File sharing (or rather files to not be shared)?

debitcardmayhem

Post #56 They are all admins , you are going round in circles, 3 admins all bets are off

AndyPix

JustAnotherSaver wrote: »

The bit in bold - thanks for that. You actually read what i've been saying and you actually paid attention to it by putting in there one key word ........ "IF".


Your second post confuses me though. Does that mean the above wouldn't apply then (since mksysb is correct)?

Well yes, if all users are admins then they can just change the permissions so they can view the contents of DATA .. (presuming they know how).


Look, you are asking for a solution here that suits the level of expertise of your users, but not specifying that level.


Your original solution of hiding the drive letter can be easily changed by an admin if they know what they are doing.


And the bit of my post that you bolded, what I meant by that is that if someone has physical access to the computer and they know enough, then they will be able to access the data no matter what you do.


You have multiple solutions above now - pick one that will "defeat" the level of knowledge of your users and do it

DoaM

AndyPix wrote: »

pick one that will "defeat" the level of knowledge of your users and do it

An inquisitive user with admin rights who knows how to use Google = potential carnage.

AndyPix

Yeah - just the same as his/her original solution .. Like I said, there isn't a solution that will keep someone out if they can physically access the machine ..


His original solution where he/she removed the drive letter seemed to work for him, so if the users have that level of skill then the posted solution should suffice.

that

There is a way - sort of but is a nasty set up, and i am unsure it could be a hit and miss on newer setups.

It involves long file names (including directories. should this be disabled and the 6th directory shared, it possibly could be accomplished.

I created c:\1\2\3\4\5\6, shared 6, from 5 to 1 made them all long file paths. Explorer could not open them, however could view their long file paths and name. Also could get into the share that \\My_PC_Name\6_shared. The MS notepad could not open it and file Explorer could not see it on out old version here at work under windows.

Like "c:\temp\Inrarecircumstancesyourpersonalallowance(theamountyoucanearntax-free)maybedifferenttotheamountsabovebutyourtaxcodeletterwilltellyouThiscouldbebecauseyouhaveacompanycaryouowetaxoryoursavingsinteresttakesyouoverthethreshold(seesaving1\....."

I also did not disable my long file paths in the registry, which I manually put in ages ago and keep checking - really do not want to mess with my setup, and the ability to see long files. However Libreoffice x64 could see the file in there and open it.

I even with long file name support disabled, Robocopy will still be able to access the files, as we have this issue at work, and Robocopy deals with long file names very well, even though our restore software and "previous versions" can't. 7zip will also would be able to get hold of it.

Johnmcl7

I don't see how setting long file paths is going to help, any admin can reset the permissions and pull the full paths from the registry then simply copy that path and do the same mapping themselves. Or they can simply map up as far as the standard file explorer will let them, browse the path and remap further up again.

that

Johnmcl7 wrote: »

I don't see how setting long file paths is going to help, any admin can reset the permissions and pull the full paths from the registry then simply copy that path and do the same mapping themselves. Or they can simply map up as far as the standard file explorer will let them, browse the path and remap further up again.

True, but it is more hassle, the folders have to be renamed in order, from top down, you cant just rename the bottom one. there is no real way in and only the very end is shared, but you can make it a tad more difficult for the uninitiated. If you look for the share ind dos, the path length is too great for the line to handle (you may have to make it more than 6 level though?)

It baffles most of our helpdesk at work, and users too

Edit: there is another odd-ball that keeps admins out, but you can grab it if you try hard enough, and that is the profile folder, and within it make a directory and share it. When a new roaming profile directory is created, Windows disables permission inheritance and grants SYSTEM and the profile’s user account full control also makes the user the owner. That makes user profiles inaccessible to administrators which prevents them from performing maintenance.

JustAnotherSaver

AndyPix wrote: »

Look, you are asking for a solution here that suits the level of expertise of your users, but not specifying that level.

Ok, sorry to cut out everything else you said and i'm purposely not responding to anyone else simply because i want to shed light on the bit i put in bold and just focus completely on that for a minute.


So i am being 100% genuine here when i say ...... are you serious????

Johnmcl7

that wrote: »

True, but it is more hassle, the folders have to be renamed in order, from top down, you cant just rename the bottom one. there is no real way in and only the very end is shared, but you can make it a tad more difficult for the uninitiated. If you look for the share ind dos, the path length is too great for the line to handle (you may have to make it more than 6 level though?)

There's no need to rename anything, you simply go into the registry, grab the path from the other profile and map the drive under your own profile. It doesn't matter if you have it a million folders down it's simply seconds to find it.

Even without the registry path you can move down the folder path yourself and map the drive under your own profile to bypass the character limit and get access to the files.

It baffles most of our helpdesk at work, and users too

So does setting basic file permissions but the OP has made it abundantly clear many, many times that these other users are technical enough to be able to do that therefore trying to hide anything when they have full system access is completely pointless. It will take any tech savvy user a matter of seconds and even non-tech savvy user nothing more than a few google searches to do the same. It makes any security through obscurity approach completely pointless and likely to cause other headache in day to day use.

Edit: there is another odd-ball that keeps admins out, but you can grab it if you try hard enough, and that is the profile folder, and within it make a directory and share it. When a new roaming profile directory is created, Windows disables permission inheritance and grants SYSTEM and the profile’s user account full control also makes the user the owner. That makes user profiles inaccessible to administrators which prevents them from performing maintenance.

It doesn't matter if inheritance is disabled, if you have full ownership of the container folder you can force permissions back to the sub-folders. I've had issues with corruption where sub folders lost all permissions including system and owner but could still reset the permissions by forcing the owner and then taking permissions back.

This is why as has been made clear many times already if you give everyone admin rights then you can't restrict anything.

JustAnotherSaver

I feel like i've missed a chunk of posts.


Or someone has been posting on my account or something.


Something isn't adding up here at all and without seeing what's on your computer screens then i will probably never know for 100%.