To Password Protect a network folder or not
-
@scottalanmiller said in To Password Protect a network folder or not:
@DustinB3403 said in To Password Protect a network folder or not:
I know windows supports encrypting files, but this seems extremely painful, especially for a network based folder.
And it defeats the purpose of your NTFS security. What does the extra password accomplish?
That was my mindset as well, why should we encrypt it when we could use simple share and security policies to control access to the content.
-
@DustinB3403 said in To Password Protect a network folder or not:
@scottalanmiller said in To Password Protect a network folder or not:
@DustinB3403 said in To Password Protect a network folder or not:
I know windows supports encrypting files, but this seems extremely painful, especially for a network based folder.
And it defeats the purpose of your NTFS security. What does the extra password accomplish?
That was my mindset as well, why should we encrypt it when we could use simple share and security policies to control access to the content.
Having the person requesting this state the benefit might be important. Ask them "Given that the resource is already controlled by a password and restricted to the user level for access and further limited on the network and that passwords should never be shared, ever, what is the GOAL, what is the "intended benefit" that someone perceives from this action?"
-
I actually asked where did you get this idea to password protect a folder. The times that i encounter this its always from non-technical end users who are used to password protecting office documents.
-
@scottalanmiller said in To Password Protect a network folder or not:
Having a second password for a file or folder will not actually increase security,
I agree on folders. Not sure on files. Using NTFS only, is it possible to set permissions to allow access to only a specific user and no-one else? Ie can you restrict the domain admin or the file server's local admin account from access? And if you could, could you still back the file up? I wouldn't want a file on my file server that I, as domain admin, was restricted to. I'm not sure it would work?
Some users will password protect Office files from within Office and I don't have a particular problem with that. I can still access the file to back it up, restore it and change NTFS permissions, but I can't open the file in Office. That suits me. I wouldn't encourage it, as if the user leaves or forgets the password, I can't help. It adds more risk to the company than it solves.
-
@Carnival-Boy said in To Password Protect a network folder or not:
@scottalanmiller said in To Password Protect a network folder or not:
Having a second password for a file or folder will not actually increase security,
I agree on folders. Not sure on files. Using NTFS only, is it possible to set permissions to allow access to only a specific user and no-one else? Ie can you restrict the domain admin or the file server's local admin account from access? And if you could, could you still back the file up? I wouldn't want a file on my file server that I, as domain admin, was restricted to. I'm not sure it would work?
Some users will password protect Office files from within Office and I don't have a particular problem with that. I can still access the file to back it up, restore it and change NTFS permissions, but I can't open the file in Office. That suits me. I wouldn't encourage it, as if the user leaves or forgets the password, I can't help. It adds more risk to the company than it solves.
You can easily have a set of files your domain admin or file server admins don't have access to but your backup service account does, assuming you are doing file level backups,
-
@Carnival-Boy said in To Password Protect a network folder or not:
I agree on folders. Not sure on files. Using NTFS only, is it possible to set permissions to allow access to only a specific user and no-one else?
Yes, of course. You can set any permission granularity on any file. Per user, per group, read, write, modify. NTFS ACLs always provide this.
-
@Carnival-Boy said in To Password Protect a network folder or not:
Ie can you restrict the domain admin or the file server's local admin account from access?
No, that you cannot do. The domain admin always has access. It is true that encrypting a file could keep the admin from accessing a file, but that also means a fundamental failing of the overall system. The admin can always access that file in another way if that file gets accessed, and you have to trust your admins or you are already compromised. So while that's technically a reason, I don't see it as a valid one. Your admin can just grab a copy of that file if they want when it is accessed defeating the purpose. Plus the shared password system is totally non-secure. So not really useful in securing anything either, if it comes to actually trying to secure it.
-
@Carnival-Boy said in To Password Protect a network folder or not:
And if you could, could you still back the file up? I wouldn't want a file on my file server that I, as domain admin, was restricted to.
Yes, that works fine, because in no way are you (as the admin) restricted from accessing the file. You can copy it, back it up, move it, etc. just like any other file. Remember that "encrypted" isn't something special here, think of it like a Word Doc being accessed by a computer that does not have Word installed. An encrypted file is just a file for which you do not have the application that opens it, nothing more. A computer copying or backing up any file will not know what is in that file, it just copies the whole thing.
-
@Carnival-Boy said in To Password Protect a network folder or not:
Some users will password protect Office files from within Office and I don't have a particular problem with that. I can still access the file to back it up, restore it and change NTFS permissions, but I can't open the file in Office. That suits me. I wouldn't encourage it, as if the user leaves or forgets the password, I can't help. It adds more risk to the company than it solves.
