Win2K Security Question How do you....?

SharkB8

Senior member
May 25, 2000
Is it possible to keep a folder, that you have taken ownership of, from showing up in Windows Explorer when someone else logs in on that system? I have taken sole ownership of the folders I want to keep others out of and nobody can access them but I would prefer that they aren't even visible. Making them "hidden" only works if everyone else has the "show hidden files" option disabled. Anyone know how to do this or if it is even possible??

FYI, the systems are Win2K with SP2 installed and drives formatted in NTFS.
 

Noriaki

Lifer
Jun 3, 2000
I don't think you can make them invisible.
You can just revoke access to them (except to Admins).

But if you're afraid of someone else seeing you have pr0n on your system just name the folder something innocuous ;)
 

SharkB8

Senior member
May 25, 2000
The problem is that there are certain applications that we're not supposed to have on the systems at work. I am trying to hide these as much as possible but this is probably futile anyway. Thanks.
 

Rand

Lifer
Oct 11, 1999
Unfortunately even if others cannot actually open a folder they can still view that the folder exists. :(

That's one of the big advantages that Novell Netware still has over Win2000 IMHO.
 

SUOrangeman

Diamond Member
Oct 12, 1999
Although the directory may show up in Explorer, I don't think you can actually view the contents. I haven't verified this with the command line or anything.

-SUO
 

SharkB8

Senior member
May 25, 2000
You are correct SUO. Once you take sole ownership of the file and all contents others can see that the file exists but can in no way that I can find, access the contents.
 

Jorrit

Member
Jun 4, 2001
the only thing that would do the trick is to block access to the program files directory, but that probably wouldn't be a wise thing to do, would it.

what about installing the program to your home directory instead of program files? disadvantage if there's a quota. however another administrator can always have a look into every directory anyway, i believe, so it probably is futile.
 

WoundedWallet

Platinum Member
Oct 9, 1999
I think you could install the program inside a folder that you have sole privileges (i.e. c:\MySecretFiles) and people won't be able to list the other folders inside MySecretFiles (i.e. c:\MySecretFiles\MySecretProgram), thus making MySecretProgram "invisible"

Unless of course they get curious and have the rights to override and fire you since you're not following company policies. But I'm sure you're not worried about that ;)
 

jaywallen

Golden Member
Sep 24, 2000
I gather that you're not a domain admin, right SharkB8? Remember that domain policies will override policies set locally. You need to know that if it's really important that the sysadmin not know of the folder(s). You won't be able to hide them from the sysadmin.

Regards,
Jim
 

SharkB8

Senior member
May 25, 2000
Unfortunately, I am not a Domain Admin. I think that my best bet is to stash this stuff into folders with inconspicuous file names. The next problem is that the LAN manager has set up a program that scans the network for "illegal" programs. At this point I am not sure if it only scans the Program Files folder or all directories but right now I'm ok....I think. Nothing I have is really all that significant. Due to this, even if I do get busted the consequences are pretty small.
 

jaywallen

Golden Member
Sep 24, 2000
Oy! If the sysadmin is scanning the network for illegal programs it's extremely unlikely that the installations will go unnoticed. I don't even know of any tools that would miss it under such circumstances. The scanning software I use checks for ANYTHING not on the approved disk images. That includes registry entries and telltale changes in other system files, surreptitious installations, parallel installations, etc. It can even be allowed to look for and report who created what and when they created it. It wouldn't be able to break files encrypted by third party tools, for instance, but it would report the existence of such files and who created them (and when). Be careful not to put yourself in an untenable position, or to put the sysadmin into a corner where s/he has to go to upper management (depending on your work situation) to get permission to examine the system. As much as you might not want the sysadmin to know, I imagine that it would be worse to have both the sysadmin and upper management involved. If the installation is anything that could conceivably be used to compromise security of the network, you can expect a hostile reaction to its discovery.

Regards,
Jim
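
A minimal sketch of the baseline scan described in the post above, added here as an illustration; it is not from the thread and is not the scanning software the poster uses. It compares a host's files against a manifest of approved paths and SHA-256 hashes, and it reports folders it cannot list and files it cannot read as findings rather than skipping them. The function names, sample paths and file contents are constructed; owner lookup and registry checks are left out.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path):
    """Hash in chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit(root, baseline):
    """Compare one host tree with {relative path: sha256}; return sorted findings."""
    findings = []
    def rel(path):
        return os.path.relpath(path, root).replace(os.sep, "/")
    def unlistable(err):  # a folder the scanner cannot list is a finding, not a skip
        findings.append(("unlistable", rel(err.filename), type(err).__name__))
    for folder, _dirs, files in os.walk(root, onerror=unlistable):
        for name in files:
            full = os.path.join(folder, name)
            try:
                digest = sha256_file(full)
                seen = datetime.fromtimestamp(os.path.getmtime(full), timezone.utc).isoformat()
            except OSError as err:  # report existence even when content is unreadable
                findings.append(("unreadable", rel(full), type(err).__name__))
                continue
            if rel(full) not in baseline:
                findings.append(("unapproved", rel(full), seen))
            elif baseline[rel(full)] != digest:
                findings.append(("modified", rel(full), seen))
    return sorted(findings)

def demo():
    """Constructed sample: an approved manifest and a host that drifted from it."""
    approved = {"Program Files/Approved/app.exe": b"approved build",
                "Program Files/Approved/app.ini": b"mode=1"}
    baseline = {path: hashlib.sha256(data).hexdigest() for path, data in approved.items()}
    on_host = dict(approved)
    on_host["Program Files/Approved/app.ini"] = b"mode=2"       # changed after imaging
    on_host["Documents/Reports/tool.exe"] = b"not in the image"  # innocuous-looking name
    with tempfile.TemporaryDirectory() as host:
        for path, data in on_host.items():
            full = os.path.join(host, *path.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as handle:
                handle.write(data)
        return [(kind, path) for kind, path, _detail in audit(host, baseline)]
```

Because the comparison is by path and content hash against the approved set, a file's name or location has no effect on whether it is reported.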
 

SharkB8

Senior member
May 25, 2000
Jay- I do appreciate the insight you give. I suspected that the information derived from the App Scan was at least as extensive as you say especially with an NT based system. As I said, everything I have installed is benign and widespread throughout the network. It all gets installed, then the sys admin raises hell and everybody gets their systems cleaned out. If they got out the platters and started wanting heads on them, there would be no one working here.:D
I'll PM you from home to let you know where I work. You'll die laughing. Thanks for the concern.
 

jaywallen

Golden Member
Sep 24, 2000
Heh-heh. Sounds like the typical situation. This often happens when management makes arbitrary decisions about what is, and isn't, allowed on the company systems.

I happen to work mostly with scientific users in situations where ultra-tight control is required. But I also do some non-profits on a pro bono basis. The not-for-profits used to tend to be pretty lax about security, but most of them have come to the conclusion that they have to exert controls to prevent possible compromise of sensitive data, too. (The liability issues for non-profits engaged in health care or other human services can be incredible.) In my case, I usually have big resources for accomplishment of relatively low admin workloads. That's what's required for high security ops. But that also gives me the ability to examine pet apps that users want on their systems to see if they can be accommodated without threatening security. I even talked two organizations into setting up "alternative intranets" for the express purpose of running users' pet apps. (Yup! A separate box on a separate network for each user that wants it -- used via KVM.) I'm a big believer in security, but I'm also a big believer in trying to get everything I can get for the users -- as long as what they want doesn't compromise the functionality of the network.

Regards,
Jim
 

SharkB8

Senior member
May 25, 2000
Jay- I now understand why you know what you know. I'll PM you from home with my thoughts for obvious reasons.