Vic's Registry RoundUp and DOS Den
~~Vic Ferri, Win Tips and Tricks
Note from Linda: Because I teach the MS Office
programs, I am surrounded by office workers full of questions. Some
questions I get a lot relate to security. "I am going on vacation
and don't want the temp who's sitting at my desk to access some of my files.
How do I prevent this?" Or, "I have to take some sensitive data
home to work on. How can I keep my roommate from seeing it?"
Of course, I deal with a lot of non-office types also, through my website,
who have a different need for security: "I have a teenager in my house
who is a whiz at snooping in my computer. How can I stop this?"
So, I went to Vic and sought out his help. Here are his answers
for all operating systems. Thanks, Vic!
Windows File and Folder Security
(or Why I Created Lock&Hide)
For those who don't know, I recently released Lock&Hide, a simple, but
effective folder security utility for Windows 95, 98 and Me. The goal in
making this program was to find an easy way to highly secure data in Windows
9x. This type of security for sensitive files and folders is nonexistent in
these Windows operating systems. Of course, you can set the hidden attribute
on your important files, but that really is a very weak security level.
Anyone can just go to Folder Options and enable Show All Files.
To achieve any level of worthwhile data security, you must rely on
outside programs to do the job, but most of these programs have a problem
achieving high security levels in Windows 9x and the reason for that is the
existence of MSDOS. These Windows systems must use the standard FAT (File
Allocation Table) file systems for their hard disks. As long as there is
FAT, there is DOS, and as long as there is DOS, your data's security level
is compromised. It is very hard to hide anything in Windows from DOS.
I tested Magic Folders (pc-magic.com), the most popular and highly touted
folder security program in the world, and was surprised to see how easy it
was in DOS to access any folder secured by this program. At most it gives
you a moderate level of security, which contradicts the high security claims
made by the developers: "Your invisible folders and files can't be
deleted, viewed, modified, or run". Yet, in testing, it took
less than a minute to fully access a folder hidden by Magic Folders. We
could view, copy, move, rename and even delete the secured folder!
Other programs were tested as well, and all showed the same
vulnerability.
Anyone with intent can simply go into DOS and gain full access to
your secured folder and make it fully viewable and accessible in
Windows. And it doesn't require any advanced DOS knowledge to do this,
at all. In fact, it is very easy. Let's say you have a folder in
Windows named "FINANCES" that was hidden with one of these programs. One
could simply use the rename command to rename your folder and then go back
into Windows, and there would be your renamed folder fully accessible.
ie: C:\WINDOWS> REN FINANCES EXPOSED
would rename your Finances folder to Exposed and make it viewable and
accessible in Windows. Not what I would call high security.
This illustrates how difficult it can be to hide from DOS.
To be totally secure, no one should be able to view, access or delete your
protected files and folders. That last one, delete, is often overlooked in
security programs that only password protect or encrypt your data, without
hiding it. As long as your data is visible it can be tampered with.
Lock&Hide was developed with these points in mind and is one program that
doesn't have these vulnerabilities, but it still means that you have to rely
on a third party program to achieve any real security level - moderate or
not - in Windows 95, 98 and Me. This is not the case in Windows 2000 and XP.
Data Security in Windows 2000 and XP
Unlike Windows 9x, Windows 2000 and Windows XP have the potential to protect
your data without the need for any outside programs. I say potential because
it all depends on the file system you use for your hard drives and the way
you have those drives set up. If you continue to use the FAT/FAT32 file
systems, then there's really no security advantage. The advantage of these
operating systems is that they allow you to convert your hard drive to the
NT File System (NTFS). With an NT File System you can restrict access to
your data and assign specific permissions to your files and folders.
NTFS can set security down to individual files within the same folder.
There is no DOS in an NTFS drive. It is a completely different file
system unique to Windows NT, 2000 and XP. Other operating systems can't see
the local file systems. Another unique feature of NTFS is that there is
really no limit to partition sizes.
NTFS can provide you with two basic types of security, network and local.
Network security is handled by share permissions but in this article, we are
talking mainly about local security. Local security is about
restricting access to sensitive and personal data on your hard drive and
keeping it away from prying eyes and other users of your computer. It's
called Local because the security is limited to the computer holding the
resources.
How to Convert Your FAT or FAT32 Disk into NTFS
There are two ways to convert your FAT disk to NTFS - during install or
after install. During install, you are given the choice to convert your FAT
type drive to NTFS (if it is possible). The nice thing about converting to
NTFS is that it leaves your present data intact - you do not need to format
your hard drive to convert, but if you have nothing of value on the drive,
it's a good idea to partition and format anyway, just to get a nice, clean
start.
If you decide to forgo converting to NTFS during Setup, you can always
convert your drive to NTFS later by using CONVERT.EXE. This is a command line
utility. To use it, go to a command prompt and type convert, then your drive
letter followed by /fs:ntfs. For example, if it's Drive D: you wish to convert,
you would type:
convert D: /fs:ntfs
And again, you won't lose any data by doing this conversion.
Realize, however, that once you convert a drive to NTFS there is no going
back to FAT in the same easy way. You will need to reformat to go back.
Securing Data With NTFS
Once your drive is converted to NTFS, you can begin setting permissions on
the folders you wish to protect. To do so, right-click the folder you wish
to set permissions on and choose Properties. Click the Security tab, and then
click Permissions. You will then see your options - you can remove any
account, edit the right to a resource, or click Add to allow more users or
groups to access the resource.
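The same restriction can be applied from a command prompt. This is an added example, not part of the original article: it uses CACLS.EXE, which ships with Windows 2000 and XP, and the FOLDER and OWNER values (and the choice to keep Administrators on the list) are assumptions to adjust.

```batch
@echo off
rem Added example (not from the original article): command-line equivalent
rem of the Security tab steps, using CACLS.EXE on an NTFS drive.
rem FOLDER and OWNER are placeholder values; change them before running.
setlocal
set "FOLDER=D:\Finances"
set "OWNER=%USERNAME%"

if not exist "%FOLDER%\" (
    echo %FOLDER% not found.
    exit /b 1
)

rem Show the current access control list before changing anything.
cacls "%FOLDER%"

rem Replace the ACL on the folder and everything under it (/T).
rem Without /E, CACLS replaces the existing list instead of editing it and
rem asks "Are you sure (Y/N)?", so the answer is piped in.
rem Only OWNER and the Administrators group keep access (F = full control);
rem every other account, including Everyone, is dropped from the list.
echo Y| cacls "%FOLDER%" /T /G "%OWNER%":F Administrators:F

rem Display the result so the new list can be checked by eye.
cacls "%FOLDER%"
endlocal
```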
The security level offered by NTFS is highest if NTFS is the only file
system on the computer. If MS-DOS is on the system, such as in a dual boot
situation between Windows 95/98 and Windows XP with NTFS, then the security
level weakens drastically as it is quite easy for someone with intent to
access any of your restricted data, by booting into MS-DOS and using an easy
to create NTFS access disk that makes the NTFS drive transparent and fully
accessible. Unfortunately, Lock&Hide doesn't work on NTFS, lol, but if high
level security is an issue with you in such a dual boot situation, you can
use something like Lock&Hide to protect your most important data on the 9x
machine. Not only will that data be more secure this way but anyone after
your data would naturally assume that your confidential files are on the
NTFS drive and not even bother looking through your FAT drive. ;-)
Microsoft was very aware of this vulnerability as you can see in this Win 2k
security article excerpt:
"You can restrict access to sensitive information that is stored on an NTFS
partition if Windows 2000 is the only operating system that can be run and,
if the hard drive cannot be physically removed. If someone really wants to
get at the information, it is not difficult if they can gain physical access
to the computer or hard drive. Availability of tools that allow access to
NTFS files from MS-DOS and UNIX operating systems makes bypassing NTFS
security even easier. Data encryption is the only solution to this problem."
http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp
So now we get into data encryption.
EFS
Note: this feature is not available on the Windows XP Home version.
Windows 2000 and Windows XP Pro ship with EFS which stands for Encrypted
File Security. EFS is especially good for laptops that can so easily be
stolen. EFS is the maximum "built in" security level you can attain
for your data in these systems, but as you'll see the real security offered
is no greater than the Windows password you choose to log on with. The
reason for this is that Microsoft chose, for convenience purposes, to make
EFS transparent. With EFS you can easily encrypt your files and
folders with no awareness of the process. You save and access your data as
you normally would but the data becomes encrypted when you save it.
EFS works in conjunction with NTFS, so naturally, you need to have your disk
formatted to NTFS to be able to use this file encryption feature. For
this method to be useful you have to set up individual user accounts with
passwords, because any encrypted data is accessible and viewable by anyone
on the same account. This is what is meant by transparent. This means if you
walk away from your computer, anyone can access your encrypted data. This
becomes very important in a business workstation where others may access
your computer while you are away and in a home situation where you wish to
protect certain data from prying eyes and other family members. It is
essential you have a good password and log off whenever you are away from
your computer. This is the primary limitation of EFS - because of the
required convenience and ease of use factor that Microsoft had to provide,
EFS is ultimately no more secure than the strength of your password. EFS
would be useless without a password. For greater security, you would need to
buy outside programs.
How To Encrypt Files and Folders
Encrypting your files and folders is as easy as setting a file or folder
attribute, but note that you cannot encrypt system files (which should go
without saying!). This applies to Lock&Hide, as well.
Right-click the folder or file you wish to encrypt and choose Properties.
Then click Advanced and select Encrypt Contents.
(NOTE: If the folder is empty, choose Folder only for encryption.)
[Image shots: Windows 2000 and Windows XP]
Decrypting a File
The only time you would need to decrypt a file with EFS is if you wanted to
give access to it to someone else. You do not need to decrypt a file to view
or edit it yourself. To actually decrypt is just a matter of right
clicking the file or folder and going back to Properties>Advanced and
removing the checkmark from the Encrypt Contents box.
TIP
For maximum security, encrypt folders and not individual files. Doing so
causes the files to be created as encrypted in the folder and there's no
rendering of the file to plain text (if a file alone is encrypted, EFS first
copies the file to a plain readable text file).
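The encrypt, decrypt and folder-level TIP steps above can also be done with CIPHER.EXE, the EFS command-line tool in Windows 2000 and XP Professional. This is an added example, not part of the original article; FOLDER is a placeholder value, and the drive must be NTFS.

```batch
@echo off
rem Added example (not from the original article): EFS from the command
rem line with CIPHER.EXE. FOLDER is a placeholder value.
setlocal
set "FOLDER=D:\Finances"

if not exist "%FOLDER%\" (
    echo %FOLDER% not found.
    exit /b 1
)

rem Mark the folder and all its subfolders as encrypted (/E with /S:) and
rem encrypt the files already inside them as well (/A). Files created in
rem these folders afterwards are encrypted from the start, which is the
rem folder-level approach the TIP recommends.
cipher /e /a /s:"%FOLDER%"

rem List the encryption state of the folder's contents (top level only).
rem Each entry is prefixed with E (encrypted) or U (unencrypted).
cipher "%FOLDER%\*"

rem Flag anything still unencrypted, for instance a file that was open in
rem another program while CIPHER ran.
cipher "%FOLDER%\*" | findstr /b /c:"U " >nul
if errorlevel 1 (
    echo All listed entries are encrypted.
) else (
    echo Some entries are still unencrypted. Close them and run again.
)

rem To reverse the operation later:
rem   cipher /d /a /s:"%FOLDER%"
endlocal
```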
Things You Should Know About EFS
The encryption technology used by EFS is key-based. To be able to
encrypt a file using EFS, there must exist a public and private key but you
as a user, don't have to do anything to get them. These keys are generated
automatically the first time you use EFS. The public key encrypts the
files and the private key decrypts the files.
This is great in that it makes it so easy to use for the newbie - no
knowledge about encryption is needed at all. In fact, many users use EFS
without even knowing about the existence of these keys. But, that can
also lead to problems! Say you decide to re-format your c: drive and
re-install Windows XP while having encrypted data on your d: drive. This
would just result in disaster after you realize you can no longer access any
of your secured files!
That would be the result of not knowing that reinstalling Windows creates
new security identifiers for each user. Your original keys are replaced with
new ones making your encrypted data inaccessible and the only way to gain
access is by using the Recovery Agent which only the Administrator has.
If you're the Administrator on your own computer, EFS automatically generates
recovery keys and self-signed certificates for you when logging on, making
you, as the local administrator, the default recovery agent. But you have to
KNOW all this to be able to recover. This ain't the simplicity of Lock&Hide.
LOL
To prevent such disasters, make sure to back up your personal encryption
certificate (your private key) and the recovery agent certificate to a
floppy disk and keep it in a safe place. It's easy to do but
strangely, it's not mentioned at all during the encryption process.
Here's the official how to:
Backing Up Recovery Keys
1. Click Start>Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. Under Add Standalone Snap-in, click Certificates, and then click Add.
4. Click My user account, and then click Finish.
5. Click Close, and then click OK.
6. Double-click Certificates - Current User, double-click Personal, and then
double-click Certificates.
7. Click the certificate that displays the words File Recovery in the
Intended Purposes column.
8. Right-click the certificate, point to All Tasks, and then click Export.
Follow the instructions in the Certificate Export Wizard to export the
certificate and associated private key to a .pfx file format.
Make sure you export your private keys with them. You will be asked to
password protect your keys (to verify when importing later on). Save this to
a secure floppy disk.
Now when you format or if your keys get damaged all you have to do is double
click on the exported key, follow the wizard and you should have access to
your files.
Vic Ferri owns the very popular WinTips and Tricks and Registry Answers.
Subscribe to either and receive free Windows and Registry Tips. He is also in
charge of the Printing Tips pages at Linda's Computer Stop. Vic has also
created a program which allows you to Lock & Hide desktop folders in Windows
9X/ME. Read more and get the free demo here. And, he now offers a service to
convert PowerPoint presentations to .exe files which can be viewed on
computers which do not have PowerPoint installed.