File sharing (or rather files to not be shared)?

arciere

JustAnotherSaver wrote: »

Which is what i've been asking from the start.
To be honest, it might actually have been answered and i might have missed it so i actually do apologise if it's been answered

It's in the first reply to your post https://forums.moneysavingexpert.com/discussion/6084928/file-sharing-or-rather-files-to-not-be-shared#2

Folders permissions is the way to go.

getmore4less

If you like your drive solution I think you can just assign a folder as a drive and have a seperate folder for each user.

JustAnotherSaver

arciere wrote: »

It's in the first reply to your post https://forums.moneysavingexpert.com/discussion/6084928/file-sharing-or-rather-files-to-not-be-shared#2

Folders permissions is the way to go.

My understanding of permissions is that let's say there's 3 folders for 3 different people. Folder A, Folder B, Folder C.
You can assign permissions so that Person A can only access Folder A, so on & so forth.


*BUT* Person B can still SEE folders A & C, Person C can SEE folders A & B and Person A can still SEE folders B & C. They can try and get in to it but they'll be denied. This doesn't matter though - they can still see it in order to wish to get in to it. Forget that a permission prevents them from doing this - they can see it, so they can want to access it.



Now i'm happy to admit that my knowledge of computing is not up there so while that's my understanding of permissions i'm happy for someone to tell me that what i've just described isn't actually the case and that Person A can only SEE folder A, they wont actually know folders B & C exists because they wont see them.


However if i've understood properly then i'm afraid your solution does not fit what i am looking for.

Thank you for your suggestion, i will consider it, so on & so forth.

getmore4less wrote: »

If you like your drive solution I think you can just assign a folder as a drive and have a seperate folder for each user.

That rings a bell actually. I think i did something like that with VeraCrypt, although i may well be thinking of something entirely different. I don't know whether it's ringing the right bell but it's certainly ringing one. :rotfl:

that

JustAnotherSaver wrote: »

My understanding of permissions is that let's say there's 3 folders for 3 different people. Folder A, Folder B, Folder C.
You can assign permissions so that Person A can only access Folder A, so on & so forth.


*BUT* Person B can still SEE folders A & C, Person C can SEE folders A & B and Person A can still SEE folders B & C. They can try and get in to it but they'll be denied. This doesn't matter though - they can still see it in order to wish to get in to it. Forget that a permission prevents them from doing this - they can see it, so they can want to access it.



Now i'm happy to admit that my knowledge of computing is not up there so while that's my understanding of permissions i'm happy for someone to tell me that what i've just described isn't actually the case and that Person A can only SEE folder A, they wont actually know folders B & C exists because they wont see them.


However if i've understood properly then i'm afraid your solution does not fit what i am looking for.

Thank you for your suggestion, i will consider it, so on & so forth.



That rings a bell actually. I think i did something like that with VeraCrypt, although i may well be thinking of something entirely different. I don't know whether it's ringing the right bell but it's certainly ringing one. :rotfl:

as admin on c: you create 3 folders c:\ann c:\ben c:\chris. You make sure ann ben and chris are not admins and have limited security rights.

So that only ann can see c:\ann, right click on the c:\ann folder > properties > Security > Advanced> then
Click disable inheritance button > select Convert inherited Permissions....
add your admin account in there and give yourself all the rights - everything!
Remove all other accounts even the creator owner and system ones, but not your admin one
Add ann, but only give her modify, read and execute, list folder contents, read, write. tick only apply these permissions to objects within... box
Do the same for ben an chris

Problems:
a bootable linux usb reveals all - So veracrypt it.
Admin is not the highest account on the box. You can elevate privileges and do stuff, if you know how.
Although hidden , there are ways to delete things even if it is encrypted.

JustAnotherSaver

that wrote: »

as admin on c: you create 3 folders c:\ann c:\ben c:\chris. You make sure ann ben and chris are not admins and have limited security rights.

So that only ann can see c:\ann, right click on the c:\ann folder > properties > Security > Advanced> then
Click disable inheritance button > select Convert inherited Permissions....
add your admin account in there and give yourself all the rights - everything!
Remove all other accounts even the creator owner and system ones, but not your admin one
Add ann, but only give her modify, read and execute, list folder contents, read, write. tick only apply these permissions to objects within... box
Do the same for ben an chris

Problems:
a bootable linux usb reveals all - So veracrypt it.
Admin is not the highest account on the box. You can elevate privileges and do stuff, if you know how.
Although hidden , there are ways to delete things even if it is encrypted.

Regards the Veracrypt thing, as that is likely something i'll be using later - you could just delete the folder/drive and everything within it is gone, right? Is that what you mean?


Anyway back on topic. That sounds great. Could these people still install programs? If so then perfect. If only the admin could install programs and these people will be blocked from doing that then i don't know, although if that's the case then your suggestion is still one that i genuinely will consider, thanks.

that

veracrypt will hide the contents, but someone could delete the veracrypt file easily from a bootable linux cd, probably they can wipe the whole drive too.

Then there are 'previous versions' or shadow copies, another was of finding other peoples data.

