Permissions and how to use them

Page 1 of 3 123 LastLast

  1. Posts : 4
    Win10/11
       #1

    Permissions and how to use them


    Hello everyone, my first post! Currently running Win10.

    I'm playing with permissions and EFS encryption in an attempt to make some files and folders more secure. By this I mean: if my PC is stolen, then the encrypted files are safe from the person who now has my PC and their attempts to gain access.

    I set up a test folder with the intention of restricting who has various permissions regarding the folder. My first test was to deny all permissions for Administrators via Properties > Security > select Administrators > Edit > ticked deny for full control.

    However, when i double clicked the folder I received an error message You don't currently have permission to access this folder. I thought this was strange since my user account name in the permissions list has all ticks under the "allow" columns, as does Authenticated Users. Note, however, my login account is an administrator account. I would have thought that while all administrators are denied access, my user account would still have access. Obviously this appears to not be the case.

    To bar administrators, is my only option to set up a standard account then change the permissions regarding administrators? Any advice from the permissions gurus?

    Thanks.
      My Computer


  2. Posts : 4,185
    Windows 11 Pro, 22H2
       #2

    There is a difference between not granting an account access vs specifically denying access. Let's use an example.

    Say you have a user account JohnDoe and JohnDoe is a member of Administrators.

    You give JohnDoe "Full control" to a folder and all contents. JohnDoe now has full control access. Now, you add a deny to Administrators (as you did). Denys are always processed first. So, since JohnDoe is a member of Administrators, JohnDoe will be denied access even though he was given full control. Again, this is because denials are processed first.

    A better strategy would be to deny specific users access, or create a group that contains all the users you want to deny and then deny access to that group. Or, you could simply not make the user(s) in question Administrators.

    Hope that this helps!
      My Computers


  3. Posts : 4,185
    Windows 11 Pro, 22H2
       #3

    There is a difference between not granting an account access vs specifically denying access. Let's use an example.

    Say you have a user account JohnDoe and JohnDoe is a member of Administrators.

    You give JohnDoe "Full control" to a folder and all contents. JohnDoe now has full control access. Now, you add a deny to Administrators (as you did). Denys are always processed first. So, since JohnDoe is a member of Administrators, JohnDoe will be denied access even though he was given full control. Again, this is because denials are processed first.

    If you had simply not given permission to the entire Administrators group, and also had not set a denial, then JohnDoe woe have access because you granted him access and no denials are blocking him. But, other Administrators would not have access.

    A better strategy would be to deny specific users access, or create a group that contains all the users you want to deny and then deny access to that group. Or, you could simply not make the user(s) in question Administrators.

    One more note: Be aware that Administrators can forcibly take ownership!

    Hope that this helps!
      My Computers


  4. Posts : 295
    Windows 10 Pro
       #4

    I would refrain from messing around with permissions unless you fully understand what you're getting into. And by that I mean lots of reading and having the knowledge necessary to reverse something you may need in the future...

    EFS is fine though. Just know it can be cracked by someone who knows what they're doing. Research Hashcat or John The Ripper and the likes. There is professional (but very expensive) software too.

    Wikipedia said:
    Once a user is logged on successfully, access to his own EFS encrypted data requires no additional authentication, decryption happens transparently. Thus, any compromise of the user's password automatically leads to access to that data. Windows can store versions of user account passphrases with reversible encryption, though this is no longer default behaviour; it can also be configured to store (and will by default on the original version of Windows XP and lower) Lan Manager hashes of the local user account passphrases, which can be attacked and broken easily. It also stores local user account passphrases as NTLM hashes, which can be fairly easily attacked using "rainbow tables" if the passwords are weak (Windows Vista and later versions don't allow weak passwords by default). To mitigate the threat of trivial brute-force attacks on local passphrases, older versions of Windows need to be configured (using the Security Settings portion of Group Policy) to never store LM hashes, and of course, to not enable Autologon (which stores plaintext passphrases in the registry). Further, using local user account passphrases over 14 characters long prevents Windows from storing an LM hash in the SAM – and has the added benefit of making brute-force attacks against the NTLM hash harder.
    Encrypting File System - Wikipedia
    Last edited by User2468; 11 Apr 2023 at 06:41.
      My Computer


  5. Posts : 8,092
    windows 10
       #5

    You have to set allow before you set deny and remember admins are members of everyone
      My Computer


  6. Posts : 16,892
    Windows 10 Home x64 Version 22H2 Build 19045.4170
       #6

    If the file is that sensitive, put it on a USB stick which you keep on your main keyring.
    And put its backup on a USB stick that's stuck to the wall behind your boiler.

    Denis
      My Computer


  7. Posts : 9,777
    Mac OS Catalina
       #7

    If your computer is stolen, the last thing the thief will be worrying about is what data is on it.
      My Computer


  8. Posts : 4,185
    Windows 11 Pro, 22H2
       #8

    You could also consider BitLocker rather than EFS.
      My Computers


  9. Posts : 9,777
    Mac OS Catalina
       #9

    hsehestedt said:
    You could also consider BitLocker rather than EFS.
    You do realize that with the right tools even bitlocker is not safe. Brute-Forcing Full Drive Encryption - Packt - SecPro
    GitHub - dev0p0/BitLockerCrack: A highly simplistic attempt to brute-force lost bitlocker password!
    dislocker | Kali Linux Tools
      My Computer


  10. Posts : 42,870
    Win 10 Pro (22H2) (2nd PC is 22H2)
       #10

    Permissions mean nothing if the drive is accessed using e.g. a live boot disk.

    They are only pertinent from a live O/S where the accounts matter.

    Secure encryption is your only option to stop people accessing your files.
      My Computers


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 16:49.
Find Us




Windows 10 Forums