Restricting Access to certain files

[Teo]

Hi!!
Is there a way I can restrict access to certain files on a local machine
that will enable extra securities on it. For example, unable to be emailed,
printed, etc.
Is there a solution that provides that?

Thanks much in advance,

Teo

 

[Mike Bright MSP]

Teo,

Apply permissions to the file. Providing you are using
XP Professional you can apply a permission to make the
file unreadable to any user but yourself.

For some more information on setting permissions on file
and folder, look at the below link's:

http://www.microsoft.com/resources/documentation/windows/x
p/all/proddocs/en-us/acl_applyonto_permissions.mspx

http://www.microsoft.com/technet/prodtechnol/winxppro/main
tain/filesharing.mspx

http://support.microsoft.com/?kbid=308418

If you need help with setting it up, post back

Regards

Mike Bright MCP, MSP

e:[email protected]

 

[Chris Ard [MSFT]]

Not natively in XP no. XP is not that granular. You can do things such as
limit a user so they can only read a file but not modify it or delete it.
What you are referring to is known as Digital Rights Management (DMR).
This is available as part of Office 2003 and Windows Server 2003.

http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.m
spx

Chris Ard
Security Support
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Doug Knox MS-MVP]

Uh, Chris, what about this scenario?

3 users
1) Doug (Administrator)
2) Bob (Limited User)
3) Administrator (Administrator)

Folder C:\Customer Information

Security Properties for the above folder:
1) User - Doug (has full control)
2) User - System (has full control)

All other Users and Groups are removed from this folder's Security properties page.

Why would Bob be able to access anything in the C:\Customer Information folder? Bob can see that the folder exists, but when he tries to open it, he gets access denied. Apply this same methodology, and allow inheritance of permissions, to the root directory of a drive and Bob can't even open the drive.

An Adminstrator can always adjust the permissions and security settings, but Bob is pretty well out of the picture.

The only thing you really need to be cautious of is the use of the Deny option, particularly when applying it to Groups (Deny Users denies everyone on the machine).

Windows XP Pro provides VERY granular control over who can access what on any physical disk.

 

[Doug Knox MS-MVP]

Teo,

Additionally, you don't mention whether you're running XP Pro or Home. XP Pro with Simple File Sharing turned off, does allow for a great amount of control over what users/groups can access what files and folders. XP Home does not offer this level of control, by default.

To do this, you must be running NTFS as your file system on the drive in question. If your hard disk/partition is not NTFS you will need to convert it. To do this, open a Command Prompt window and enter the following command:

CONVERT X: /FS:NTFS

Where X: is the drive letter you wish to convert. You may also want to see http://www.aumha.org/a/ntfscvt.htm to ensure that you're getting the optimal conversion.

After this step is completed and you've rebooted the computer, if necessary:

XP PRO: In Windows Explorer, go to Tools, Folder Options, View and uncheck Use Simple File Sharing. Now, when you right click on a drive, folder or file (on an NTFS partition) and select Properties, you'll see a Security tab. Here you can assign or deny permissions based on user name or user group membership.

XP Home: By default, you can only make files and folders under My Documents "private". This is done by right clicking a folder or file and selecting Properties, Sharing. To change the permissions on other folders, you need to boot the computer to Safe Mode and log in on the built in Administrator account. In this mode, you'll see the Security tab in Properties, and you can assign permissions based on user name or group membership.

HOW TO: Set, View, Change, or Remove File and Folder Permissions in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308418

HOW TO: Set, View, Change, or Remove Special Permissions for Files and Folders
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308419

HOW TO: Disable Simplified Sharing and Password-Protect a Shared Folder in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;EN-US;307874

 

[Richard]

From reading the original post, it sounds like he doesn't
want to block other users from viewing the document. He
wants to, for example, let them view the document but not
print it. Or, users can view and edit the document, but
not attach it to an e-mail. XP is pretty granular, but its
not THAT granular.

-----Original Message-----
Uh, Chris, what about this scenario?

3 users
1) Doug (Administrator)
2) Bob (Limited User)
3) Administrator (Administrator)

Folder C:\Customer Information

Security Properties for the above folder:
1) User - Doug (has full control)
2) User - System (has full control)

All other Users and Groups are removed from this folder's Security properties page.

Why would Bob be able to access anything in the

C:\Customer Information folder? Bob can see that the
folder exists, but when he tries to open it, he gets
access denied. Apply this same methodology, and allow
inheritance of permissions, to the root directory of a
drive and Bob can't even open the drive.

An Adminstrator can always adjust the permissions and

security settings, but Bob is pretty well out of the
picture.

The only thing you really need to be cautious of is the

use of the Deny option, particularly when applying it to
Groups (Deny Users denies everyone on the machine).

Windows XP Pro provides VERY granular control over who

can access what on any physical disk.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

""Chris Ard [MSFT]"" <[email protected]>

wrote in message

 

[Doug Knox MS-MVP]

True, but the only way to do those things is to restrict all access to the file. I might have read it a little too "restrictively"

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

From reading the original post, it sounds like he doesn't
want to block other users from viewing the document. He
wants to, for example, let them view the document but not
print it. Or, users can view and edit the document, but
not attach it to an e-mail. XP is pretty granular, but its
not THAT granular.

-----Original Message-----
Uh, Chris, what about this scenario?

3 users
1) Doug (Administrator)
2) Bob (Limited User)
3) Administrator (Administrator)

Folder C:\Customer Information

Security Properties for the above folder:
1) User - Doug (has full control)
2) User - System (has full control)

All other Users and Groups are removed from this folder's Security properties page.

Why would Bob be able to access anything in the

C:\Customer Information folder? Bob can see that the
folder exists, but when he tries to open it, he gets
access denied. Apply this same methodology, and allow
inheritance of permissions, to the root directory of a
drive and Bob can't even open the drive.

An Adminstrator can always adjust the permissions and

security settings, but Bob is pretty well out of the
picture.

The only thing you really need to be cautious of is the

use of the Deny option, particularly when applying it to
Groups (Deny Users denies everyone on the machine).

Windows XP Pro provides VERY granular control over who

can access what on any physical disk.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

""Chris Ard [MSFT]"" <[email protected]>

wrote in message

http://www.microsoft.com/windowsserver2003/technologies/rig
htsmgmt/default.m
.

 

[Mike Bright MSP]

Personally I read it the same way as use did Doug, hence
why I mentioned Permissions.

Guess it can be taken a few ways

Mike Bright MCP, MSP

e:[email protected]