1.    05 Mar 2017 #1
    Join Date : Dec 2015
    Posts : 25
    windows

    trying to secure a backup folder, can't read w/o allowing rename


    I am using an image backup program (easeus' todo) and I've got a folder on my L: drive at the top level (i.e. L:\securebackup). I want this folder to only be accessible for write/changes by a particular account (mybackups). I normally run in another user account (myaccount) though this has admin privs.

    I want to be able to read the folder and read the contents from myaccount (and mybackups, but nobody else, including administrator(s)). I have other folders on this L: device that I use normally, i.e. I don't want to make the L: device completely protected, just the one top level folder in that device.

    Here's what I've done, (I have win 10 professional)

    From the mybackups account:


    1. create a folder securebackup, then select it, do properties
    2. security tab
    3. advanced
    4. disable inheritance
    5. (option 2) remove all inherited permissions (no access records remain)
    6. add mybackups and give it full permissions
    7. add myaccount, give it only list folder/read data (from advanced permissions)


    From myaccount this still lets me move the folder to another folder, rename it, or delete (move to trash). I have not tried to see if I can overwrite files in this directory, but I can't seem to read the files in it, although I can drill down the directories inside it.

    In addition, even though the todo backup program can write to the directory (other accounts cannot) somehow the owner of the files it creates have an owner of Administrators, instead of mybackups (which the creating program was running under). This could be an easeus/todo issue, but I'm not sure, and it doesn't seem to be what's causing me to still have access from myaccount.

    My goal is to be able to create protected image backups that cannot be modified by any account except mybackups. This should protect from ransomware programs that would try to encrypt the files. Even if I was attacked, and all other files would be lost, I should still have a complete image backup to restore from (the backups are created daily automatically).

    But if malware can move the folders and rename them, then I'm not feeling so secure.

    Anyone know why I'm still able to rename or move the protected directory?

    How might you approach this task?


    I
      My ComputerSystem Spec
  2.    06 Mar 2017 #2
    Join Date : Mar 2015
    Sydney, NSW
    Posts : 93
    Windows 10

    Quote Originally Posted by rocket777 View Post
    From myaccount this still lets me move the folder to another folder, rename it, or delete (move to trash).
    This is expected. As far as permissions are concerned, renaming and moving are synonymous to deleting, and you have not denied myaccount from deleting the folder, hence it may be moved or renamed. To prevent an item’s deletion the parent folder must not permit “Delete subfolders and files” (specifying any inheritance flags regardless of the type of the target item, strangely) and the item itself must then not have an allow on “Delete”.

    Quote Originally Posted by rocket777 View Post
    I have not tried to see if I can overwrite files in this directory, but I can't seem to read the files in it, although I can drill down the directories inside it.
    You should be able to traverse and read data with that permission. Double check that you’ve set the correct inheritance flags. Preferably, it should be set to “This folder, subfolders and files”.

    Quote Originally Posted by rocket777 View Post
    In addition, even though the todo backup program can write to the directory (other accounts cannot) somehow the owner of the files it creates have an owner of Administrators, instead of mybackups (which the creating program was running under). This could be an easeus/todo issue, but I'm not sure, and it doesn't seem to be what's causing me to still have access from myaccount.
    Nothing exciting here either. You mention that you’re running the backup software as administrator. Guess what the default owner for items created by administrative applications is.

    Quote Originally Posted by rocket777 View Post
    My goal is to be able to create protected image backups that cannot be modified by any account except mybackups. This should protect from ransomware programs that would try to encrypt the files. Even if I was attacked, and all other files would be lost, I should still have a complete image backup to restore from (the backups are created daily automatically).
    A very preceptive apprehension to security. Sounds like you have a very prestigious set up happening. My data isn’t even that valuable to merit such worries...
      My ComputerSystem Spec
  3.    06 Mar 2017 #3
    Join Date : Dec 2015
    Posts : 25
    windows
    Thread Starter

    Quote Originally Posted by Pyprohly View Post
    Sounds like you have a very prestigious set up happening. My data isn’t even that valuable to merit such worries...
    I've had to deal with ransomware twice. The first time was before the encrypting versions where they just set the hidden bit on all my folders and turned off "show hidden files".

    The second time was when my friend was hit with the new encryption ransomware. It became my job to restore her system. Rebuilding that was hugely painful, even though her data files were backed up.

    I guess I need to provide a protection at the drive level. I would still like to only protect the backup folder to this extent, but I don't see how to do that w/o protecting all the folders the same way. I guess some trial and error is needed.

    You should be able to traverse and read data with that permission. Double check that you’ve set the correct inheritance flags. Preferably, it should be set to “This folder, subfolders and files”.
    I have verified that this is indeed the case. When in myaccount, I view the directories (nested down a few levels) but I cannot copy the files all the way below the mybackup directory. The inheritance seems to work, i.e. there's only the same two access records that the parent has.

