To Password Protect a network folder or not
-
@scottalanmiller said in To Password Protect a network folder or not:
@coliver said in To Password Protect a network folder or not:
You can easily have a set of files your domain admin or file server admins don't have access to but your backup service account does, assuming you are doing file level backups,
Actually you can't. You can have a second admin who only has access to them, but some human admin, at the end of the day, always has access.
You can gain access, true.
-
tl;dr there is no reason to do this
-
@scottalanmiller said in To Password Protect a network folder or not:
@Carnival-Boy said in To Password Protect a network folder or not:
Ie can you restrict the domain admin or the file server's local admin account from access?
No, that you cannot do. The domain admin always has access.
That's what I meant by "is it possible to set permissions to allow access to only a specific user and no-one else?". It isn't possible. So if the company wants to protect the contents of a file from the Domain Admin then NTFS can't do this and they will need an alternative.
I disagree with you when you say that a shared password system is totally non-secure. Why does it have to be?
To use the example of MS Office's password protection, that is far more secure than NTFS is (or was), I believe? Since NTFS is easy (or always was, I'm not sure if it is improved) to break if you gain physical access to the file server where anyone can gain local admin rights (for example). Correct me if I'm wrong!
-
@Carnival-Boy said in To Password Protect a network folder or not:
I disagree with you when you say that a shared password system is totally non-secure. Why does it have to be?
Because you can't tell who has access, when access has changed, no one is accountable for it. All key things to security.
-
@Carnival-Boy said in To Password Protect a network folder or not:
To use the example of MS Office's password protection, that is far more secure than NTFS is (or was), I believe? Since NTFS is easy (or always was, I'm not sure if it is improved) to break if you gain physical access to the file server where anyone can gain local admin rights (for example). Correct me if I'm wrong!
That particular case is awful. I've seen other apps open "encrypted" MS Office files accidentally. It used to be, at least, that LibreOffice users wouldn't even get prompted for the password and would get access to the entire document without even knowing that it was meant to have been secured!
-
@Carnival-Boy said in To Password Protect a network folder or not:
To use the example of MS Office's password protection, that is far more secure than NTFS is (or was), I believe? Since NTFS is easy (or always was, I'm not sure if it is improved) to break if you gain physical access to the file server where anyone can gain local admin rights (for example). Correct me if I'm wrong!
Different goals.... encryption is to protect against a breach of physical access. NTFS/SMB protect against network access. Two totally different goals. Encryption is not very useful unless there is a physical breach because the encryption is disabled during use.
-
Or to put it another way....
NTFS security vanishes when physical access is breached.
Encryption security vanishes when normal systems are in operation.
Which is why I said that you could definitely encrypt the entire drive for physical security considerations, that can make sense (once in a great while) but encrypting individual files is generally quite silly.
-
@scottalanmiller said in To Password Protect a network folder or not:
@Carnival-Boy said in To Password Protect a network folder or not:
To use the example of MS Office's password protection, that is far more secure than NTFS is (or was), I believe? Since NTFS is easy (or always was, I'm not sure if it is improved) to break if you gain physical access to the file server where anyone can gain local admin rights (for example). Correct me if I'm wrong!
That particular case is awful. I've seen other apps open "encrypted" MS Office files accidentally. It used to be, at least, that LibreOffice users wouldn't even get prompted for the password and would get access to the entire document without even knowing that it was meant to have been secured!
I doubt it. Maybe 10+ years ago, but not now.
@Breffni-Potter tried to break one of my AES encrypted 7Zip files last year (and failed). Do you want to try a new challenge and crack one of my password protected Word files? I bet you can't.
I'm not saying password protection should be an alternative to NTFS. I agree that would be silly. But as an additional layer of security it is valid.
-
@Carnival-Boy said in To Password Protect a network folder or not:
@Breffni-Potter tried to break one of my AES encrypted 7Zip files last year (and failed). Do you want to try a new challenge and crack one of my password protected Word files? I bet you can't.
He never bothered. I remember checking in and he never even looked into it.
-
@Carnival-Boy said in To Password Protect a network folder or not:
I'm not saying password protection should be an alternative to NTFS. I agree that would be silly. But as an additional layer of security it is valid.
Only against physical theft, though. If we are talking about a situation at the office, you would not brute force the password, you would instead bypass it. The file is only secure as long as it is not accessed.
-
@Carnival-Boy said
@Breffni-Potter tried to break one of my AES encrypted 7Zip files last year (and failed). Do you want to try a new challenge and crack one of my password protected Word files? I bet you can't.
I actually succeeded on the first try remember?
My lab was in pieces and I never got around to doing it.
-
It's not too late to try
-
@Carnival-Boy said in To Password Protect a network folder or not:
It's not too late to try
True.
I do know of 1 very sneaky trick though to instantly get the data.
7ZIP stores a copy of the unencrypted file in the Windows temp directory.
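
As an added example (not part of the original post, and not code from 7-Zip): a hygiene check a workstation owner or admin can run to see whether plaintext extracted from archives is still sitting in a temp directory. The folder prefixes `7zO` and `7zE` are an assumption about how the 7-Zip GUI names its temp folders; the thread does not state them.

```python
import os
import tempfile
import time
from pathlib import Path

# Assumption: the 7-Zip GUI extracts opened/dragged files into temp folders
# whose names start with these prefixes. Adjust if your version differs.
SEVENZIP_PREFIXES = ("7zO", "7zE")


def find_7zip_leftovers(temp_root=None, prefixes=SEVENZIP_PREFIXES):
    """Return sorted (path, size_bytes, age_hours) for files left in 7-Zip temp folders."""
    root = Path(temp_root or tempfile.gettempdir())
    wanted = tuple(p.lower() for p in prefixes)
    now = time.time()
    findings = []
    for entry in root.iterdir():
        # Only look inside directories that match the 7-Zip naming pattern.
        if not (entry.is_dir() and entry.name.lower().startswith(wanted)):
            continue
        for dirpath, _dirs, files in os.walk(entry):
            for name in files:
                path = Path(dirpath) / name
                try:
                    st = path.stat()
                except OSError:
                    continue  # file vanished or is unreadable; skip it
                age_hours = round((now - st.st_mtime) / 3600, 1)
                findings.append((str(path), st.st_size, age_hours))
    return sorted(findings)


def demo():
    """Run the scan over a constructed temp tree (sample data, not real output)."""
    with tempfile.TemporaryDirectory() as root:
        leftover = Path(root) / "7zO4A1B2C3D"      # constructed folder name
        leftover.mkdir()
        (leftover / "payroll.xlsx").write_bytes(b"x" * 10)
        unrelated = Path(root) / "other-app"
        unrelated.mkdir()
        (unrelated / "cache.bin").write_bytes(b"y" * 3)
        return [(Path(p).name, size) for p, size, _age in find_7zip_leftovers(root)]


if __name__ == "__main__":
    # Scan the current user's real temp directory and report what is still there.
    for path, size, age in find_7zip_leftovers():
        print(f"{age:>7.1f} h  {size:>10} B  {path}")
```

Anything this reports is plaintext that the archive password no longer protects; it is covered only by the file system permissions and disk encryption of that machine.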
-
Hi,
This may be off-topic, I don't see many people talk of AD RMS, with or without Gigaworks / Secureislands etc..
-
@Breffni-Potter said in To Password Protect a network folder or not:
@Carnival-Boy said in To Password Protect a network folder or not:
It's not too late to try
True.
I do know of 1 very sneaky trick though to instantly get the data.
7ZIP stores a copy of the unencrypted file in the Windows temp directory.
Nice try. But 7Zip stores a copy in MY Windows temp directory, not yours. How do you propose getting access to my temp directory?
-
@Carnival-Boy said
Nice try. But 7Zip stores a copy in MY Windows temp directory, not yours. How do you propose getting access to my temp directory?
Yes that's what I meant. But it would also store it in the temp directory of any machine which decrypts with 7zip. As for how I get access to the temp directory, how determined am I to get your data? If the data was that important, why not just steal the desktop?
BitLocker can be completely cracked apart in a minute if the following conditions are met.
Hibernation is enabled
The machine is in sleep/not turned off.
Then all that needs to happen is the laptop (most likely) to be stolen, which is typically left on sleep mode and then the BitLocker protection is null and void.
Electronic attack is not the only threat and most of the data breaches in the media have been due to lost USBs, lost laptops and so on.
-
Is that your long-winded way of admitting defeat in my challenge?
-
Although if I come in to work tomorrow and find my laptop has been stolen and there's a note on my desk that says "I win, love from Breffni", you'll have taken the challenge too far.
-
@Carnival-Boy said in To Password Protect a network folder or not:
Although if I come in to work tomorrow and find my laptop has been stolen and there's a note on my desk that says "I win, love from Breffni", you'll have taken the challenge too far.
All is fair in love, war and hacking contests.
-
@Carnival-Boy said in To Password Protect a network folder or not:
Is that your long-winded way of admitting defeat in my challenge?
As a good politician says, we will not accept defeat but we are considering all of our options in this matter.
One of them involves @scottalanmiller doing me a favour....so please hold.