
TL;DR: how to use NTFS permissions to prevent all users on other PCs from accessing a particular folder on an NTFS USB key?

BACKGROUND

I have an NTFS formatted USB key. The top level contains a single folder named "MAIN". There's an arbitrary hierarchy of many more files and folders in and below MAIN.

All these files and folders are created by a single non-admin user "FRED", on a single PC "MYPC". So MAIN, and everything in and below it, is owned by non-admin user FRED on MYPC.

There's nothing special about FRED, or MYPC. MYPC is a default Windows 7 Starter Edition netbook. FRED is a normal non-admin user on that netbook.

REQUIREMENT

I want to make the minimum number of ACL changes possible, to MAIN, and preferably only to MAIN, to achieve two things:

(1) Prevent all users on other PCs from accessing MAIN at all. By "access" I mean, even just view the content thereof. So on MYPC, FRED and admins can access MAIN as normal, but on other PCs, no-one at all can access MAIN at all.

(2) Say FRED, on MYPC, copies something from within MAIN, to (say) MYPC's desktop, and then to a different USB key or PC. I'd like the copied thing to not be restricted as described above. That is, users on other PCs can access the copied thing, or not, in the same way which would have occurred if (1) had never been done in the first place.

None of these folders and files are encrypted - nor do I want them to be. So I do understand that someone could just mount the key on a non-Windows system and read off all the raw data. That's not part of my threat model.

TIA for any suggestions!

Puzzled

2 Answers


Simply put: you cannot do that. NTFS permissions are set per user. They also are dependent on the scope: any user who is local admin can take ownership of local resources and change permissions as he wants.

Your only option is to rely on encryption. I suggest you have a look at BitLocker To Go: it is very easy to set up and very convenient to use: you can configure your machine to auto-mount the device (storing the key with your lock trusted store) and set it up with a strong password (which you will store in your password manager).

Stephane
  • Are you saying that _any_ local admin on _any_ PC can take ownership of _any_ object regardless of that object's owner? - even if that object's owner SID _does not exist_ on that admin's PC? – Puzzled Oct 05 '15 at 08:03
  • Yes. Basically, if the system owns the resource (in this specific case: if the device is mounted locally, not through a file server or any other network redirector), the system can change the object DACL and therefore override whatever you configure. – Stephane Oct 05 '15 at 08:25

TL;DR: Lots of ways around ACLs, must use encryption, EFS may be better than BL here.

As @Stephane says, this is impossible.

Any Admin, or any other user with NT's SeTakeOwnershipPrivilege, can overwrite an object's ownership, and the owner can always overwrite the ACLs. Additionally, any Admin, member of the Backup Operators built-in group, or other user with SeBackupPrivilege can simply ignore the ACL for read operations (a corresponding privilege SeRestorePrivilege, also available to the same groups, allows ignoring ACLs for write, including writing owner and ACL).

Additionally, the file system ACLs aren't actually enforced by the file system in any way. They are enforced by the file system driver, but that can be bypassed, or the driver might ignore the ACLs. For example, the ntfs-3g driver used on Unix-like systems ignores ACLs; if somebody plugged your flash drive into a Linux box ey would get full access. Similarly, the bits on the storage themselves are going to be sitting there in plain text; anybody with privileges for raw read access of the drive could pull off any file ey want, or change the ACLs themselves if ey has write access to the raw device.

As an alternative to BitLocker [To Go], I'd suggest using Encrypting File System. More Windows versions support it than support BitLocker (specifically, the Pro/Business editions of Windows 2000, XP, Vista, and Win7 support EFS but not the creation of BL volumes), although Starter doesn't support either. You wouldn't need to enter any passwords or anything; the data is transparently decrypted/encrypted if you're the correct user, and is meaningless if you aren't. The rest of the drive would still be usable. If somebody stole the drive, they might be able to guess or brute-force the BL password but would never be able to get the EFS key (it's randomly generated and stored in your computer, and while the key is protected with your password the password itself is useless without the encrypted key as well). The main downside of using EFS instead of BL is that an attacker could delete or overwrite the directory contents (without knowing what the original contents were), but an attacker could also just format the drive to remove BitLocker.

To enable encryption on the folder is really quite easy, though. Open the drive in Explorer (on a Windows version that supports EFS), right-click the folder and select Properties, click Advanced, click Encrypt contents to secure data, and then click OK. Apply the change to all contents of the directory, and you're set!

CBHacking
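The checks both answers describe (who owns MAIN, which token privileges let a local account ignore or rewrite its DACL) and the scripted form of the EFS step from the second answer, as an added PowerShell example that is not part of either answer. It assumes the key is mounted at E: and the folder is E:\MAIN; adjust $Folder to match.

```powershell
# Added example, not from the original answers. Assumed layout: key at E:, folder E:\MAIN.
$Folder = 'E:\MAIN'

# 1. Show the owner and DACL of MAIN. On a PC other than MYPC the owner SID
#    usually will not resolve, so it appears as a raw S-1-5-21-... string.
$acl = Get-Acl -Path $Folder
"Owner: $($acl.Owner)"
$acl.Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# 2. List the privileges on the current token that bypass that DACL once the
#    drive is mounted locally: SeTakeOwnershipPrivilege (re-own and rewrite the
#    ACL), SeBackupPrivilege (read regardless of ACL), SeRestorePrivilege (write
#    regardless of ACL). Run this as an admin on the other PC to see why the
#    DACL alone cannot keep that PC's admins out.
$bypass = 'SeTakeOwnershipPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege'
whoami /priv /fo csv | ConvertFrom-Csv |
    Where-Object { $bypass -contains $_.'Privilege Name' } |
    Format-Table 'Privilege Name', State -AutoSize

# 3. Encrypt MAIN and everything under it with EFS. This is the command-line
#    equivalent of Properties > Advanced > "Encrypt contents to secure data";
#    /s: recurses into subdirectories, /a applies to files as well as directories.
#    Needs an edition that supports EFS (Pro/Business); Starter does not.
cipher.exe /e "/s:$Folder" /a

# 4. Verify: in the listing, 'E' marks encrypted entries and 'U' unencrypted ones.
cipher.exe "/s:$Folder"
```

Step 2 reports only the privileges of the account running the script; a privilege shown as Disabled is still held and can be enabled by that account.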