trying to secure a backup folder, can't read w/o allowing rename


  1. Posts : 57
    windows
       #1



    I am using an image backup program (easeus' todo) and I've got a folder on my L: drive at the top level (i.e. L:\securebackup). I want this folder to only be accessible for write/changes by a particular account (mybackups). I normally run in another user account (myaccount) though this has admin privs.

    I want to be able to read the folder and read the contents from myaccount (and mybackups, but nobody else, including administrator(s)). I have other folders on this L: device that I use normally, i.e. I don't want to make the L: device completely protected, just the one top level folder in that device.

    Here's what I've done, (I have win 10 professional)

    From the mybackups account:


    1. create a folder securebackup, then select it, do properties
    2. security tab
    3. advanced
    4. disable inheritance
    5. (option 2) remove all inherited permissions (no access records remain)
    6. add mybackups and give it full permissions
    7. add myaccount, give it only list folder/read data (from advanced permissions)


    From myaccount this still lets me move the folder to another folder, rename it, or delete (move to trash). I have not tried to see if I can overwrite files in this directory, but I can't seem to read the files in it, although I can drill down the directories inside it.

    In addition, even though the todo backup program can write to the directory (other accounts cannot) somehow the owner of the files it creates have an owner of Administrators, instead of mybackups (which the creating program was running under). This could be an easeus/todo issue, but I'm not sure, and it doesn't seem to be what's causing me to still have access from myaccount.

    My goal is to be able to create protected image backups that cannot be modified by any account except mybackups. This should protect from ransomware programs that would try to encrypt the files. Even if I was attacked, and all other files would be lost, I should still have a complete image backup to restore from (the backups are created daily automatically).

    But if malware can move the folders and rename them, then I'm not feeling so secure.

    Anyone know why I'm still able to rename or move the protected directory?

    How might you approach this task?




  2. Posts : 93
    Windows 10
       #2

    rocket777 said:
    From myaccount this still lets me move the folder to another folder, rename it, or delete (move to trash).
    This is expected. As far as permissions are concerned, renaming and moving are synonymous to deleting, and you have not denied myaccount from deleting the folder, hence it may be moved or renamed. To prevent an item’s deletion the parent folder must not permit “Delete subfolders and files” (specifying any inheritance flags regardless of the type of the target item, strangely) and the item itself must then not have an allow on “Delete”.

    rocket777 said:
    I have not tried to see if I can overwrite files in this directory, but I can't seem to read the files in it, although I can drill down the directories inside it.
    You should be able to traverse and read data with that permission. Double check that you’ve set the correct inheritance flags. Preferably, it should be set to “This folder, subfolders and files”.

    rocket777 said:
    In addition, even though the todo backup program can write to the directory (other accounts cannot) somehow the owner of the files it creates have an owner of Administrators, instead of mybackups (which the creating program was running under). This could be an easeus/todo issue, but I'm not sure, and it doesn't seem to be what's causing me to still have access from myaccount.
    Nothing exciting here either. You mention that you’re running the backup software as administrator. Guess what the default owner for items created by administrative applications is.

    rocket777 said:
    My goal is to be able to create protected image backups that cannot be modified by any account except mybackups. This should protect from ransomware programs that would try to encrypt the files. Even if I was attacked, and all other files would be lost, I should still have a complete image backup to restore from (the backups are created daily automatically).
    A very perceptive apprehension to security. Sounds like you have a very prestigious set up happening. My data isn’t even that valuable to merit such worries...


  3. Posts : 57
    windows
    Thread Starter
       #3

    Pyprohly said:
    Sounds like you have a very prestigious set up happening. My data isn’t even that valuable to merit such worries...
    I've had to deal with ransomware twice. The first time was before the encrypting versions where they just set the hidden bit on all my folders and turned off "show hidden files".

    The second time was when my friend was hit with the new encryption ransomware. It became my job to restore her system. Rebuilding that was hugely painful, even though her data files were backed up.

    I guess I need to provide a protection at the drive level. I would still like to only protect the backup folder to this extent, but I don't see how to do that w/o protecting all the folders the same way. I guess some trial and error is needed.

    You should be able to traverse and read data with that permission. Double check that you’ve set the correct inheritance flags. Preferably, it should be set to “This folder, subfolders and files”.
    I have verified that this is indeed the case. When in myaccount, I view the directories (nested down a few levels) but I cannot copy the files all the way below the mybackup directory. The inheritance seems to work, i.e. there's only the same two access records that the parent has.

    File explorer says "you'll need to provide administrator permission to copy this folder". The image file is data, but it is listed as a type folder. Ideally, I'd like to be able to use the feature whereby the backup files can be browsed. I assume that's just a read operation.

    One puzzle though, when I look at the effective access for myaccount, I expected to only see list folder/read data, but also there's read permissions and change permissions. The checkmark is on top of a small icon with 2 people. All the others are X'd out with access limited by file permissions. As mentioned, this file's owner is Administrators. When setting (in advanced) permissions, these 2 are definitely not checked.

    I wish I could figure out how to set up the auditing to tell me why it rejects my copy. I wonder if it is actually complaining on the writing side of the copy? But the browsing is also denied, so then again....

    Thanks for the detailed answers.


  4. Posts : 5,478
    2004
       #4

    rocket777 said:
    I've had to deal with ransomware twice. The first time was before the encrypting versions where they just set the hidden bit on all my folders and turned off "show hidden files".

    The second time was when my friend was hit with the new encryption ransomware. It became my job to restore her system. Rebuilding that was hugely painful, even though her data files were backed up.
    Ransomware can encrypt any connected drive if running with administrator privileges. It will undo any authorities you have placed so honestly you may as well not bother.

    It is also fairly trivial to write a script to elevate to use administrator privileges without even prompting if your user is part of administrators group. “Fileless” UAC Bypass Using eventvwr.exe and Registry Hijacking | enigma0x3

    Best would be to run as standard user (not a local Admin) and make backups to a drive that is normally physically disconnected.

    rocket777 said:
    One puzzle though, when I look at the effective access for myaccount, I expected to only see list folder/read data, but also there's read permissions and change permissions
    You could have a look with icacls D:\Whatever - it should be more explicit.


  5. Posts : 57
    windows
    Thread Starter
       #5

    lx07 said:
    Ransomware can encrypt any connected drive if running with administrator privileges. It will undo any authorities you have placed so honestly you may as well not bother.

    It is also fairly trivial to write a script to elevate to use administrator privileges without even prompting if your user is part of administrators group. “Fileless” UAC Bypass Using eventvwr.exe and Registry Hijacking | enigma0x3

    Best would be to run as standard user (not a local Admin) and make backups to a drive that is normally physically disconnected.

    You could have a look with icacls D:\Whatever - it should be more explicit.
    Currently, when I log into the administrator account, I have no access to the folder as I've set it up. I guess the malware could always write directly to the drive, but why should it bother, when 99% of all other systems are wide open.

    I will consider turning off admin for my user account. I have done that on a laptop and it's not too restrictive.

    I also want to make the backups automatic. I have a script that wakes up another computer and copies modified files to that computer and then shuts it down. I guess I could set that up for my backup images.

    From both administrator and myaccount:

    L:\>icacls whatever
    whatever: Access is denied.
    Successfully processed 0 files; Failed processing 1 files

    If it can't access the files, it shouldn't be able to change the settings. But then Microsoft has blundered before.

    From the backup account I see:

    L:\>icacls whatever
    L:\whatever mycomputer\mybackup (OI)(CI)F
    mycomputer\myaccount (OI)(CI)(special access)
    SYNCHRONIZE
    FILE_READ_DATA

    I don't know what synchronize is. And I still don't understand why I can't read the files from myaccount.

    Thanks for the post.


  6. Posts : 93
    Windows 10
       #6

    rocket777 said:
    Pyprohly said:
    You should be able to traverse and read data with that permission. Double check that you’ve set the correct inheritance flags. Preferably, it should be set to “This folder, subfolders and files”.
    I have verified that this is indeed the case. When in myaccount, I view the directories (nested down a few levels) but I cannot copy the files all the way below the mybackup directory. The inheritance seems to work, i.e. there's only the same two access records that the parent has.
    I’m sorry. I rechecked my understanding and what you’ve observed would be the correct expectation. For access rights that display twofold—divided by a slash—such as “List folder / read data”, the left part would be the part relevant to folders with the alternative on the right ignored, and it’s vice versa for files. If you check “List folder / read data” on a folder and have the permission inherit, subfolders will effectively gain “List folder” and child files will get “read data”.

    Testing reveals that “List folder / read data” alone is not enough to read the data of a file. The “List folder / read data” and “Read extended attributes“ access rights are the minimum access rights needed to open the contents of a file.


    rocket777 said:
    L:\>icacls whatever
    L:\whatever mycomputer\mybackup (OI)(CI)F
    mycomputer\myaccount (OI)(CI)(special access)
    SYNCHRONIZE
    FILE_READ_DATA
    Don’t be misleading now; you’re not using Icacls here, but Cacls.

    The purpose of the “Synchronize” access right is not really relevant for end users, hence you don’t get the option to set it through the GUI. You can easily look up what it means, though I’m confident the definition will be abstruse for most.


    I suggest granting “Read” permissions to myaccount. This is what you’re aiming for.
    Code:
    L:\>icacls whatever
    whatever mycomputer\mybackup:(OI)(CI)(F)
             mycomputer\myaccount:(OI)(CI)(R)
    
    Successfully processed 1 files; Failed processing 0 files
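The two rules discussed in posts #2 and #6 (delete/rename depends on the parent folder as well as the item, and a lone "List folder / read data" ACE is less than what `(R)` grants), as an added example that is not code from any poster in this thread: a simplified Python model of an ordered DACL walk using the documented Windows access-mask values. The ACLs and the drive-root entries are constructed assumptions, and the model ignores owner-implied rights, privileges and inheritance flags.

```python
# Simplified NTFS DACL model (added example; all ACLs below are constructed).
FILE_READ_DATA       = 0x000001  # "List folder / read data"
FILE_READ_EA         = 0x000008  # "Read extended attributes"
FILE_DELETE_CHILD    = 0x000040  # "Delete subfolders and files" (set on the parent)
FILE_READ_ATTRIBUTES = 0x000080  # "Read attributes"
DELETE               = 0x010000  # "Delete" (set on the item itself)
READ_CONTROL         = 0x020000  # "Read permissions"
SYNCHRONIZE          = 0x100000
FILE_GENERIC_READ = (FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES
                     | READ_CONTROL | SYNCHRONIZE)   # what icacls shows as (R)
FILE_ALL_ACCESS = 0x1F01FF                           # what icacls shows as (F)

def granted(dacl, sids, wanted):
    """Walk ACEs in order: a deny on a still-needed bit fails, allows clear bits."""
    remaining = wanted
    for kind, sid, mask in dacl:
        if sid not in sids:
            continue
        if kind == "deny" and mask & remaining:
            return False
        if kind == "allow":
            remaining &= ~mask
    return remaining == 0

def can_delete(parent_dacl, item_dacl, sids):
    """Delete (and so rename/move) needs DELETE on the item OR
    FILE_DELETE_CHILD on the parent folder."""
    return (granted(item_dacl, sids, DELETE)
            or granted(parent_dacl, sids, FILE_DELETE_CHILD))

ACCT, BACKUP = "mycomputer\\myaccount", "mycomputer\\mybackup"
ME = {ACCT}
# Assumed drive-root ACLs: one that gives myaccount full control, one read-only.
root_open   = [("allow", ACCT, FILE_ALL_ACCESS)]
root_locked = [("allow", ACCT, FILE_GENERIC_READ)]
# Folder ACL as posted in #5 (read data + synchronize) and as suggested in #6 (R).
folder   = [("allow", BACKUP, FILE_ALL_ACCESS),
            ("allow", ACCT, FILE_READ_DATA | SYNCHRONIZE)]
folder_r = [("allow", BACKUP, FILE_ALL_ACCESS), ("allow", ACCT, FILE_GENERIC_READ)]

if __name__ == "__main__":
    print("rename/delete, open root:  ", can_delete(root_open, folder, ME))
    print("rename/delete, locked root:", can_delete(root_locked, folder, ME))
    print("generic read, posted ACE:  ", granted(folder, ME, FILE_GENERIC_READ))
    print("generic read, (R) ACE:     ", granted(folder_r, ME, FILE_GENERIC_READ))
```

In this model a deny on "Delete" placed on the folder itself changes nothing while the parent still allows "Delete subfolders and files", which is why the parent's ACL has to be part of the fix.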


  7. Posts : 1,621
    Windows 10 Home
       #7

    Are these backups being made onto a sub-directory of a hard-drive that remains active in the computer from work day beginning until work day ending? Besides the OS HD, are there other internal or external hard-drives that work all day long?


  8. Posts : 57
    windows
    Thread Starter
       #8

    Pyprohly said:
    Don’t be misleading now; you’re not using Icacls here, but Cacls.

    I suggest granting “Read” permissions to myaccount. This is what you’re aiming for.
    Code:
    L:\>icacls whatever
    whatever mycomputer\mybackup:(OI)(CI)(F)
             mycomputer\myaccount:(OI)(CI)(R)
    
    Successfully processed 1 files; Failed processing 0 files
    Oops, when I sanitized the output, (couldn't directly copy/paste between accounts) I edited the results to hide the true file and account names and had forgotten to copy the actual command. You are right, when I added read (from the basic) settings, it actually added 3 read permissions that you can see by selecting to show the advanced settings.

    And sure enough, once I had it as you suggest, I can now read and browse the files.

    I think the read problem was that it thinks the image file is a folder. The program does this, I guess, in order to support the browsing, sort of like when you d-click on a zip file.

    Thanks for the help.


  9. Posts : 57
    windows
    Thread Starter
       #9

    RolandJS said:
    Are these backups being made onto a sub-directory of a hard-drive that remains active in the computer from work day beginning until work day ending? Besides the OS HD, are there other internal or external hard-drives that work all day long?
    Yes, the system has just 2 SSDs, one for OS, one for backup. It's on a home LAN with several older computers (that have the large rotating disks and triple monitors). It's not at a workplace and I have complete control over whatever I want to do.

    Years ago I was hit with a simpler version of the ransomware that only hid my files. After I found the backups, an image restore worked. But I then realized that if they could damage the backup files, I'd have lost quite a bit. I also periodically copy the backup files to another system on my LAN to a system that isn't up all the time and has a huge drive for backups of all my systems. But that's done manually and I get forgetful sometimes.


  10. Posts : 1,621
    Windows 10 Home
       #10

    That's great that you have existing backups "offline" as well! :)


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
