To Password Protect a network folder or not
-
@tiagom said in To Password Protect a network folder or not:
For some reason users love to try and put passwords on everything.. If only they could remember them...
Yes, this is a big issue.
-
@DustinB3403 said in To Password Protect a network folder or not:
My recommendation is to make a share out of the folder (or sub-folder), and control it with standard security permissions.
Is there any better solution you guys have seen?
As it is, shares have NTFS (at least if using Windows) and SMB security. That's two whole levels, one that always applies and then extra lock down when shared. You can encrypt below that level if you need encryption, this integrates the encryption into the existing security.
Having a second password for a file or folder will not actually increase security, just make people start looking to work around the system by making file copies or whatever. It doesn't increase security technically in any real way, but it does increase overhead which is the same as social engineering your staff to be less secure (like forcing pointless password requirements that causes them to write passwords down.)
-
@tiagom said in To Password Protect a network folder or not:
I had this come up previously. I secured it with standard folder permissions. The user logging into their computer is the "password protection".
Yup, this is important. Refer to it as the "second, useless password." Anytime it comes up, state that it is already password protected and if it needs to be encrypted, that's fine, but encryption is always a protection against physical theft, never against the users who will be turning it off every time they access the file.
-
@scottalanmiller said in To Password Protect a network folder or not:
@DustinB3403 said in To Password Protect a network folder or not:
I know windows supports encrypting files, but this seems extremely painful, especially for a network based folder.
And it defeats the purpose of your NTFS security. What does the extra password accomplish?
That was my mindset as well, why should we encrypt it when we could use simple share and security policies to control access to the content.
-
@DustinB3403 said in To Password Protect a network folder or not:
@scottalanmiller said in To Password Protect a network folder or not:
@DustinB3403 said in To Password Protect a network folder or not:
I know windows supports encrypting files, but this seems extremely painful, especially for a network based folder.
And it defeats the purpose of your NTFS security. What does the extra password accomplish?
That was my mindset as well, why should we encrypt it when we could use simple share and security policies to control access to the content.
Having the person requesting this state the benefit might be important. Ask them "Given that the resource is already controlled by a password and restricted to the user level for access and further limited on the network and that passwords should never be shared, ever, what is the GOAL, what is the "intended benefit" that someone perceives from this action?"
-
I actually asked where did you get this idea to password protect a folder. The times that i encounter this its always from non-technical end users who are used to password protecting office documents.
-
@scottalanmiller said in To Password Protect a network folder or not:
Having a second password for a file or folder will not actually increase security,
I agree on folders. Not sure on files. Using NTFS only, is it possible to set permissions to allow access to only a specific user and no-one else? Ie can you restrict the domain admin or the file server's local admin account from access? And if you could, could you still back the file up? I wouldn't want a file on my file server that I, as domain admin, was restricted to. I'm not sure it would work?
Some users will password protect Office files from within Office and I don't have a particular problem with that. I can still access the file to back it up, restore it and change NTFS permissions, but I can't open the file in Office. That suits me. I wouldn't encourage it, as if the user leaves or forgets the password, I can't help. It adds more risk to the company than it solves.
-
@Carnival-Boy said in To Password Protect a network folder or not:
@scottalanmiller said in To Password Protect a network folder or not:
Having a second password for a file or folder will not actually increase security,
I agree on folders. Not sure on files. Using NTFS only, is it possible to set permissions to allow access to only a specific user and no-one else? Ie can you restrict the domain admin or the file server's local admin account from access? And if you could, could you still back the file up? I wouldn't want a file on my file server that I, as domain admin, was restricted to. I'm not sure it would work?
Some users will password protect Office files from within Office and I don't have a particular problem with that. I can still access the file to back it up, restore it and change NTFS permissions, but I can't open the file in Office. That suits me. I wouldn't encourage it, as if the user leaves or forgets the password, I can't help. It adds more risk to the company than it solves.
You can easily have a set of files your domain admin or file server admins don't have access to but your backup service account does, assuming you are doing file level backups,
-
@Carnival-Boy said in To Password Protect a network folder or not:
I agree on folders. Not sure on files. Using NTFS only, is it possible to set permissions to allow access to only a specific user and no-one else?
Yes, of course. You can set any permission granularity on any file. Per user, per group, read, write, modify. NTFS ACLs always provide this.
-
@Carnival-Boy said in To Password Protect a network folder or not:
Ie can you restrict the domain admin or the file server's local admin account from access?
