Vista RTM not secure?

Guest

Hi there,

I have been given by my local computer shop a trial of Vista RTM that will
expire in 30 days unless I buy a key.

The two things I find very annoying and that breach security are - the fact that
an administrator account is able to search and access other users' folders.

For instance, I can easily access my brother's administrator user folder
(mine is also an administrator) through the 'Users' folder.

Although we are both administrators, didn't Microsoft think EVERYBODY needs
their privacy? If one is able to be trusted to have administrator privileges,
one is also entitled to administrator privacy.

I have chat files and other personal data that my snoopy brothers would love
to open and have a read.

My question is, how can I keep all users' privacy without sacrificing
administrator privileges?

Looks like Microsoft has put soooo much time into network security that they've
forgotten an important thing - the fact that a thief can get a hold of your
computer and use an administrator account to steal whatever he wishes.

Can anyone please help me? Also, when using the search function, it also
retrieves results from ALL users on the PC, administrator or not.

This is frankly annoying me, and I don't want to go out and buy an $800 NZ
software just so I can have my privacy compromised.

So far this privacy breach is the only thing that is flawed in Vista for me.
And it is flawed enough for me to not buy Vista unless I can get a fix for
this.

Thanks for looking, I hope you can help me.

:)
 
Richard Cocks

This is true of any operating system, physical security for PCs is near
non-existent on a software level, if it were it would be impossible to
troubleshoot a dead computer a lot of the time. In the end anyone can always
find the disk and stick it into a different machine and read it there.

There is an option to "encrypt user folders" in Vista which at least goes a
little way to securing data but at the end of the day, a systems
administrator needs to be someone who has access and control over the whole
computer.

I'd recommend just having both users as "power users" and encrypting user
folders, you shouldn't find yourself being limited very often (and when you
are it may be possible to "run as administrator" and just enter the admin
password when prompted) and it'll give you and your brother the privacy from
each other that you desire.

Rich
 
Richard G. Harper

The fix is to follow best practice and not have every computer user be an
administrative user. Making every user an administrative user defeats most
of the enhancements in security that Vista contains. There should be one
administrative user and that account should only be used when installing
software or actually doing administrator-type stuff and the rest of the time
everyone else, including you, should be logging on as standard users.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website - http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Guest

Richard Cocks said:
This is true of any operating system, physical security for PCs is near
non-existent on a software level, if it were it would be impossible to
troubleshoot a dead computer a lot of the time. In the end anyone can always
find the disk and stick it into a different machine and read it there.

There is an option to "encrypt user folders" in Vista which at least goes a
little way to securing data but at the end of the day, a systems
administrator needs to be someone who has access and control over the whole
computer.

I'd recommend just having both users as "power users" and encrypting user
folders, you shouldn't find yourself being limited very often (and when you
are it may be possible to "run as administrator" and just enter the admin
password when prompted) and it'll give you and your brother the privacy from
each other that you desire.

Rich

Hi Rich. Thanks for the tip, but how do I encrypt our user folders? It
cannot be by BitLocker, because my motherboard BIOS apparently doesn't
support TPM, which is needed for BitLocker.

So, by encrypting my user folder, another administrator cannot access my
user folder through the 'Users' folder?

By encrypting our user folders, will it also prevent the search function from
retrieving results from another user's account?
 
Guest

Richard G. Harper said:
The fix is to follow best practice and not have every computer user be an
administrative user. Making every user an administrative user defeats most
of the enhancements in security that Vista contains. There should be one
administrative user and that account should only be used when installing
software or actually doing administrator-type stuff and the rest of the time
everyone else, including you, should be logging on as standard users.

--
Thanks for the input. In my PC, there are three user accounts: my big
brother's, my parents', whose account is also used a lot by my little
brother, and my account.

My big brother's and my accounts need to be administrator because we are the
biggest users of the PC and being standard users would hinder our needs. I
have made my parents' account standard to prevent my little brother from
looking at my files, but I cannot stop my big brother.

Does anybody know how to keep privacy between two administrators without
sacrificing other administration privileges?
 
Leslie Crystal

Hi, Phil. I am the only user of my computer. I have an administrative
account set up, but always operate from a standard user account and it
doesn't hinder my needs. I can always "run as administrator" from my
standard account if I need to.



Richard G. Harper said:
The fix is to follow best practice and not have every computer user be an
administrative user. Making every user an administrative user defeats
most
of the enhancements in security that Vista contains. There should be one
administrative user and that account should only be used when installing
software or actually doing administrator-type stuff and the rest of the
time
everyone else, including you, should be logging on as standard users.

--
Thanks for the input. In my PC, there are three user accounts: my big
brother's, my parents', whose account is also used a lot by my little
brother, and my account.

My big brother's and my accounts need to be administrator because we are the
biggest users of the PC and being standard users would hinder our needs. I
have made my parents' account standard to prevent my little brother from
looking at my files, but I cannot stop my big brother.

Does anybody know how to keep privacy between two administrators without
sacrificing other administration privileges?
 
Guest

Leslie Crystal said:
Hi, Phil. I am the only user of my computer. I have an administrative
account set up, but always operate from a standard user account and it
doesn't hinder my needs. I can always "run as administrator" from my
standard account if I need to.

Hi Leslie, standard accounts limit or will take longer for me to do
administrative stuff....such as installing something on a standard account,
which will come up with a message saying I need to be logged on as an
administrator and I cannot do the 'Run as Administrator' at that point.

I remember back with my WinXP, I cannot access my brother's user folder, and
it says it has 0 files and is 0 byte in size, does that mean it's encrypted?

If yes, how do I do this? How can I make my folder inaccessible by anyone
but me?
 
Jimmy Brush

Hello,

- Right-click the folder
- Click Properties
- Click Advanced
- Click "Encrypt contents to secure data"
- Click OK

The system will nag you to create an emergency backup of your encryption
key - you should DO THIS. If you have a thumb drive, stick the backup on
your thumb drive and keep it safe.

If you should forget your password or someone should delete your account,
you will NOT be able to access your files.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/
 
Guest

Jimmy Brush said:
Hello,

- Right-click the folder
- Click Properties
- Click Advanced
- Click "Encrypt contents to secure data"
- Click OK

The system will nag you to create an emergency backup of your encryption
key - you should DO THIS. If you have a thumb drive, stick the backup on
your thumb drive and keep it safe.

If you should forget your password or someone should delete your account,
you will NOT be able to access your files.

Hi, Jimmy. Thanks for that. Now, once my user folder is encrypted, other
administrators wouldn't be able to access my user folder, and cannot retrieve
results from my user folder?

And what is an encryption key? Could you please explain to me what
encryption is in details?
 
Jimmy Brush

Correct ... your files will be encrypted (garbled) and will only be able to
be accessed from within your account.

The "key" is what is used to unlock your files. It is stored inside your
user account and can only be used while you are logged in.

Anyone trying to access your files outside of your account will not be able
to do so, since they won't have access to your key.

You should back up your key so that if you forget your password or something
terrible happens, you will have a way to access your files.

Without a backup of your key, you will lose your files if you lose access to
your account.

The encryption is the best solution, as there is no way around it. You could
also change permissions on your personal folder to remove the access that it
gives to administrators, but there are ways around that restriction if the
other user is an administrator.

However, if the other person isn't very "technically advanced" they may not
know how to go about bypassing the restriction, so that may be a better
option for you, as it won't put your data in as much risk as encryption.

To use this second option, perform the following steps:

- Click start
- Type: cmd
- Right-click cmd when it appears
- Click Run As Administrators
- Type the following commands into the command prompt EXACTLY as shown,
pressing enter after each line:

cd %userprofile%
icacls . /remove Administrators

(The last command will take a few minutes to complete)

--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/
 
Guest

Jimmy Brush said:
Correct ... your files will be encrypted (garbled) and will only be able to
be accessed from within your account.

The "key" is what is used to unlock your files. It is stored inside your
user account and can only be used while you are logged in.

Anyone trying to access your files outside of your account will not be able
to do so, since they won't have access to your key.

You should back up your key so that if you forget your password or something
terrible happens, you will have a way to access your files.

Without a backup of your key, you will lose your files if you lose access to
your account.

The encryption is the best solution, as there is no way around it. You could
also change permissions on your personal folder to remove the access that it
gives to administrators, but there are ways around that restriction if the
other user is an administrator.

However, if the other person isn't very "technically advanced" they may not
know how to go about bypassing the restriction, so that may be a better
option for you, as it won't put your data in as much risk as encryption.

To use this second option, perform the following steps:

- Click start
- Type: cmd
- Right-click cmd when it appears
- Click Run As Administrators
- Type the following commands into the command prompt EXACTLY as shown,
pressing enter after each line:

cd %userprofile%
icacls . /remove Administrators

(The last command will take a few minutes to complete)

Thank you very much, Jimmy.

But how can the backup key let me access my account? I mean, let's say I did
forget my password. How can I use the key to access my account?

I have DVD+RW discs and an MP3 player. Both can store data. Are they
suitable for key backups?
 
Jimmy Brush

Both those devices are OK to use for backups, as long as you can plug them
in to your computer and stick files on them.

The backup is just a file.

I would recommend your MP3 player if possible ... I doubt they would think
to look there (assuming they even know what you did) :).


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/
 
Kerry Brown

You must have at least two copies of the certificate (keys) used to encrypt
the files. It is very important to test encrypting a few files, transfer
them to another computer, transfer the certificate, and decrypt the files.
Until you can do this successfully DO NOT USE EFS. If for any reason the
keys are not available the data cannot be decrypted by anyone, anywhere.
There is no back door. If your hard drive fails you won't be able to read
the backup files. If another user changes your password for a joke you will
lose the data in the files. If your user profile gets corrupted by malware
you will lose the data in the files. Make sure you have at least two copies
of the certificate and you know how to use them.
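
The round-trip test described in the post above, written out as a command-prompt script. This is an added example, not part of the original thread; the script name efs-test.cmd and the paths in TESTDIR and PFXBASE are constructed placeholders.

```batch
@echo off
rem Added example: EFS round-trip test in two stages.
rem   efs-test.cmd export   on the PC that holds the encrypted files
rem   efs-test.cmd verify   on a second PC, after copying the test folder
rem                         and the .PFX file to the same paths there
rem TESTDIR and PFXBASE are constructed placeholder paths; adjust both.
setlocal
set "TESTDIR=%USERPROFILE%\efs-test"
set "PFXBASE=E:\efs-backup"

if /i "%~1"=="export" goto export
if /i "%~1"=="verify" goto verify
echo Usage: %~nx0 export ^| verify
exit /b 2

:export
if not exist "%TESTDIR%" mkdir "%TESTDIR%"
echo constructed sample text> "%TESTDIR%\sample.txt"
rem Encrypt the folder and its contents, then show which certificate
rem protects the test file.
cipher /e /s:"%TESTDIR%"
cipher /c "%TESTDIR%\sample.txt"
rem Export the current EFS certificate and private key. cipher prompts for a
rem password and writes %PFXBASE%.PFX; keep a second copy on another medium.
cipher /x "%PFXBASE%"
exit /b 0

:verify
rem The copied file must still be encrypted for the test to mean anything:
rem a file copied to a FAT-formatted drive is stored decrypted.
cipher /c "%TESTDIR%\sample.txt"
rem Import the certificate and key into this user's personal store
rem (certutil prompts for the PFX password).
certutil -user -importPFX "%PFXBASE%.PFX"
if errorlevel 1 exit /b 1
rem The test passes only if the encrypted file can be read back here.
type "%TESTDIR%\sample.txt"
if errorlevel 1 (
  echo FAILED: cannot read the encrypted file with the imported certificate
  exit /b 1
)
echo OK: the certificate backup decrypts the test file
exit /b 0
```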
 
David J. Craig

It is not the encryption key. It is the certificate that can be exported to
a USB key or somewhere else for safety. Anyone who has that cert can gain
access to the files, but even the owner cannot if he loses the cert. If an
admin changes your password to obtain access to your account, they can't
gain access to your encrypted files if you don't let them have the cert. If
you don't have the cert saved, after they change your password, you will
lose your files.
 
Guest

Thank you all for that. Will try encrypting and see what happens.

If I run into problems, please help me...again! :p

Cheers all!
 
Guest

Wait....so if I needed to reformat my hard drive, and I backed up all my
files on a DVD, I can't access the backed up files on the DVD if I don't have
the certificate/key?
 
Kerry Brown

I can't say this strongly enough. Make sure you understand how EFS works and
test it before using it. You will lose data otherwise.
 
David J. Craig

It depends upon how the backup was made. If it backed up the encrypted data
and not the plaintext, then kiss it goodbye. Just using the same user ID
and password will not generate the same certificate two times in a row or
the encryption would be broken.
 
