Private folders

[nguser]

I will look into this. Sounds great.

I understand the password risks and would take appropriate steps to protect
it but I had not thought about the implications of hiding a folder from the
operating system and the resulting catastrophic effects of recovering from a
crash.

I do not keep disk images of the hard drive. I only back up my data files.
I've been using computers for a very long time and I used to backup the
entire hard drive to disk when it was practical to do so, back in the DOS
days, when the OS fit into a couple of floppies and the entire contents of
my meager 20MB hard drive were easily backed up on a few ZipDisks.

I'm need to purchase an external drive and start backing up my data more
often that I do. Thanks for the cautionary note.

 

[John Wunderlich]

One is a computer idiot, the other is a high school tech nerd.
The teenager knows how to find stuff. He'll search for hidden
files and folders using wildcards and will locate any document in
the bowels of any computer.

I am using XP Pro.

1. Will encryption prevent them only from opening the files or
will they be able to see the filenames in Explorer but prevent
"accidental" deletions of the encrypted files?

With Truecrypt, they will only be able to see the container file but
nothing inside it.

2. Will I need to specifically encrypt every file I use/create or
will I be able to encrypt a folder and all its subfolders and
files? Obviously, I'm looking for a solution that is not labor
intensive. It would be nice to have a Business folder and simply
encrypt it and everything in it.

In a nutshell the way TrueCrypt works is that you create a large
"container file" that you name anything you want anywhere you want
(including USB thumb drives and network drives). Truecrypt then
allows you to "mount" this file (with the correct password) as if it
were another disk drive. Once mounted, you simply read/write to
this virtual drive as if it were a real drive. When dismounted,
everything you read or write to this disk drive is stored encrypted
and is inaccessible.

Truecrypt is freeware and just happens to be about the best freeware
I've come across. It allows instant privacy with virtually no
impact to your current mode of operation.

<http://www.truecrypt.org>

Good luck,
John

 

[Tom Porterfield]

1. Will encryption prevent them only from opening the files or will they
be able to see the filenames in Explorer but prevent "accidental"
deletions of the encrypted files?

Encryption will prevent them from accessing the files. They won't be able
to open the file and they won't be able to delete the file. If they can
access the folder that the files are in, which as you already know then can
do by taking ownership, they will be able to see the files.

2. Will I need to specifically encrypt every file I use/create or will I
be able to encrypt a folder and all its subfolders and files? Obviously,
I'm looking for a solution that is not labor intensive. It would be nice
to have a Business folder and simply encrypt it and everything in it.

If you encrypt a folder, all files that are placed in that folder, including
new ones, will be encrypted as well. When you encrypt a folder, you have
the option of specifying whether or not you want sub-folders encrypted as
well.

There are several important points.

1) If others are admins on your machine, what is to stop them from changing
your account password and logging in under your account? The answer is
nothing.

2) If you set the encryption attribute on a folder, any other user who is
admin can clear that attribute. That won't remove encryption from any files
in the folder that were not encrypted under their ID, but it would mean that
any new files added to the folder would no longer be encrypted.

3) If you go with this type of encryption, make sure you fully read up on
it and the implications.

4) Absolutely make sure you back up the security certificate that is used
to encrypt the files. If you need to get to those files in a recovery type
situation, recovery will be impossible if you don't have that certificate.

5) Read http://support.microsoft.com/kb/223316/.

6) Read
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx.

7) I strongly recommend you consider getting a separate PC for your
business stuff that only you can access.

 

[Paul Johnson]

I share a computer with three users. It is my computer and two of the
other users have Administrator privileges.

Only Administrator should have Administrator privileges, no other accounts
should be set to Administrator. Administrator should not be used for
anything except system configuration and maintenance. Setting daily,
normal use accounts to Administrator leaves your system much more open to
malware, malicious content on websites and in email, and good old fashioned
user error. System security is your friend: Don't deliberately disable
it.

Although I do not want to prevent them from adding/removing programs

Yes, you do, unless you trust them enough to have the Administrator
password. Installing programs means installing malware as well, whether
through conscious effort or by accident. Forcing them to use Administrator
eliminates accidents.

and accessing some shared files,

File permissions are your friends.

I do not want to let them into My Documents folder. I tried removing all
the user names except mine from the security tab of the My Documents
Properties.[...]nothing prevents them from going into the security tab and
taking ownership of the folder, thus accessing my files.

Administrators bypass most security permissions, so this is operating
exactly how you misconfigured it to by giving administrator rights to
normal user accounts to begin with.

When I log in as them, although initially access is denied to
the other Administrators,

Either they told you their password, or there is no password on those
accounts. All accounts should have strong passwords set. Accounts with no
password are a security risk, especially accounts with Administrator
rights.