That is exactly what they are looking to do here. Maybe not Office files, but exact same concept.
-
@coliver said in To Password Protect a network folder or not:
You can easily have a set of files your domain admin or file server admins don't have access to but your backup service account does, assuming you are doing file level backups,
Actually you can't. You can have a second admin who only has access to them, but some human admin, at the end of the day, always has access.
-
@scottalanmiller said in To Password Protect a network folder or not:
@coliver said in To Password Protect a network folder or not:
You can easily have a set of files your domain admin or file server admins don't have access to but your backup service account does, assuming you are doing file level backups,
Actually you can't. You can have a second admin who only has access to them, but some human admin, at the end of the day, always has access.
You can gain access, true.
-
tl;dr there is no reason to do this
-
@scottalanmiller said in To Password Protect a network folder or not:
@Carnival-Boy said in To Password Protect a network folder or not:
Ie can you restrict the domain admin or the file server's local admin account from access?
No, that you cannot do. The domain admin always has access.
That's what I meant by "is it possible to set permissions to allow access to only a specific user and no-one else?". It isn't possible. So if the company wants to protect the contents of a file from the Domain Admin then NTFS can't do this and they will need an alternative.
I disagree with you when you say that a shared password system is total non-secure. Why does it have to be?
To use the example of MS Office's password protection, that is far more secure than NTFS is (or was), I believe? Since NTFS is easy (or always was, I'm not sure if it is improved) to break if you gain physical access to the file server where anyone can gain local admin rights (for example). Correct me if I'm wrong!
-
@Carnival-Boy said in To Password Protect a network folder or not:
I disagree with you when you say that a shared password system is total non-secure. Why does it have to be?
Because you can't tell who has access, when access has changed, no one is accountable for it. All key things to security.
-
@Carnival-Boy said in To Password Protect a network folder or not:
To use the example of MS Office's password protection, that is far more secure than NTFS is (or was), I believe? Since NTFS is easy (or always was, I'm not sure if it is improved) to break if you gain physical access to the file server where anyone can gain local admin rights (for example). Correct me if I'm wrong!
That particular case is awful. I've seen other apps open "encrypted" MS Office files accidentally. It used to be, at least, that LibreOffice users wouldn't even get prompted for the password and would get access to the entire document without even knowing that it was meant to have been secured!
-
@Carnival-Boy said in To Password Protect a network folder or not:
To use the example of MS Office's password protection, that is far more secure than NTFS is (or was), I believe? Since NTFS is easy (or always was, I'm not sure if it is improved) to break if you gain physical access to the file server where anyone can gain local admin rights (for example). Correct me if I'm wrong!
Different goals.... encryption is to protect against a breach of physical access. NTFS/SMB protect against network access. Two totally different goals. Encryption is not very useful unless there is a physical breach because the encryption is disabled during use.
-
Or to put it another way....
NTFS security vanishes when physical access is breached.
Encryption security vanishes when normal systems are in operation.
Which is why I said that you could definitely encrypt the entire drive for physical security considerations, that can make sense (once in a great while) but encrypting individual files is generally quite silly.
-
@scottalanmiller said in To Password Protect a network folder or not:
@Carnival-Boy said in To Password Protect a network folder or not:
To use the example of MS Office's password protection, that is far more secure than NTFS is (or was), I believe? Since NTFS is easy (or always was, I'm not sure if it is improved) to break if you gain physical access to the file server where anyone can gain local admin rights (for example). Correct me if I'm wrong!
That particular case is awful. I've seen other apps open "encrypted" MS Office files accidentally. It used to be, at least, that LibreOffice users wouldn't even get prompted for the password and would get access to the entire document without even knowing that it was meant to have been secured!
I doubt it. Maybe 10+ years ago, but not now.
@Breffni-Potter tried to break one of my AES encrypted 7Zip files last year (and failed). Do you want to try a new challenge and crack one of my password protected Word files? I bet you can't.
I'm not saying password protection should be an alterntive to NTFS. I agree that would be silly. But as an additional layer of security it is valid.
-
@Carnival-Boy said in To Password Protect a network folder or not:
@Breffni-Potter tried to break one of my AES encrypted 7Zip files last year (and failed). Do you want to try a new challenge and crack one of my password protected Word files? I bet you can't.
He never bothered. I remember checking in and he never even looked into it.
-
@Carnival-Boy said in To Password Protect a network folder or not:
I'm not saying password protection should be an alterntive to NTFS. I agree that would be silly. But as an additional layer of security it is valid.
Only against physical theft, though. If we are talking about a situation at the office, you would not brute force the password, you would instead bypass it. The file is only secure as long as it is not accessed.