Re: Lock Folder
- From: "Vanguard" <vanguard.code@xxxxxxxxxxxxxx>
- Date: Wed, 14 Dec 2005 21:44:12 -0600
"Bruce Chambers" <bchambers@xxxxxxxxxxxx> wrote in message news:O4CU0KSAGHA.3936@xxxxxxxxxxxxxxxxxxxxxxx
Brian wrote: How do I lock a folder and require a password to view that folder's contents??
Like Win2K, WinXP's file security paradigm doesn't rely on, or allow, the cumbersome method of password protection for individual applications, files, or folders. Instead, it uses the superior method of explicitly assigning file/folder permissions to individual users and/or groups.
Unfortunately there are failings with Windows security. Using permissions can be obviated by moving the drive to another host where the SIDs for the accounts for the permissions are unknown under the other instance of Windows, so none of the permissions are enforced (except for Administrator which gets the same SID under each instance of Windows). The Administrator in the other Windows box can take ownership of any file, especially for those with unknown SIDs, which would then allow the user of that other Windows box to manipulate all your files.
You could use EFS but it is susceptible to password cracking (the passwords are more easily cracked than the encryption by EFS). If the password is known, hacked, spied, or cracked then anyone can log on as you and the EFS certificate gets applied so all those EFS-protected files become accessible to that hacker. Granted that passwords aren't that easy to crack but so many users use weak and stupid passwords that often it isn't that difficult. You cannot wipe the password to "reset" the account because, as I recall, that results in blocking access to the EFS-protected files. I remember reading somewhere that passwords longer than 14 characters (which are saved as two 7-character strings rather than one long 14-character string) only need to be cracked up to the 14 characters.
If you use an encrypted container (for a drive, a partition, or a file-based container), the encryption is based on the password. So obviously the longer the password the more secure are the contents of the encrypted container. Also, with TrueCrypt, for example, you can select some super-high encryption methods but with the incumbent performance penalty to add or read files due to the longer time needed for the higher encryption method.
You can double up on the protections, too. There would be no point in using EFS to encrypt a TrueCrypt container (and I'm not sure it is allowed) but you could put permissions on the container. That would allow only certain accounts to have access to that encrypted container provided they knew the password to open it. Even if an admin tried to take ownership, he can't look inside the container (and the same for EFS if you ensure no admins or admin groups are included in the EFS certificate). So even if the drive "wandered" to another box where the SID recorded on that file regarding its permissions was an unknown SID and a user opened it or an administrator took ownership, they still cannot look inside of it.
For the functions already included in Windows XP Pro (EFS only comes in the Pro version), you could use permissions on an EFS-protected file or folder. If you are wary of EFS getting hacked because someone managed to log in using your credentials then use TrueCrypt, DriveCrypt, or some other encryption tool that uses an independent password (i.e., the password is different than your login password). Advantages of TrueCrypt (or the others) over EFS are that its encryption has nothing to do with your login credentials, you don't need to export certificates and reimport them to have access to your files (but you will have to remember the password), and usually offer higher encryption schemes than EFS.
From what I've read and seen regarding data security for business hosts to prevent someone stealing a laptop or hard drive to yank out the data, I really haven't seen a huge push to use EFS, and permissions are easily circumvented. That's why there are products like TrueCrypt (free and open source), DriveCrypt, BestCrypt, and SafeBoot (which, I believe, is no longer available in a personal version). If permissions and EFS were the ultimate security model, there would be no demand for these other products.