New
#1
trying to secure a backup folder, can't read w/o allowing rename
I am using an image backup program (easeus' todo) and I've got a folder on my L: drive at the top level (i.e. L:\securebackup). I want this folder to only be accessible for write/changes by a particular account (mybackups). I normally run in another user account (myaccount) though this has admin privs.
I want to be able to read the folder and read the contents from myaccount (and mybackups, but nobody else, including administrator(s)). I have other folders on this L: device that I use normally, i.e. I don't want to make the L: device completely protected, just the one top level folder in that device.
Here's what I've done, (I have win 10 professional)
From the mybackups account:
- create a folder securebackup, then select it, do properties
- security tab
- advanced
- disable inheritance
- (option 2) remove all inherited permissions (no access records remain)
- add mybackups and give it full permissions
- add myaccount, give it only list folder/read data (from advanced permissions)
From myaccount this still lets me move the folder to another folder, rename it, or delete (move to trash). I have not tried to see if I can overwrite files in this directory, but I can't seem to read the files in it, although I can drill down the directories inside it.
In addition, even though the todo backup program can write to the directory (other accounts cannot) somehow the owner of the files it creates have an owner of Administrators, instead of mybackups (which the creating program was running under). This could be an easeus/todo issue, but I'm not sure, and it doesn't seem to be what's causing me to still have access from myaccount.
My goal is to be able to create protected image backups that cannot be modified by any account except mybackups. This should protect from ransomware programs that would try to encrypt the files. Even if I was attacked, and all other files would be lost, I should still have a complete image backup to restore from (the backups are created daily automatically).
But if malware can move the folders and rename them, then I'm not feeling so secure.
Anyone know why I'm still able to rename or move the protected directory?
How might you approach this task?
I