    File explorer says "you'll need to provide administrator permission to copy this folder". The image file is data, but it is listed as a type folder. Ideally, I'd like to be able to use the feature whereby the backup files can be browsed. I assume that's just a read operation.

    One puzzle though, when I look at the effective access for myaccount, I expected to only see list folder/read data, but also there's read permissions and change permissions. The checkmark is on top of a small icon with 2 people. All the others are X'd out with access limited by file permissions. As mentioned, this file's owner is Administrators. When setting (in advanced) permissions, these 2 are definitely not checked.

    I wish I could figure out how to set up the auditing to tell me why it rejects my copy. I wonder if it is actually complaining on the writing side of the copy? But the browsing is also denied, so then again....

    Thanks for the detailed answers.
      My ComputerSystem Spec
  4.    06 Mar 2017 #4
    Join Date : Jul 2015
    Posts : 3,755
    10 Pro

    Quote Originally Posted by rocket777 View Post
    I've had to deal with ransomware twice. The first time was before the encrypting versions where they just set the hidden bit on all my folders and turned off "show hidden files".

    The second time was when my friend was hit with the new encryption ransomware. It became my job to restore her system. Rebuilding that was hugely painful, even though her data files were backed up.
    Ransomware can encrypt any connected drive if running with administrator privileges. It will undo any authorities you have placed so honestly you may as well not bother.

    It is also fairly trivial to write a script to elevate to use administrator privileges without even prompting if your user is part of administrators group. “Fileless” UAC Bypass Using eventvwr.exe and Registry Hijacking | enigma0x3

    Best would be to run as standard user (not a local Admin) and make backups to a drive that is normally physically disconnected.

    Quote Originally Posted by rocket777 View Post
    One puzzle though, when I look at the effective access for myaccount, I expected to only see list folder/read data, but also there's read permissions and change permissions
    You could have a look with icacls D:\Whatever - it should be more explicit.
      My ComputerSystem Spec
  5.    06 Mar 2017 #5
    Join Date : Dec 2015
    Posts : 25
    windows
    Thread Starter

    Quote Originally Posted by lx07 View Post
    Ransomware can encrypt any connected drive if running with administrator privileges. It will undo any authorities you have placed so honestly you may as well not bother.

    It is also fairly trivial to write a script to elevate to use administrator privileges without even prompting if your user is part of administrators group. “Fileless” UAC Bypass Using eventvwr.exe and Registry Hijacking | enigma0x3

    Best would be to run as standard user (not a local Admin) and make backups to a drive that is normally physically disconnected.

    You could have a look with icacls D:\Whatever - it should be more explicit.
    Currently, when I log into the administrator account, I have no access to the folder as I've set it up. I guess the malware could always write directly to the drive, but why should it bother, when 99% of all other systems are wide open.

    I will consider turning off admin for my user account. I have done that on a laptop and it's not too restrictive.

    I also want to make the backups automatic. I have a script that wakes up another computer and copies modified files to that computer and then shuts it down. I guess I could set that up for my backup images.

    From both administrator and myaccount:

    L:\>icacls whatever
    whatever: Access is denied.
    Successfully processed 0 files; Failed processing 1 files

    If it can't access the files, it shouldn't be able to change the settings. But then Microsoft has blundered before.

    From the backup account I see:

    L:\>icacls whatever
    L:\whatever mycomputer\mybackup (OI)(CI)F
    mycomputer\myaccount (OI)(CI)(special access)
    SYNCHRONIZE
    FILE_READ_DATA

    I don't know what synchronize is. And I still don't understand why I can't read the files from myaccount.

    Thanks for the post.
      My ComputerSystem Spec
  6.    07 Mar 2017 #6
    Join Date : Mar 2015
    Sydney, NSW
    Posts : 93
    Windows 10

    Quote Originally Posted by rocket777 View Post
    Quote Originally Posted by Pyprohly View Post
    You should be able to traverse and read data with that permission. Double check that you’ve set the correct inheritance flags. Preferably, it should be set to “This folder, subfolders and files”.
    I have verified that this is indeed the case. When in myaccount, I view the directories (nested down a few levels) but I cannot copy the files all the way below the mybackup directory. The inheritance seems to work, i.e. there's only the same two access records that the parent has.
    I’m sorry. I rechecked my understanding and what you’ve observed would be the correct expectation. For access rights that display twofold—divided by a slash—such as “List folder / read data”, the left part would be the part relevant to folders with the alternative on the right ignored, and it’s vice versa for files. If you check “List folder / read data” on a folder and have the permission inherit, subfolders will effectively gain “List folder” and child files will get “read data”.

