I'll apologise in advance for the way this is phrased, I know what I'm trying to say but if it's come out garbled sorry about that. Okay, on with the issue. You have multiple login accounts with access granted to a particular partitioned data drive, so only those accounts can access that drive and others login accounts can't. Now, you want a new login account for a shared PC, shared between different departments between whom there needs to be "chinese walls" in place, some users of that shared new login account need to have access to the particular partitioned data drive, others users mustn't have. Is there any way to implement a password protection/controlled access of some sort for that one login so that when someone is using that login/PC if they try to gain access to the shared data drive they are required to enter a password but will not affect the way other login accounts, that have been granted access to the drive, automatically access it? I know it's not up-to-date Windows server software, but I don't know which version is being used - no help to you I know! Your help/input would be much appreciated.
So you have a shared drive on a server, that is accessed by multiple accounts. How are the accounts created... are you using a windows domain, workgroup or standalone computer accounts? If you're on a domain it's easy - set the share permissions to everyone having full access and then use NTFS permissions to limit who accesses what - you can be as simple/complex as you want then.
Thanks Atomic. Yes, it's a domain. So you're saying that that one account only could be set up (using permissions) to be forced to enter a password in order to gain access to the drive? If you are, in that case it'd also have to be able to drop the access in some way without logging off the account as the PC is left logged in all day. Can that be achieved in some way? (I know, don't want much do I )
Seems you've missed the fundamental reason for having multiple accounts - permissions can be set 'per account' so each user can have their own permissions and access rights. For example: on the shared drive, there's a folder for each department, only the users within each department have access to their own departments folder. User from Finance logs on and has access to 'Finance folder' but not any others. user from Sales user logs on and has access to 'Sales folder' but not any others. Why would two departments be sharing an account? edit: In answer to your question it's not possible as NTFS permissions don't 'time out' they are set at login or the moment the connection to the application/resource is made.
Sorry I thought I made it quite clear in the OP it was 1 account used by multiple departments/people. Why 1 login/pc? It's a multifeed PC with the authorised account for some very expensive third party info systems. Before the thought even crosses your or anyone else's mind there is no licence infringement involved whatsoever I assure you.
you just need a login script and set the permissions and shares accordinly? Put people in security groups, get something called ifmember.exe which is a small command line app - i can send it you if you need as its quite hard to find, but easy to use - so you can give me people drives according to if they are in security groups or not. edit: i just re-read you are only using one login account, in which case that probably wont work. Only way I have managed to do what you are doing is by making true crypt volumes which you can mount and thus enter passwords when they are needed. I have done this with drop box etc. where users have had to have access to their own bit but share a generic account. edit 2: I still don't think I understand what you are trying to achieve haha so I still don't think I have suggested the right thing.
Thanks Margo but are you sure you're not sure? Okay, forget for a moment it's a domain. Let's try a scenario I can explain in full. Please bear in mind it's make believe and any resemblance to any forum member's life is pure coincidence Picture it, it's 2003. You live with your girlfriend who's very possessive, insecure and jealous. (I know, why would you be with someone like it but let's just pretend ) PCs are expensive proportionally - you're still a student - so you have to share a standalone PC. (Forget you could build one for yourself much cheaper for a moment ) She doesn't quite trust you so insists she uses your user login on the PC. You have a penchant for porn but you know she'd go mad if she found it on the PC. Excluding hiding the files/partition they're stored on (after all she might switch to a computer science degree ), how could you access them and prevent her from doing so? Now, forget it's a standalone PC and apply it to storing it on a server. No, "I'd ditch her" is not the answer I'm looking for
true crypt, encrypted volumes. you set them the size you want, then when a user wishes to use theirs, they mount it and it becomes a drive. when they done, they dismount it, it goes back to being a container on the hard drive, is just a massive file the size you make it. Users just need to make sure they unmount their volume, and you will have to make a basic instruction on how to mount and dismount volumes and do minimal training. but thats the best way i reckon, and its gpl license. http://www.howtogeek.com/108501/the-how-to-geek-guide-to-getting-started-with-truecrypt/
But will all your mates you said could access your porn files still be able to without having to erm, mount and dismount it? or would they also have to do that?
no way - if you dont know the password you cant mount the volume, if you cant mount the volume, there is no way (well there is but it would take bazillions of years) to see whats inside. Obviously - if you do this, IT should take backups of all the users keys, as, there is no password recovery, if they forget their password, and the key is lost, the volume is lost too. but means the porn is safe
True crypt volumes in an enterprise environment is a recipe for disaster as there is no centralised key recovery method. If they have to mount and dismount the volume you might as well give them a batch file to do it with normal shared drive using net use and map to a shared drive with alternative credentials to the logon. At least you can run a decent backup on a set of files rather than the single huge file that the truecrypt volume would be.
In fact I decided probably the easiest thing to do by far was take away permission rights to the sensitive shared drive (especially since it needs to be centrally and locally backed up) for that login account and set up a new shared drive with access rights to it for that login and all users of that login/PC. That way they can use the new shared drive as a central dumping ground for data generated and they'll just have to move it across at their own desks to their own team's restricted access drives. Slightly fiddly on an ongoing operational basis but easy to implement and retains the "chinese wall" status.
I disagree. Backups can be taken of the keys and stored centrally. The whole point is there is no key recovery, the whole point is to keep things safe. I have used true crypt a number of times in an enterprise environment and with great success. And with safeguards as the client has copies of the keys on their server (not that they know that) and I have copies of their keys on my server. The keys are also backed up by their routine backup. As I said - does require a minimal instruction to be written and minimal training but where I have used it clients couldn't be happier. Using a script with different credentials would make usernames and passwords pretty available to anyone as they would be stored in plain text in the script.
Kind of a staging area, I like. Certainly the KISS approach For a SMB with no budget available for a proper encryption system I guess it might be acceptable. Me personally, I'd couldn't recommend a product unless is FIPS 140 certified and has a central key management server with some method for ICT to unlock data remotely as the users will and do forget passwords. But then again I'd be fired if I took clients data offsite, and likely prosecuted for taking a copy of their decryption keys! (I miss SMB support in some ways, life was simple then ) Plain text credentials, nah just get it to prompt for them: Code: @echo off echo "Enter username:" set /p UserName= echo "Enter password" set /p Password= net use X: \\server\share /user:%UserName% %Password%
Well it may not be the most elegant solution but being simple and straight forward I stand a chance of getting it implemented by them before 2014!
Sorry if it read that way, I was just trying to put across the disadvantages of the solution you suggested. The information security officer wouldn't approve something like TrueCrypt because there is no robust method to unencrypt the data by ICT. Taking a copy of the key files wouldn't be acceptable as the user can change them and they aren't replicated to a secure central repository, this could leave the business without explicit control over the data it holds. It depends on the type of the business if this is an issue or not, but it could leave the company in hot water should any legal action arise if they cannot prove they have taken the correct steps with information security. It's a great idea! I kicked myself for not thinking of it as there's something similar where I work for scanning in our hotdesk rooms where the departmental presets aren't available.
What a mess. Would it not be better to try and implement a multi-account scenario, that way you've got full domain control and all the benefits of it rather than a dirty hack through TrueCrypt?
