Hide and secure certain folders/partitions in Windows 10

1

I have a simple goal, create a local account and limit its rights:

  1. Hide and secure certain folders/partitions.
  2. Limit access to certain apps.

This is what I've done so far:

  1. Created a new user - let's call it User A
  2. Created a new user group - Limited Users

Now, in order to secure a partition, I tried to edit it's security settings and set Full Control to Deny for the Limited Users group. This works fine, yet I still have the partition displayed in User A's This PC and User A can still format the drive.

I've seen a few options that limit the access such as using the gpedit but that seems to limit it to all accounts which I do not want.

My question is, how do I hide and also secure folders and partitions?

user1640736

Posted 2017-10-26T21:22:49.483

Reputation: 123

"This works fine, yet I still have the partition displayed in User A's This PC and User A can still format the drive." - A group policy handles which drives will be displayed in File Explorer. You can set the policy in question to only affect certain users groups. – Ramhound – 2017-10-26T21:27:48.330

@Ramhound I just saw a question which explains how to open that for a certain user instead globally, this should do it even tho it's a pain in the ***. – user1640736 – 2017-10-26T21:48:16.027

Answers

1

I can answer the part of your question dealing with securing your filesystem.

If you wish to limit or completely disallow a user's access to a volume other than the system volume, you need to:

  1. Ensure the user is not a member of the local Administrators group
  2. Remove the default permissions assigned at the root of the volume to the Everyone and Authenticated Users group

The volume will still be visible in My Computer, but the user will get an Access denied message if they attempt to open it and certainly won't have sufficient permissions to format it unless the disk is considered removable media.

For the other users that do need access to the volume, you'll want to create an appropriate group such as Data Volume Users, make them members of it, and assign it at least NTFS Read permissions to the root of the volume. Otherwise only Administrators will have access to the volume and they'll continually be hounded by UAC prompts.

For the system volume, you have to allow the user at least Read permissions. By default, non-admin users can Read the root and create folders in it, and will have full control of any folders they create. The simplest way to deal with this without breaking Windows is to deny your limited user the NTFS Create Folder / Append Data right on the root directory and specify that the permission applies to This folder only. That will defeat their ability to create anything at all in the root without prohibiting them from doing so in other folders they need access to, such as their user profile.

I say Reinstate Monica

Posted 2017-10-26T21:22:49.483

Reputation: 21 477

Asked: 2017-10-26T21:22:49.483

Viewed: 107 times

Active: 2017-10-27T21:06:48.437