    Testing reveals that “List folder / read data” alone is not enough to read the data of a file. The “List folder / read data” and “Read extended attributes“ access rights are the minimum access rights needed to open the contents of a file.


    Quote Originally Posted by rocket777 View Post
    L:\>icacls whatever
    L:\whatever mycomputer\mybackup (OI)(CI)F
    mycomputer\myaccount (OI)(CI)(special access)
    SYNCHRONIZE
    FILE_READ_DATA
    Don’t be misleading now; you’re not using Icacls here, but Cacls.

    The purpose of the “Synchronize” access right is not really relevant for end users, hence you don’t get the option to set it through the GUI. You can easily lookup what it means, though I’m confident the definition will be abstruse for most.


    I suggest granting “Read” permissions to myaccount. This is what you’re aiming for.
    Code:
    L:\>icacls whatever
    whatever mycomputer\mybackup:(OI)(CI)(F)
             mycomputer\myaccount:(OI)(CI)(R)
    
    Successfully processed 1 files; Failed processing 0 files
      My ComputerSystem Spec
  7.    07 Mar 2017 #7
    Join Date : Jan 2015
    Posts : 673

    Are these backups being made onto a sub-directory of a hard-drive that remains active in the computer from work day beginning until work day ending? Besides the OS HD, are there other internal or external hard-drives that work all day long?
      My ComputerSystem Spec
  8.    07 Mar 2017 #8
    Join Date : Dec 2015
    Posts : 25
    windows
    Thread Starter

    Quote Originally Posted by Pyprohly View Post
    Don’t be misleading now; you’re not using Icacls here, but Cacls.

    I suggest granting “Read” permissions to myaccount. This is what you’re aiming for.
    Code:
    L:\>icacls whatever
    whatever mycomputer\mybackup:(OI)(CI)(F)
             mycomputer\myaccount:(OI)(CI)(R)
    
    Successfully processed 1 files; Failed processing 0 files
    Oops, when I sanitized the output, (couldn't directly copy/paste between accounts) I edited the results to hide the true file and account names and had forgot to copy the actual command. You are right, when I added read (from the basic) settings, it actually added 3 read permissions that you can see by selecting to show the advanced settings.

    And sure enough, once I had it as you suggest, I can now read and browse the files.

    I think the read problem was that it thinks the image file is a folder. The program does this, I guess, in order to support the browsing, sort of like when you d-click on a zip file.

    Thanks for the help.
      My ComputerSystem Spec
  9.    07 Mar 2017 #9
    Join Date : Dec 2015
    Posts : 25
    windows
    Thread Starter

    Quote Originally Posted by RolandJS View Post
    Are these backups being made onto a sub-directory of a hard-drive that remains active in the computer from work day beginning until work day ending? Besides the OS HD, are there other internal or external hard-drives that work all day long?
    Yes, the system has just 2 ssd's one for OS one for backup. It's on a home lan with several older computers (that have the large rotating disks and triple monitors). It's not at a workplace and I have complete control over whatever I want to do.

    Years ago I was hit with a simpler version of the ransomware that only hid my files. AFter I found the backups, an image restore worked. But I then realized that if they could damage the backup files, I'd have lost quite a bit. I also periodically copy the backup files to another system on my lan to a system that isn't up all the time and has a huge drive for backups of all my systems. But that's done manually and I get forgetful sometimes.
      My ComputerSystem Spec
  10.    07 Mar 2017 #10
    Join Date : Jan 2015
    Posts : 673

    That's great that you have existing backups "offline" as well!
      My ComputerSystem Spec

 


Similar Threads
Thread Forum
Rename user folder?
Hello. I guess since i installed windows 10 using my microsoft account, my user folder got named after my microsoft mail, or some part of it anyway. So am wondering if it's possible to rename the user folder somehow?
User Accounts and Family Safety
Is it okay to rename macrium backup files
I have renamed a macrium from its long chain of letters and numbers to simply D backup 010417. I read in another posting here that macrium sometimes will not restore a backup file that has been renamed. I'm trying to determine if this is in fact...
Backup and Restore
Can't create folder or rename folder. Just upgraded to windows 10
can some one help me?
General Support
Rename user folder?
Hello, it's not much of an issue just a personal preference, however how would I go about to changing my user folder name? Thanks.
User Accounts and Family Safety
Solved Cannot Rename Folder in Edge Favorites
As the title says. I can right-click on a folder in Edge favorites and click rename. Once the new name is typed in there seems to be no way to save it. No matter what I do it reverts to the previous name. Is it like this for everyone else? Jim
Browsers and Email
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 06:27.
Find Us
Twitter Facebook Google+ Ten Forums iOS App Ten Forums Android App



Windows 10 Forums