 

[Paul Johnson]

No. All Admin users can access all of the machine......you have two
options - encryption

Ineffective. Administrators have access to everybody's encryption keys.

or put your documents on a removable drive and take
it out each time you end your session.....

That just sidesteps the actual problem: Insecure user permissions.

 

[Paul Johnson]

Please don't quote in TOFU order instead of conversational order.
http://wiki.ursine.ca/Best_Online_Quoting_Practices

If your main concern is Word and Excel files, protect them all with
passwords to keep them from being opened. It's not very strong encryption,
but it's better than nothing.

It's worse than nothing: Weak encryption that can be broken in a matter of
minutes serves only to give a false sense of security.

 

[Paul Johnson]

Please avoid quoting in reverse order.
http://wiki.ursine.ca/Best_Online_Quoting_Practices

One is a computer idiot, the other is a high school tech nerd. The
teenager
knows how to find stuff. He'll search for hidden files and folders using
wildcards and will locate any document in the bowels of any computer.

Limited accounts definitely a must in this environment if you don't want
things changing constantly.

I am using XP Pro.

1. Will encryption prevent them only from opening the files or will they
be able to see the filenames in Explorer but prevent "accidental"
deletions of the encrypted files?

Encryption just encrypts the file, nothing more. Encryption will not
protect against someone who has Administrator privileges from digging for
your secret key and decrypting it themselves. This is another reason
day-to-day use accounts should be Limited users.

 

[Paul Johnson]

Please avoid quoting in reverse order.
http://wiki.ursine.ca/Best_Online_Quoting_Practices

I don't mind letting the kids add their game programs and their preferred
applications for listening to music, watching videos, and playing games
but their "accidental" deletion of files and their pretending not to
remember what they did is a common occurrence.

While you're not going to be able to do a thorough audit of the software
unless you stick to free software[1], still should be concerned about users
installing software. If you're the only one who can, it makes it much
easier to track down potential problems down the road and adds an extra
layer of "is this obviously malware before I install this?" protection.
Security should never be taken too lightly.

I also would prefer not to have to personally install every game or
program they want or need to use so, reluctantly, I made the older kid and
my wife administrators. It is amazing how the two feign amnesia with
identical facial gestures!

Anything but limited user is just asking for trouble then.

It is a family computer but I also run a small business and keep invoices,
accounts receivable data, customer profiles, tax data, etc. on the
computer.

Nobody should have anything higher than Limited user, especially on systems
with data you care about or are connected to the net.



[1] http://en.wikipedia.org/wiki/free_software

 

[Bruce Chambers]

I share a computer with three users. It is my computer and two of the other
users have Administrator privileges. Although I do not want to prevent them
from adding/removing programs and accessing some shared files, I do not want
to let them into My Documents folder.

I tried removing all the user names except mine from the security tab of the
My Documents Properties. When I log in as them, although initially access
is denied to the other Administrators, nothing prevents them from going into
the security tab and taking ownership of the folder, thus accessing my
files.

Suggestions?

As long as the other users have administrative privileges, they can
access anything they want. Rethink your "security" posture.


--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell

 

[nguser]

As long as the other users have administrative privileges, they can access
anything they want. Rethink your "security" posture.

OK. OK. Uncle!
I have changed all users to limited accounts.

Thanks to all for the many replies. I am now reformed.

 

[Rock]

OK. OK. Uncle!
I have changed all users to limited accounts.

Thanks to all for the many replies. I am now reformed.

Lol..good work.

 

[Gordon]

That just sidesteps the actual problem: Insecure user permissions.

We ARE talking Windows here... ;-)

 

[JoeSpareBedroom]

Please don't quote in TOFU order instead of conversational order.
http://wiki.ursine.ca/Best_Online_Quoting_Practices


It's worse than nothing: Weak encryption that can be broken in a matter
of
minutes serves only to give a false sense of security.

Yes, but he's dealing with his family. Granted, kids can get weird as they
get older, but if he needs a temporary solution TODAY, this isn't all that
bad.

 

[Paul Johnson]

We ARE talking Windows here... ;-)

True. But just because Windows encourages you to make a bajillion
Administrator accounts for daily use doesn't mean Limited isn't what you
really need for daily drivers.

 

[Paul Johnson]

Yes, but he's dealing with his family. Granted, kids can get weird as they
get older, but if he needs a temporary solution TODAY, this isn't all that
bad.

If it's a network connected machine that can see the greater Internet, it's
not necessarily just his family he's dealing with in a worst case scenario.
Expect the best, be prepared for the worst.

 

[Paul Johnson]

http://wiki.ursine.ca/Best_Online_Quoting_Practices
Please don't quote in reverse order.

how tech-savvy are these users? You could try hiding your username
folder under the Documents and Settings directory

Security through obscurity is no security at all. Microsoft playing this
game with security-critical bug disclosure should be all you needed to
learn this one...