his laptop up and the
\joe user folder is within a PGP container and the container isn't opened at
boot time (i.e. Joe forgets to enter his passphrase), will XP hang or what
will XP do?
 
Anando [MS-MVP]

Hi John,

Some resources to help you out:

How To Change the Default Location of User Profiles and Program Settings
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q322014

How to Change the Default Location of the My Documents Folder
http://support.microsoft.com/?id=310147

You may also want to explore the options of encrypting files using EFS which is supported under the
NTFS file system.

Encrypting File System overview
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/encrypt_overview.mspx

How To Encrypt a Folder in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308989

--

Anando
Microsoft MVP- Windows Shell/User
http://www.microsoft.com/mvp
http://www.mvps.org

In memory of Alex Nichol
http://www.microsoft.com/windowsxp/expertzone/meetexperts/nichol.mspx

Folder customizations
http://newdelhi.sancharnet.in/minku

Protect your PC!
http://www.microsoft.com/protect
 
Jeff P

John Smith said:
On laptops I want to place user folders inside a PGP encrypted container in
case the laptop is lost/stolen. That way customer data, reports, e-mail,
etc...won't be compromised. One way is to change where Windows stores user
information.

1) Is there a way to change the default drive on which the \Documents and
Settings folder resides?

2) Can I change the default drive of a single user's \Documents and Settings
folder?

3) If I change the default drive and user Joe starts his laptop up and the
\joe user folder is within a PGP container and the container isn't opened at
boot time (i.e. Joe forgets to enter his passphrase), will XP hang or what
will XP do?

Microsoft has a knowledge base article which seems to suggest that one can
move the documents and settings folder to a different partition by first
copying it there, then modifying every registry entry that references the
path to instead reflect the new path. THIS DOES NOT WORK. Trust me, I have
spent days trying to fight with such a thing, and it simply won't do it. I
always would end up with it recreating the old paths and files or portions
of them and then nothing would work right without having TWO copies of the
stupid thing scattered about. It was a total nightmare.

The only way I have found to do this is to specify the desired path in a
special installation script file, and run an unattended or automated
installation of the operating system. Typically I do this with Windows 2000
and haven't tinkered much with Windows XP on the matter. However, I expect
the instructions would be quite similar. You can (on 2000 at least) create a
setup script or "answer" file on a floppy called "winnt.sif". Sometimes this
is called "unattend.txt" but it won't work on a floppy without the winnt.sif
name. I think it can be called using a command line parameter of the setup
program executable though.

Basically this is a file that answers all of the stupid questions that the
windows setup program asks, so you can let the install run on its own while
you walk away and do something else. (It won't hang up on tons of boxes that
require you to push "next" every few minutes for little purpose other than
to waste your time.) There are a lot of settings you can pass to the setup
program which aren't available in the setup gui. For example, I made one
one time that tells the setup program to simply not ask for a product ID key
in Windows 2000 setup. You can specify the product ID inside the answer
file, but I instead discovered you can omit this and simply instruct the
program to never ask for it at all. So, you can get a perfectly functioning
windows installation without any product ID, valid or invalid. (Not that I
don't have a valid license, it's just that I am annoyed by having to find it
and enter the stupid number.)

To use the answer file in the easiest manner, boot from the install CD with
the winnt.sif answer file on a floppy in the diskette drive. It will rumble
the floppy drive briefly at boot time to check if such a script exists. It
may take quite a bit of tinkering to get this to work properly, because if
it doesn't like part of your script it won't bother to tell you. It'll just
go ahead and install Windows, waste an hour or two of your time, and then
dump you with an installation that ignored your slight error and put the
documents and settings folder at the default C:\ location anyway.

I always run my system with the hard drive split into C:\ and D:\ partitions
(or sometimes separate drives). I put the documents and settings folder on
the D:\ drive. A word of caution to you though... This partition has to be
formatted and accessible prior to running windows setup. The setup program
will allow you to partition the drive and format it from the blue screen
text mode portion at the beginning of setup. However, it will only allow you
to format the partition that windows is going to be installed to. If the
answer file directs it to put the documents and settings folder in a
different partition, it will simply expect that partition to be working
before it starts. It'll probably go through the motions and think that it is
creating a documents and settings folder, only for windows to crash upon its
initial boot time for failure to read any of those files that never got
copied correctly from a drive not being formatted.

You bring up an interesting question -- I highly doubt that the PGP
encryption of the disk volume would work with the documents and settings
folder. If so, you would either need to have the encryption software loaded
into memory prior to running windows setup, or install windows in an
unencrypted form and later encrypt the disk afterwards. You would have to
encrypt it while windows is not running, and have software to enable access
to those files prior to the windows GUI booting up. I have no idea if you
could get that to work or not.

Another problem you have to look out for is that basically in order for
windows to function it needs to have open access to these files constantly
at any time the machine is running. So you're encrypting these files and
decrypting them anytime they attempt to be used for any purpose--good or
bad. If the machine gets infected with spyware, a hijacker, or virus, it'll
have access to those files as easily as windows does. I think the only thing
you would be protecting it from is access to the files while the machine is
not booted up--when windows isn't running. If you rig it so that you have to
enter the pass phrase prior to booting the operating system somehow, then I
suppose this would provide good security to protect against the laptop
physically being stolen. But, you would need a lot more effort in software
to maintain security while the authorized user is actually using the
machine--especially if it is connected to the internet.

-Jeff
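
An added example, not part of the original thread: a check that every user profile really ended up on the intended (encrypted) drive, since the post above describes setup silently falling back to C:\ and old paths being recreated. It parses the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s`; the sample output, SIDs, user names and the choice of D: as the protected drive are constructed for illustration.

```python
import re

# Constructed sample of `reg query ...\ProfileList /s` output (SIDs and users are made up).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    ProfilesDirectory    REG_EXPAND_SZ    D:\Documents and Settings
    AllUsersProfile    REG_SZ    All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
    ProfileImagePath    REG_EXPAND_SZ    %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1111111111-2222222222-3333333333-1003
    ProfileImagePath    REG_EXPAND_SZ    D:\Documents and Settings\joe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1111111111-2222222222-3333333333-1004
    ProfileImagePath    REG_EXPAND_SZ    %SystemDrive%\Documents and Settings\temp
"""

VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*\S)\s*$")
DEFAULT_ENV = {"SystemDrive": "C:", "SystemRoot": r"C:\WINDOWS"}  # assumed defaults


def expand(path, env):
    """Expand %VAR% references case-insensitively, as Windows does."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def audit_profiles(reg_output, required_drive="D:", env=None):
    """Return (key, value name, path) for each profile path off the required drive."""
    env = {k.lower(): v for k, v in (env or DEFAULT_ENV).items()}
    findings, key = [], ""
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().rsplit("\\", 1)[-1]  # "ProfileList" or a SID
            continue
        m = VALUE_RE.match(line)
        if not m or m.group(1) not in ("ProfilesDirectory", "ProfileImagePath"):
            continue
        # Built-in service accounts (e.g. S-1-5-18) live under the system root by design.
        if m.group(1) == "ProfileImagePath" and not key.startswith("S-1-5-21-"):
            continue
        path = expand(m.group(3), env)
        if not path.upper().startswith(required_drive.upper() + "\\"):
            findings.append((key, m.group(1), path))
    return findings


if __name__ == "__main__":
    for sid, name, path in audit_profiles(SAMPLE):
        print(f"NOT on protected drive: {sid} {name} = {path}")
```
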
 
scc4fun

Jeff said:
Microsoft has a knowledge base article which seems to suggest that one can
move the documents and settings folder to a different partition by first
copying it there, then modifying every registry entry that references the
path to instead reflect the new path. THIS DOES NOT WORK. Trust me, I have
spent days trying to fight with such a thing, and it simply won't do it. I
always would end up with it recreating the old paths and files or portions
of them and then nothing would work right without having TWO copies of the
stupid thing scattered about. It was a total nightmare.

For the Original poster, the solution might be to simply not use the
standard \Documents and Settings\, but instead create a folder like
%WHATEVER_DRIVE%:\Jeff's Docs\ and encrypt that if you wish. Then you
wouldn't have to worry about Windows requiring constant access,
duplicate locations, or a few other security issues while logged in.
For this you could probably use TrueCrypt or PGPDisk although I have
not used either myself.
 
Jeff P

scc4fun said:
For the Original poster, the solution might be to simply not use the
standard \Documents and Settings\, but instead create a folder like
%WHATEVER_DRIVE%:\Jeff's Docs\ and encrypt that if you wish. Then you
wouldn't have to worry about Windows requiring constant access,
duplicate locations, or a few other security issues while logged in.
For this you could probably use TrueCrypt or PGPDisk although I have
not used either myself.

This would work if you specifically save all your important files to that
folder. But, Windows likes to sneak away all kinds of personalized
information in the Documents and Settings folder. Examples are your browser
cache files and outlook emails. Pretty much whenever you install a bloatware
program, it is going to probably put some stuff in documents and settings
just for kicks. If you're worried about security, securing that isn't a bad
idea. It's just a question of how to do it.

-Jeff
 
Guest

OK. What about this theoretical solution:
1. Create a partition to only store all folders and files that would
normally be put in the /Documents and Settings/ folder.
2. Copy everything from /Documents and Settings/ to the new partition.
3. Mount the new partition to C: using the C:/Documents and Settings/ as the
mount point (may need to rename or delete the old /Documents and Settings/
folder to do this).

P-chu
 
Guest

Never mind. I just realized that it would be hard to mount to an existing
point/folder while logged into Windows. (i.e. /Documents and Settings/ would
be in use.) :-(
 
