NTFS Security

[Guest]

If you want to add a bit of security to your Vista system AND have another
Windows OS installed, I'd recommend installing the other Windows OS onto a
Fat32 partition. This way if someone else uses your computer and you don't
want them to use Vista, or they don't want to use Vista, they wont be able to
see your files because you're Vista install is going to be installed in NTFS
right!?

There is so many ways and other OS's that can read NTFS, but a Windows
system in Fat32 cannot read NTFS. If you want another layer of security,
create separate accounts for yourself and other users of your Windows system,
also you can install some sort of file encryption software to use on your
personal files for even more security.

 

[AlmostBob]

Inline
--
-
Adaware http://www.lavasoft.de
spybot http://www.safer-networking.org
AVG free antivirus http://free.grisoft.com/
Etrust/Vet/CA.online Antivirus scan
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Super Antispyware http://www.superantispyware.com/
Panda online AntiVirus scan http://www.activescan.com
Panda online AntiSpyware Scan
http://www.pandasoftware.com/virus_info/spyware/test/
Catalog of removal tools (1)
http://www.pandasoftware.com/download/utilities/
Catalog of removal tools (2)
http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?CID=40387
Trouble Shooting guide to Windows http://mvps.org/winhelp2002/
Blocking Unwanted Parasites with a Hosts file
http://mvps.org/winhelp2002/hosts.htm
Cool Web Shredder http://www.trendmicro.com/cwshredder/
links provided as a courtesy, read all instructions on the pages before
use
Grateful thanks to the authors/webmasters
_

If you want to add a bit of security to your Vista system AND have another
Windows OS installed, I'd recommend installing the other Windows OS onto a
Fat32 partition. This way if someone else uses your computer and you don't
want them to use Vista, or they don't want to use Vista, they wont be able to
see your files because you're Vista install is going to be installed in NTFS
right!?

There is so many ways and other OS's that can read NTFS, but a Windows
system in Fat32 cannot read NTFS.

http://www.sysinternals.com/Utilities/NtfsWindows98.html wanna bet.

 

[Guest]

Can that program read/write to XP/Vista NTFS drives reguardless of
permissions as well? It only mentions NT/2000 and I can't really test it
since I don't have 98 anymore

I noticed that a limited account in XP (NTFS formatted) that the Vista
partition is pretty much protected, can't read the User Documents folders and
can't modify anything, which can be a really good thing. If you really wanted
to be able to, all that needs to be done is to log into XP's Admin and change
permissions, but by default I think that not being able to is a good security
choice.

 

[Robert Moir]

Can that program read/write to XP/Vista NTFS drives reguardless of
permissions as well? It only mentions NT/2000 and I can't really test
it since I don't have 98 anymore

Permissions are not some super secret forcefield that provides
cartoon-superhero strength protection to anyone who wears their
undergarments on top of their trousers and starts assigning permissions.
They are an operating system system convention that works very well inside
the operating system concerned but are no help against something working
outside the boundaries of the operating system.

I noticed that a limited account in XP (NTFS formatted) that the Vista
partition is pretty much protected, can't read the User Documents
folders and can't modify anything, which can be a really good thing.
If you really wanted to be able to, all that needs to be done is to
log into XP's Admin and change permissions, but by default I think
that not being able to is a good security choice.

Permissions are very good at what they do, but what they do isn't protect
you from people / systems that don't 'play by the rules'.

 

[Guest]

"Permissions are very good at what they do, but what they do isn't protect
you from people / systems that don't 'play by the rules'. "

Well said. I wonder if there will ever be a built in check to verify
permissions, I mean built into the filesystem and works kind of like XOR
(Vernam) so that way information couldn't be read/wrote/uncorrupted without
the permission being given from having the passcode.

 

[Robert Moir]

"Permissions are very good at what they do, but what they do isn't
protect you from people / systems that don't 'play by the rules'. "

Well said. I wonder if there will ever be a built in check to verify
permissions, I mean built into the filesystem and works kind of like
XOR (Vernam) so that way information couldn't be
read/wrote/uncorrupted without the permission being given from having
the passcode.

Bitlocker maybe?

 

[Guest]

Good idea, but the system and program files are still modifiable without
having the username/password. Encryption is good, but currently the system
files are still unprotected outside the OS. The sweet spot in my opinion
would be to have everything encrypted until a specific username/password is
entered which would then unencrypt specific areas, but not all areas. With
XOR, different keys can produce different extractions...so with 3 or 4
different keys you could have 3 or 4 different outputs from the same
encrypted file.

A bit more complicated, probably not something that'd be ready today, but
laptop thefts that stored personal/business info wouldn't be that huge of a
problem with a system like that. It would be much harder to replace a
system/program file with a malicious file, even from outside the OS, and the
I think encryption could even be done in hardware if wanted for an extra
speed boost.

 

[Guest]

Spoke too soon, it looks like BitLocker just might be able to protect a whole
partition, including system/program files.

 

[Roberto Baggio]

It will completely protect the operating system partition.

 

[Guest]

Have you gotten it to work yet? I re-did my disc so now there is only 2 OS
partitions and 1 for the BitLocker partition, all are NTFS and Primary. I am
still told "The drive configuration is unsuitable for BitLocker Drive
Encryption. To use BitLocker, please re-partition your hard drive according
to the BitLocker requirement." which according to the help files I have
already done.

Also there is the second message on the BitLocker page, "A TPM was not
found. A TPM is required to turn on BitLocker. If your computer has a TPM,
then contact the computer manufacturer for BitLocker-compatible BIOS." I
updated to the latest version of my BIOS but still a no-go, I have a USB
thumbdrive and have tried running BitLocker with it plugged in and still
nothing. There is something in the help files that mention the group policy,
gonna check into that...any advice?

 

[HDFatBoy2003]

I'm running RC 2 so I don't know if this works in RC1 or earlier.

Follow the instructions for the group policy changes. The disk arrangement
needs to be taken one step further. But be careful as your system will not
boot successfully after you make this required change. The non-system
partition needs to be the active partition on the drive. Since your
bootmanager is probably not installed on this newly active partition, Vista
won't boot up. You can insert the install DVD and perform a repair. Reboot
with the DVD still in the drive but don't boot from it this time. Vista
will now copy the bootmanager over to the new active partition. You won't
loose any of your data or settings.

Also, I believe you need to remove your CD\DVD drive from the boot order in
your BIOS for Bitlocker to be successful, at least I did and it worked. You
can use bitlocker without a TPM. I found that the USB flash drive needs to
be connected directly to your PC not through a hub.

 

[Guest]

Thanks, worked just fine, I'm kind of suprised that the instructions that
come with Vista make it seem so much easier. This is an added layer of
security for sure, not using it currently though because it seemed like it
would take a while to encrypt the 10Gigs on this hard drive, and then
unencrypt them. Does it have to decrypt and encrypt them everytime the OS
starts up and shuts down? If not then this might be ok.