Need to improve partition/drive security

[Philjarrah]

Using XP service pack 3.
Single HDD currently split into the normal C & D drives.
Shared computer between 3 people one is the administrator.
Is the following possible and if so how?
Would like to create a 3rd partition/drive in which to store personal data and programs.
Can access to this whole new partition and the data within be password protected as opposed to each individual entry.
The data must not be accessible by the administrator.
Appreciate any explanation in simple terms.
Many thanks.

[Tinto Tech]

True Crypt can encrypt the partition for you. Only the person knowing the Truecrypt password will be able to mount the volume and access its contents.

However, installing programs into a non-system volume may be problematic. There will be many inter-dependencies between the registry in the %system_root% and installed programs. Things may break if you attempt to encrypt a non-system partition to contain installed programs.

Moreover, if it's not a silly question, why try to hide data and programs from the computer administrator? By definition, the administrator must have full access to the machine. Without full access the administrator cannot administer the machine. For example, what happens if the administrator needs to recover lost data, or eradicate a malware infection?

If your need is solely to secure private data (which is a very valid thing to do), Truecrypt can help, but in general it is better to not store sensitive data on a machine for which you do not have admin control - or at least contractual control over the administrator.

If your desire is to circumvent layers of security that the administrator has put in place....well that's an entirely different type of request, which I can't help with.

[DrWho]

Storing sensitive data files on a hard drive is inadvisable at best.
Put them on a flash drive and take it with you. That beats all the HD security you can invent.
Also, HD Security does nothing for you in the event of a hard drive Crash. Eh?

Just a thought!

The Doctor

[Paul T]

+1 for TrueCrypt.
TrueCrypt will create a new drive for you - it's actually an encrypted file on your hard disk. Each user can have their own drive which can be backed up by the administrator but remains accessible only if you know the password.

cheers, Paul

[Philjarrah]

Thanks Folks.
Nothing really sensitive, it's a family computer. It does not have to be encrypted.
I just don't want anyone to be able to delete any of the information that I have hoarded.
This would apply especially to the administrator (my brother), who believes in getting rid of anything that he does not consider useful. Basically wish to protect the info from deletion etc.

[Paul T]

Can't do much to defeat an overzealous administrator, but you can make his life difficult by changing the permissions on your folder.
1. Right click on the folder and select Properties.
2. Select Security and give yourself Full rights.
3. Remove any other rights and click OK. You may need to go to Advanced and stop inheritance first. If so copy the permissions when asked.

Now the administrator can't even see your files, let alone delete them, but he can reset the permissions. Backup may be an issue depending on who (if anyone) does it.

cheers, Paul

[Tinto Tech]

The encryption we discussed earlier will do the job (it encrypts an entire volume, so nothing can be accessed, changed or removed without your permission), but in this scenario what may follow is a very upset brother who prevents you from accessing the machine in the first place. It will not work for programs that you wish to keep on the machine, but your brother does not.

In that case, you have only two real options:

• Speak to your brother and get his agreement not to remove your data.
• Remove your data from the machine onto a flash drive or portable hard disk (as per Dr Who's advice). Take a look at portable apps if you wanted to go down that route.

[bobprimak]

A good compromise between encryption and full administrator access in Windows XP SP3 (Pro or Home) is to go to the main user Folder (the one with the user's name on it) in Windows Explorer. Highlight and right-click. Click on Properties. There's a tab for Sharing. Check off the checkbox for Make This Folder Private. You may also need to check off Apply to All Sub-folders. Click Apply. Wait while the new security property is applied. Then check with the Administrator Account. The user's Main Folder should be visible in Windows Explorer, but with no Plus Sign. Clicking or double-clicking on the Folder even by a super-administrator will pop up the Access Denied error message. Problem solved, until it comes time to scan for malware. For that operation, it's best to relinquish user folder privacy, I think. But only while the scans are running. Maybe also when Image Backups are being made. But no other times.

For the Partition, it may be possible to do the same for the entire Drive Letter. I've never tried this, but it may work.

Using separate partitions solely for the purpose of making some users or some data private may not be necessary. But the OP does seem to want to separate data for other reasons. So, encrypting this partition may also be an option in this very specific case. My advice does not require a separate partition to be applied.

Again, any encryption may cause issues with virus scanning or creating and restoring backups. Check with your security and backup programs to make sure they can handle encrypted volumes and partitions.

[lelandhamilton]

Get your brother to agree that if you purchase a flash drive, external portable drive, or an internal drive to add to the system you can keep anything that you want on it, subject to virus and malware scans. [I presume your stuff is "legal", rather than porn...] Your total outlay will lie between $5 and ~$100 depending upon the capacity purchased

A USB flash or USB external drive you can take with you. A internal drive is tied to the machine without physically removing it and installing it in another machine or a USB drive enclosure. The USB flash drive would be the cheapest option and can hold a significant amount of information. A 4 GB or 8 GB can cost under $6 to $15+, larger drives (32, 64GB+) are also available. I highly recommend a retractable or otherwise attached cap, such as the SanDisk Cruzer line. Terabyte USB drives and internal drives have come down to the $100+- price rage with occasional sales. I actually got 1 and 2 TB USB drives at Target on separate Black Fridays for significantly under $100, and a 2GB internal drive recently at BestBuy (when my system drive was dying) for just over $100.

If he is deleting things because disk space is tight, it might be time for him to do some other house cleaning: deleting temporary files, reducing browser cache sizes, emptying the recycle bin, etc. I use Wise Disk Cleaner (Free) to clean off the temporary files, after configuring it to not delete things that I want to keep. There are plenty of other suggestions in past editions of Windows Secrets.

If you go the large capacity route. you could offer to let your brother to keep system backups on the drive as part of his regular backup routine in a separate partition. I presume he reads Windows Secrets, and makes backups; and that you make backups of your important stuff.

I find that an 8 GB flash drive can hold the important and not so important files, and SyncToy makes for a nice synch tool. I also have important partition backups on my large USB drive, a bootable DVD backup of a configured system partition and DVD backups of the important files. Now that I have a 2TB system drive instead of the retired defective 250 GB drive there are also partition images on that drive.

[GrandRascal]

I do believe that TrueCrypt in fact has a portable mode, in which it need not be installed -- does it not...?

[Paul T]

Yes, but you can't create new partitions and you can't mount existing ones as drives.

cheers, Paul

[boobounder]

I solved a similar problem on a machine where there were two of us using the same username (don't ask why ... family trust issues).

Anyway, you can create a folder that has no name (actually, its name is a single blank character), and also has no icon.

I stored this folder on the desktop and never lost information over a period of a few years. All you have to do is remember its location on the desktop and just click there. It will still highlight when you click it. If it gets moved, just open up Explorer and it will be listed there.

One better than this is that you can put that folder inside some other even less obvious folder somewhere.