Security fits
September 13, 2004 3:42 PM

Windows XP, 250 gig shared backup hard drive, and a lab full of people with sensitive information that needs to be backed up on said drive but shouldn't be accessible by anyone other than the user who put it there. Security is giving me fits and I'd appreciate some helpful advice. [more gory details inside]

we have a lab full of computers. all of us need to back up our stuff but a lot of us have sensitive documents we'd rather not share with everyone else (student/co-worker evaluations, course material, test banks, etc.) we have only one spot to back up, a 250 gig USB hard drive attached to our lab server. we all have our own designated back-up folder on this drive. here's where it gets fun:

the drive is shared on the network to our lab computers only. we're not in a domain, just firewalls between us and the outside, access limited by IP range. there's probably not much i can do about this as we don't have control over the network, just our computers. so far anything i copy to this drive is openly shared with everyone else in our lab, and i can't seem to lock it down such that any one network user can only read/modify one folder. everyone in the lab is currently using Win2K Pro or WinXP Pro.

using my own stuff as a test case, i tried creating a user on the lab server, encrypting files, then logging off. when the system restarts the default account has access to all my encrypted files. i don't know why. if i do the reverse (encrypt then log on with my settings) i can't open the encrypted file.

i tried limiting access for that file to my user account only, locking out the default lab account we normally run on the machine. no luck. if the default lab account is locked out, nobody can access the files through the network.

only thing i can think of is that the default lab account used to be the old Win2K administrator account before i renamed it while upgrading to XP.

so... anybody else actually get something like this to work? any third-party solution that will cost us as little as possible? oh, i ought to mention that my PI is very non-technical, so whatever solution i come up with will have to continue to work after i've left the lab. any help at all here is appreciated.

(and yes i do realize that "secure" in this instance ain't really so secure - we're not trying to keep out hard-core hackers here, we're just trying to make sure we have a simple data backup solution while also keeping the people in our lab from having one-click access to their own employee reviews.)
posted by caution live frogs to Computers & Internet (5 answers total)
clf: I think you might be on to something with the renamed admin account theory...the SID has likely followed the renamed account. Could you create a new lab account? Other than that, you seem to have covered all the bases...I wish I could help more; Workgroup security is somewhat lacking. Sorry!
posted by Richat at 3:59 PM on September 13, 2004

Try 'cacls' at the command line, it allows you to modify permissions for individual users and groups in XP.

Maybe too late, but it would be much easier if your file server was Linux.
posted by the fire you left me at 4:56 PM on September 13, 2004

Response by poster: t.f.y.l.m. - yes, it would be easier with linux, or if XP actually supported remote encryption, but sadly it's lacking (and as for linux, see above comment regarding my PI - i had to take time today to help her copy a file through the network, and she was thrilled at the idea of mapping a network drive. not exactly the sort of person who'd be comfortable with linux...)

richat, the more i think about it the more i think that might be right. in XP the default admin account can automatically read encrypted files of other users as a backup, right? i think i'll need to dupe the admin account so our default isn't the built-in admin any more... that might help.
posted by caution live frogs at 6:37 PM on September 13, 2004

Since your Windows machines are not in a Domain, you will have to create accounts for each user on the lab server. Then you can change the permissions on each user's folder to only allow access by that user. That user will then have to logon to the share. This will not prevent someone with an admin equivalent account from logging onto the lab server and adding themselves back to the files and folders in question. The only way to solve this would be to take away admin privs from regular users.
posted by internal at 8:52 AM on September 14, 2004

Response by poster: figured it out. the steps here are:

(1) remove (don't deny, just remove) access for everyone except the desired user account in sharing.

(2) disable security inherited permissions, don't copy any existing permissions. remove (again don't explicitly deny) access for everyone, except system and the desired user.

i was able to lock the files, both locally and on the network, for any user not using the desired name/password. others get a permission denied/you do not have access error.

this does of course mean that all users who wish to lock their files need an account on the machine, but that's not a big deal. i figured i'd need to do that anyway.

i think where i got into trouble was trying to explicitly deny access for individuals, as i don't understand the windows hierarchy. just removing all checkmarks in the list of permissions for unwanted users solved the problem for me.
posted by caution live frogs at 2:39 PM on September 14, 2004
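The two steps the poster settled on (and internal's "one account per user on the lab server") can be scripted rather than clicked through, which also answers the worry earlier in the thread about the setup surviving after the poster leaves. The script below is an added example written for this page, not code from the thread or from Microsoft; the drive letter, share name, server name and user names are made up. It uses `icacls`, which is not on Windows XP itself (XP only ships `cacls`, as mentioned above) but is present on Vista / Server 2003 SP2 and everything since. The reason "remove, don't deny" works and "deny" did not: an ACE for a group (Users, Everyone) applies to every member of that group, the named user included, and a matching Deny entry is honoured before any Allow, so denying the group locks the intended user out as well. Leaving the unwanted principals off the list entirely has no such side effect. On XP Pro the Security tab and per-user share permissions are only available with "Use simple file sharing" switched off, which is assumed here.

```powershell
# Added example, not code from the thread. Per-user backup folders on a
# standalone (workgroup) Windows file server, done the way the poster
# described: one local account per user, the share limited to those users,
# inheritance disabled on each folder without copying the inherited entries,
# and unwanted principals REMOVED from the ACL rather than given a Deny entry.
# Assumptions (all hypothetical): backup drive D:, share name "backup",
# server LABSERVER, lab members alice and bob. Run from an elevated
# PowerShell prompt on the server; needs icacls (Vista / 2003 SP2 or later).

$Root  = 'D:\backup'
$Share = 'backup'
$Users = @('alice', 'bob')   # hypothetical lab members

# Local accounts. In a workgroup the server knows nothing about the client
# PCs' logons, so each person gets an account on the server and connects to
# the share with it. "net user NAME * /add" prompts for the password.
foreach ($u in $Users) {
    net user $u 2>$null | Out-Null
    if ($LASTEXITCODE -ne 0) { net user $u * /add }
}

# Step 1 (share level): recreate the share so that only the named users are
# listed, each with Change. No "Everyone" entry and no Deny entries; the
# per-folder restriction is left to NTFS below, which is the more specific
# of the two and wins when it is the tighter one.
net share $Share /delete 2>$null | Out-Null
$grants = $Users | ForEach-Object { "/GRANT:$_,CHANGE" }
net share "$Share=$Root" $grants | Out-Null

foreach ($u in $Users) {
    $dir = Join-Path $Root $u
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Step 2 (NTFS level). /reset first clears any stray explicit entries
    # on existing folders. /inheritance:r then drops the inherited entries
    # WITHOUT copying them, and /grant:r leaves exactly two Allow entries:
    # SYSTEM and the folder's user, inherited by everything created inside
    # ((OI)(CI)). Everybody else is simply absent. No Deny entry for Users
    # or Everyone: the named user is a member of both, and a Deny that
    # matches is applied before any Allow, which is the lock-out the poster
    # ran into with the Explorer dialog.
    icacls $dir /reset /T /Q | Out-Null
    icacls $dir /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "${u}:(OI)(CI)F" /Q | Out-Null

    # Make the user the owner so they can repair their own ACL later.
    # Note this does not stop a server Administrator: as internal said,
    # anyone with admin rights on the server can take ownership back and
    # re-add themselves; only withholding admin rights prevents that.
    icacls $dir /setowner $u /T /Q | Out-Null
}

# Print the resulting ACL of each folder for inspection: only SYSTEM and
# the folder's user should appear, each with (OI)(CI)F.
foreach ($u in $Users) { icacls (Join-Path $Root $u) }

# Client side, on a lab PC: alice maps the share with her server account
# (the trailing * makes net use prompt for the password rather than
# putting it on the command line):
#   net use Z: \\LABSERVER\backup /user:LABSERVER\alice *
```

To check it the way the poster did, log on to a lab PC as a different account (or `runas /user:bob cmd` on the server) and try `dir \\LABSERVER\backup\alice`; the result should be the access-denied error described above, while `alice` connecting with her own server credentials gets her folder. Two caveats a practitioner should keep in mind: share and NTFS permissions are both evaluated and the stricter one applies, so a user missing from the share's list gets nothing regardless of NTFS; and the built-in Administrator (or anyone in Administrators) on the server is not kept out by any of this, since ownership can always be taken back.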
