Password protecting/encrypting files & folders

  • Thread starter Thread starter Matt Modica
  • Start date Start date
M

Matt Modica

Is it possible to password protect or encrypt folders? I am trying to
prevent someone logged on as a guest to view certain files on the D: drive.
I have Windows XP home and have the NTFS file system. I tried the program in
this thread http://www.opentechsupport.net/forums/showthread.php?t=41119,
but it failed to install. I heard there is a file/folder encryption built
into Windows, but haven't figgured it out. Any suggestions?
 
Matt said:
Is it possible to password protect or encrypt folders? I am trying to
prevent someone logged on as a guest to view certain files on the D:
drive. I have Windows XP home and have the NTFS file system. I tried
the program in this thread
http://www.opentechsupport.net/forums/showthread.php?t=41119, but it
failed to install. I heard there is a file/folder encryption built
into Windows, but haven't figgured it out. Any suggestions?
Click to expand...

Do not use the Guest account. Create a "Visitors" account and lock it
down as desired with the Group Policy Editor. Put the files in a folder
and set permissions for access to the users/groups you want.

For questions about using Group Policy, post here:
microsoft.public.windows.group_policy

How to set, view, change, or remove special permissions for files and
folders in Windows XP -
http://support.microsoft.com/default.aspx?scid=kb;en-us;308419

Malke
 
Malke said:
Do not use the Guest account. Create a "Visitors" account and lock it
down as desired with the Group Policy Editor. Put the files in a
folder and set permissions for access to the users/groups you want.

For questions about using Group Policy, post here:
microsoft.public.windows.group_policy

How to set, view, change, or remove special permissions for files and
folders in Windows XP -
http://support.microsoft.com/default.aspx?scid=kb;en-us;308419

Malke
Click to expand...

Sorry for the double-post - I misread your question and thought you had
XP Pro and you don't. You won't have the Group Policy Editor in XP
Home. You still should not be using the Guest Account. Make the
"Visitor" account instead. There is a rather complicated and
unsupported way to be able to adjust permissions on XP Home (from MVP
Steve Winograd). If you are feeling wild and crazy, let me know and
I'll post the information - which I've never tried.

What would probably work better for you is to put the files you want to
keep private in a zip file and password-protect the zip archive. When
you do (right click a folder, then "send to > compressed folder") and
then open the zip file, you will find an option under file>"add a
password". Otherwise, use third-party software. Google "password
protect folders".

Malke
 
It might help to know that all the files I want to protect are on the D:
partition (also NTFS), so using the "crazy" option to completly hide that
drive on the guest acount would be OK.
 
Matt said:
It might help to know that all the files I want to protect are on the
D: partition (also NTFS), so using the "crazy" option to completly
hide that drive on the guest acount would be OK.
Click to expand...

Well, I'll give you my notes from MVP Steve Winograd but I'd back up
everything first. There are *no* guarantees this won't completely hose
your entire operating system. I still think you'd be better off just
zipping the files. Disabling the Simple Sharing is what will give you
the Security tab and the ability to set permissions on the folder. When
you read "I" in the procedures below, that is Steve talking. I, Malke,
have never done this and so make absolutely no claims about its
efficacy or what it will do to your system. OK, we all clear about
this? Still don't want to just zip the files in folders?

***
Unauthorized ways to disable Simple Sharing on XP Home Edition. Make
sure to set restore point first.

A. from MVP Doug Knox:
http://www.microsoft.com/ntserver/nts/downloads/recommended/scm/default.asp

Instructions: Download the x86 (Intel) version of the Security
Configuration Manager and save it to your hard disk. Double click the
SCESP4I.EXE file you downloaded and extract the contents to a temporary
location on your hard disk. Then open the folder you extracted the
files to and locate the Setup.inf (Setup Information) file. Right
click Setup.inf and select Install. After the installation is
finished, reboot your computer.

If the download link on the page, listed above, does not work, try this
one - ftp://ftp.microsoft.com/bussys/winnt/winnt-public/tools/SCM

Right click the SCESP4I.EXE file and select Copy to Folder). Make sure
to read the README files!!!!
Disclaimer: I have tested this procedure on my XP Home installation,
and it works. I cannot guarantee that it will work on your system.
Make sure you create a System Restore point before proceeding.
WARNING: Adjusting the permissions on a drive, file or folder can lock
even the Administrator account out of that drive/file/folder. Deny
Permissions take precedence over Allow Permissions, regardless of your
group membership. Administrators are members of the User's group, by
default. Uncheck Allow, rather than using Deny.