No, that you cannot do. The domain admin always has access. It is true that encrypting a file could keep the admin from accessing a file, but that also means a fundamental failing of the overall system. The admin can always access that file in another way if that file gets accessed, and you have to trust your admins or you are already compromised. So while that's technically a reason, I don't see it as a valid one. Your admin can just grab a copy of that file if they want when it is accessed defeating the purpose. Plus the shared password system is totally non-secure. So not really useful in securing anything either, if it comes to actually trying to secure it.
-
@Carnival-Boy said in To Password Protect a network folder or not:
And if you could, could you still back the file up? I wouldn't want a file on my file server that I, as domain admin, was restricted to.
Yes, that works fine, because in no way are you (as the admin) restricted from accessing the file. You can copy it, back it up, move it, etc. just like any other file. Remember that "encrypted" isn't something special here, think of it like a Word Doc being accessed by a computer that does not have Word installed. An encrypted file is just a file for which you do not have the application that opens it, nothing more. A computer copying or backing up any file will not know what is in that file, it just copies the whole thing.
-
@Carnival-Boy said in To Password Protect a network folder or not:
Some users will password protect Office files from within Office and I don't have a particular problem with that. I can still access the file to back it up, restore it and change NTFS permissions, but I can't open the file in Office. That suits me. I wouldn't encourage it, as if the user leaves or forgets the password, I can't help. It adds more risk to the company than it solves.
That is exactly what they are looking to do here. Maybe not Office files, but exact same concept.
-
@coliver said in To Password Protect a network folder or not:
You can easily have a set of files your domain admin or file server admins don't have access to but your backup service account does, assuming you are doing file level backups,
Actually you can't. You can have a second admin who only has access to them, but some human admin, at the end of the day, always has access.
-
@scottalanmiller said in To Password Protect a network folder or not:
@coliver said in To Password Protect a network folder or not:
You can easily have a set of files your domain admin or file server admins don't have access to but your backup service account does, assuming you are doing file level backups,
Actually you can't. You can have a second admin who only has access to them, but some human admin, at the end of the day, always has access.
You can gain access, true.
-
tl;dr there is no reason to do this
-
@scottalanmiller said in To Password Protect a network folder or not:
@Carnival-Boy said in To Password Protect a network folder or not:
Ie can you restrict the domain admin or the file server's local admin account from access?
No, that you cannot do. The domain admin always has access.
That's what I meant by "is it possible to set permissions to allow access to only a specific user and no-one else?". It isn't possible. So if the company wants to protect the contents of a file from the Domain Admin then NTFS can't do this and they will need an alternative.
I disagree with you when you say that a shared password system is total non-secure. Why does it have to be?
To use the example of MS Office's password protection, that is far more secure than NTFS is (or was), I believe? Since NTFS is easy (or always was, I'm not sure if it is improved) to break if you gain physical access to the file server where anyone can gain local admin rights (for example). Correct me if I'm wrong!
-
@Carnival-Boy said in To Password Protect a network folder or not:
I disagree with you when you say that a shared password system is total non-secure. Why does it have to be?
Because you can't tell who has access, when access has changed, no one is accountable for it. All key things to security.
-
@Carnival-Boy said in To Password Protect a network folder or not:
To use the example of MS Office's password protection, that is far more secure than NTFS is (or was), I believe? Since NTFS is easy (or always was, I'm not sure if it is improved) to break if you gain physical access to the file server where anyone can gain local admin rights (for example). Correct me if I'm wrong!
That particular case is awful. I've seen other apps open "encrypted" MS Office files accidentally. It used to be, at least, that LibreOffice users wouldn't even get prompted for the password and would get access to the entire document without even knowing that it was meant to have been secured!
-
@Carnival-Boy said in To Password Protect a network folder or not:
To use the example of MS Office's password protection, that is far more secure than NTFS is (or was), I believe? Since NTFS is easy (or always was, I'm not sure if it is improved) to break if you gain physical access to the file server where anyone can gain local admin rights (for example). Correct me if I'm wrong!
Different goals.... encryption is to protect against a breach of physical access. NTFS/SMB protect against network access. Two totally different goals. Encryption is not very useful unless there is a physical breach because the encryption is disabled during use.
-
Or to put it another way....
NTFS security vanishes when physical access is breached.
Encryption security vanishes when normal systems are in operation.
Which is why I said that you could definitely encrypt the entire drive for physical security considerations, that can make sense (once in a great while) but encrypting individual files is generally quite silly.