The program files and program files (x86) have other rights, plus there is c:\uses and folders within, so you have to try it as I can not give you an definitive answer. Then there are portable apps which can be run from anywhere too. users have read only, but the trusted installer has full rights. By default, only admins can install software, but many a virus has bypassed this.
https://www.4winkey.com/windows-10/allow-users-to-install-software-without-admin-rights-in-windows-10.html

not on 10 Home, but on 10 pro there is group policy which is often used to restrict users. one such restriction allows you to black list file types from being executed

Personally would rename the admin account to Dave, and then create a new Admin that is a normal user. If you know what you are doing then the sid will reveal the admin account what ever you call it, but it does keep put the uninitiated

If you do the steps on the previous post, and remove the admin, I am sure that the admin will not have access. BUT the admin will see the folder name. The owner of the folder can assign new users to that directory. If the admin is not the owner, the admin can take ownership, and then assign users in security
https://www.isumsoft.com/windows-10/how-to-prevent-users-from-installing-software-in-windows-10.html

A better and easier way could be to make 3 virtual PCs one each for ann, ben and chris?

Another way would be to make Ann a member of the Administrators group, which should allow her to install, then use efs on c:\ann. this is tied to each users account https://www.tenforums.com/tutorials/77130-encrypt-files-folders-efs-windows-10-a.html
https://www.youtube.com/watch?v=Avtwf4qlrPo
https://www.youtube.com/watch?v=rnuCitzSgQ8

How is this all going to be backed up?

if you need for someone to install software and have private folders a veracrypt (or efs or similar software) file is the only secure way, unless you want to store stuff on a windows sever domain, or cloud storage. I agree with JohnMcl7, that you will end up tying yourself up in security issues

I have never done this to anyone's pc, but regularly (many times a day) do thhe steps on a frevious post for server users. If I had this done to me on a home PC i would use a boot linux usb or cd, and then if that too was disabled then the device may become 'very unreliable', or unused! I'd start by grabbing all the free space, so that everyone else will start moaning at you

Johnmcl7

JustAnotherSaver wrote: »

Anyway back on topic. That sounds great. Could these people still install programs? If so then perfect. If only the admin could install programs and these people will be blocked from doing that then i don't know, although if that's the case then your suggestion is still one that i genuinely will consider, thanks.

No, they can't install software or make any system changes because that needs admin rights and if the user has admin rights they can override any security settings you have on the system.

I'm not sure why you keep dismissing arciere as I agree with what they're saying, what you want can be achieved through folder permissions. If you create the root folder with say three user folders but you don't give any permissions on the root folder and only give each user the permissions on their own folder, they won't be able to browse the root folder and see the other user folders. The obvious problem I can see with this setup is that they won't be able to browse to their own file share and instead will need to use a shortcut but this could be mitigated by using shortcuts or remapping the profile folders.

That said I've never used such a setup (always given users basic list folder contents permissions, security through obscurity rarely works) and only tested it briefly so may well not work well in practice.

that wrote: »

A better way could be to make 3 virtual PCs one each for ann, ben and chris?

How is this all going to be backed up?

I think that's a great idea and reading through the thread I keep thinking separating the Windows installs would be the most straightforward way to achieve it. I have implemented horribly complicated security permissions in the past and inevitably people don't find it really does what they want and a simpler solution is needed.

getmore4less

Agree with the idea to go virtual PC, drop multi user.

Sandbox each user behind a single password much simpler.

Terabytes of personal data you don't want sharing seems a lot.

JustAnotherSaver

Johnmcl7 wrote: »

I'm not sure why you keep dismissing arciere as I agree with what they're saying, what you want can be achieved through folder permissions.

Because there's ways and means.


Look at how "that" has communicated to me. Look at how "esuhl" communicated to me and look how "DoaM" aside from the part where there was a little misunderstanding communicated to me. People make out like i'm a 'big bad guy' who has attitude throughout around here but then look how i communicated back to these people.
Then look at arciere in comparison and look how i then respond.


Now sure i don't expect you to agree with me there. It's not what happens here. You'll defend arciere, say they're 100% in the right and my posts were totally uncalled for. That's generally what happens around here but you've asked a question and i've given you my answer, i'm not asking for you to agree with it.


That's just one side of it though.
The other side of it is this whole permissions thing. If you can show me how setting up folder permissions achieves what i have specifically asked then great. Go ahead and i'll hold my hand up and say i got it wrong.
Sure, A wont be able to access B or C, B wont be able to access A or C and C wont be able to access A or B but like i said, if you can show me that setting up permissions achieves what i have specifically asked for ...... then i will hold my hand up and say sorry i was wrong. Until then it's just a case of it sort of fits the bill but not totally ... which is therefore not what i asked for and therefore why i keep dismissing them.






Regards Virtual PC - i'm well aware this is going to sound like i'm being dismissive again, but i have tried Virtual PCs before and they seem very very slow. I gave up in the end.


And yes terabytes is a lot, but then at the same time does it make a difference? I struggle to think how it would. Unless the suggestion was going to go in to the realms of USB sticks if the volume was much less? I don't know, i'm just trying to think of suggestions that don't answer the question that might've been suggested.

debitcardmayhem

JustAnotherSaver wrote: »

snipped....

That's just one side of it though.
The other side of it is this whole permissions thing. If you can show me how setting up folder permissions achieves what i have specifically asked then great. Go ahead and i'll hold my hand up and say i got it wrong.
Sure, A wont be able to access B or C, B wont be able to access A or C and C wont be able to access A or B but like i said, if you can show me that setting up permissions achieves what i have specifically asked for ...... then i will hold my hand up and say sorry i was wrong. Until then it's just a case of it sort of fits the bill but not totally ... which is therefore not what i asked for and therefore why i keep dismissing them.
.....snipped

One big problem is that A or B or C is you so you can do as you please with their data, then most of your premises or questions have holes in them which frankly I find it is not surprising that people can’t get in their heads what you are saying. Do these other users log on the local machine, or do they remote in? Windows server or linux/unix is the way to go if remote, if local any of them can see all the data on the machine.