B. Use CACLS, per Ron Lowe:

XP home is more tricky, for 2 reasons.
1) You cannot disable Simple File Sharing - so you cannot access the
Security tab;
2) You cannot disable Simple File Sharing - so all incoming connections
authenticate as Guest. We can't do anything about (2), but we can work
around (1) to that Guest has the same permissions as other folders.
There are 2 ways to do it:
1) Boot to safe mode and manipulate the folder permissions there ( Add
the
'Everyone' group );
or
2) Go to a command prompt.
Change Directory to the parent of the target folder. Use the CALCS
command to change the folder permissions:

We will go to a command prompt window, and use the CACLS command. In
this example, I'm making my profile directory (C:\Docs+Setts\Ron )
accessible across the network:

# First, notice that the command prompt window has opened
# with the profile directory I wish to edit as my current working
# directory ( C:\Docs+Sets\Ron ). I'm going to move up one level,
# to C:\Docs+Sets so the Ron directory is visible to me.
C:\Documents and Settings\Ron>cd ..
# Can I see the directory I want to edit?
# Let's try the DIR command and see...
C:\Documents and Settings>dir
Volume in drive C has no label.
Volume Serial Number is C4C5-AAB4
Directory of C:\Documents and Settings
12/06/2005 14:06 <DIR> .
12/06/2005 14:06 <DIR> ..
12/06/2005 13:45 <DIR> All Users
12/06/2005 14:06 <DIR> Ron
0 File(s) 0 bytes
4 Dir(s) 15,526,223,872 bytes free
# Ah, yes, there it is.
# Let's look at the existing permissions:
C:\Documents and Settings>cacls ron
C:\Documents and Settings\Ron BUILTIN\Administrators:(OI)(CI)F
XP-HOME-VPC\Ron:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
# Now, add the Everyone group, which includes Guest:
# the last 'C' means I'm granting read/write access to everyone
# including the Guest account across the network.
# Replace the 'C' with 'R' for read-only ( eg backing up ).
C:\Documents and Settings>cacls ron /E /G Everyone:C
processed dir: C:\Documents and Settings\Ron
#Now, lets look at the permissions again:
C:\Documents and Settings>cacls ron
C:\Documents and Settings\Ron BUILTIN\Administrators:(OI)(CI)F
XP-HOME-VPC\Ron:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
Everyone:(OI)(CI)C
# Now the folder is accessible across the network.
# All the contents of the folder are too, because they
# inherit the parent folder's permissions.
# This works with the Program Files folder too.
C:\Documents and Settings>cd ..
C:\>cacls "program files" /E /G Everyone:C
processed dir: C:\Program Files
C:\>cacls "program files"
C:\Program Files BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)(IO)F
Everyone:(OI)(CI)C
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Users:(OI)(CI)R
# This is now accessible across the network too.
***
OK, there you have it. Good luck.

Malke
 
It worked! Thanks for the help
In case you were wondering, this is what I did:
I installed the setup file and went into the security tab. I did not see the
"Guests" group, so I went to "Add..." and selected "Users" as the object
type. I then entered "Guest" (the name of the guest account) and clicked OK.
The guest acount appeares under the list. I then clicked "Deny" access to
everything but full control (If I unchecked "Allow" to everything but Full
control, the guest acount would dissappear from the list). Now if I log in
as the Guest and double click on the D: drive, I get an "Access is denied"
message, but I can still access it as the administrator.
 
The opensource encryptor http://www.truecrypt.org/ was recommended to me (By
a Falun Gong practitioner as it happens, guess when you're opposing the
largest, most hardline government in the world you need good encryption ;-)

Gave it a try and it seems quite impressive, much easier to use than
Windows' encryption, plus you can easily transfer an encrypted folder to
another disk, USB key, or whatever and decrypt it elsewhere. As always the
proviso applies that you could lose the data if you're not duly careful with
the passwords.
 
Matt said:
It worked! Thanks for the help
In case you were wondering, this is what I did:
I installed the setup file and went into the security tab. I did not
see the "Guests" group, so I went to "Add..." and selected "Users" as
the object type. I then entered "Guest" (the name of the guest
account) and clicked OK. The guest acount appeares under the list. I
then clicked "Deny" access to everything but full control (If I
unchecked "Allow" to everything but Full control, the guest acount
would dissappear from the list). Now if I log in as the Guest and
double click on the D: drive, I get an "Access is denied" message, but
I can still access it as the administrator.
Click to expand...

Wow! I'm happy for you. Thanks for taking the time to post the solution.

Malke
 
Back
Top