
user accounts don't seem to provide protection


14 replies to this topic

#1 mianake


Posted 07 February 2015 - 04:32 AM

Hi

I have set up a new user account to put some more sensitive items, say the S account. I haven't shared anything in it with the old account (O account), tho I have shared all the O account files with the S account.

I thought this meant someone in the O account couldn't see anything in the S account. Yet when I went in the O account and went to the start button and searched all programs and files, I could find all the S account files!

Any ideas what I might be doing wrong?

thanks

PS: I have Windows 7 and just chatted with a Microsoft fellow who said this was normal, to make it easier to search for files. He also said a guest could do it, tho not change the documents. Seems to make user accounts worthless in Windows 7. He says it is different in Windows 8. Can anyone confirm?


Edited by mianake, 07 February 2015 - 05:16 AM.



#2 Kilroy


Posted 07 February 2015 - 03:11 PM

Just because you can search and see the documents doesn't mean that you can access them.  Have you tried to open one of the files?



#3 mianake


Posted 07 February 2015 - 08:26 PM

Yes, I can access the files in the other account and for that matter edit them. 

 

Network access is denied, and no folders from the other user account are shared. 

 

I wonder if the problem is that I have somehow shared my Computer. When I go to open My Pictures, the various icons on the left side include Homegroup, Network, Computer, Libraries and Favorites. Nothing shows up under Network or Homegroup, but when u click Computer the drives show up, and if u click on them, u get access to whatever u want. Thus each user can access everything! I have a screen save, but don't see an attach button here.

thanks



#4 Kilroy


Posted 07 February 2015 - 10:18 PM

Getting computer shares correct can be a major pain if you don't understand all of the little nuances that go into creating a share.

 

The easiest way would be to use the NTFS permissions to secure the files.

 

Here is a page on NTFS permissions.

 

The main thing is NEVER use the Deny permission. If you don't give a user permission, they don't have permission; there is no need to use Deny, it only causes problems.



#5 CaveDweller2


Posted 08 February 2015 - 09:58 AM

ugh permissions.......the bane of my existence.  


Hope this helps

Associate in Applied Science - Network Systems Management - Trident Technical College


#6 mianake


Posted 08 February 2015 - 03:29 PM

Thanks

I will have to read the NTFS article, tho it is for XP and I have 7.

I spent a lot of time last night trying to figure this out, so here is what I found.

First, when I created the S account, it was from the O account, so it seemed to inherit its properties.

Second, all my files are on the E drive. Seems like the O account has access to all E drive materials, but is locked out of the C drive for the S user.

Under Properties and Security it seems all Users had Allow full access as inherited. I tried to set up S user - Allow and O user - Deny, and Deny all users, but that seemed to lock S out also, since there was a conflict and Deny controlled.

Finally I realized I had to get rid of inherited properties for all users; then I could remove the Users access and keep the S user Allow access. Oddly, the Administrator account and System user also disappeared when I did this (I did not specifically remove them) - not sure that matters since S is the administrator.

So now, under Security settings, all that shows up is S - Allow, O - Deny. I suppose I can delete O Deny based on Kilroy's comment. Interestingly, the S account folders now have a little padlock icon on them - I have never seen that. In contrast, when I open a subfolder inside the padlocked folder, there are five Group or User names - Authenticated Users, System, S user, Administrator, Users (oddly both Allow and Deny are checked!), and WMPNetwork. Should I see if I can get the Authenticated Users, System or Administrator setting back for the padlocked folder?

This seems to work - when in O, I can't find any S files by searching from the start button, or clicking on Computer etc. But when in S it seems like all works.

Does anyone see any problems in all this, or have suggestions?


Edited by mianake, 08 February 2015 - 03:42 PM.
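
One way to script the cleanup discussed in posts #4 to #6, as an added example that is not code from any poster in this thread: it breaks inheritance on one folder, clears every explicit entry (Deny included), and grants Allow-only access to the sensitive account plus SYSTEM and Administrators. The folder path `E:\S-Private` and the account name `S` are placeholders.

```powershell
# Added example, not from the thread. Run in an elevated Windows PowerShell prompt.
# $Folder and $Account are placeholders (assumptions); substitute your own values.
$Folder  = 'E:\S-Private'              # hypothetical folder on the data drive
$Account = "$env:COMPUTERNAME\S"       # hypothetical local account that keeps access

$acl = Get-Acl -Path $Folder

# Stop inheriting from the drive root. The second argument ($false) discards the
# inherited entries instead of copying them, which drops the inherited Users entry.
$acl.SetAccessRuleProtection($true, $false)

# Remove every explicit entry, Allow or Deny, so the list starts empty.
$sidType = [System.Security.Principal.SecurityIdentifier]
foreach ($rule in @($acl.GetAccessRules($true, $false, $sidType))) {
    $acl.PurgeAccessRules($rule.IdentityReference)
}

# Allow-only entries. Well-known SIDs are used for the built-in principals so the
# script does not depend on the display language of Windows.
$ids = @(
    (New-Object System.Security.Principal.NTAccount($Account)),
    (New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')),     # SYSTEM
    (New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544'))  # Administrators
)
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($id in $ids) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, $full, $inherit, $none, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Folder -AclObject $acl

# Verify: the folder should now show three explicit Allow entries and nothing else.
$after = (Get-Acl -Path $Folder).Access
$after | Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
if ($after | Where-Object { $_.AccessControlType -eq 'Deny' -or $_.IsInherited }) {
    Write-Warning 'Unexpected Deny or inherited entry is still present on the folder.'
}
```

Because the Administrators group keeps full control, this separates the folder from standard accounts such as O, not from other administrator accounts on the same machine.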


#7 Wand3r3r


Posted 09 February 2015 - 03:46 PM

"when I created the S account, it was from the O account"

 

This means you are using administrator accounts. Administrator can see everything unless specifically denied [don't do that or you will regret it].

 

You should be using limited [non administrator] accounts for daily usage and if you want to hide files per profile.



#8 Kilroy


Posted 09 February 2015 - 06:36 PM

Technically an Administrator can be temporarily blocked by not giving them rights, you don't have to use Deny.  However, the Administrator can always take ownership and do what they want.



#9 Wand3r3r


Posted 09 February 2015 - 07:26 PM

IMO home users shouldn't mess with the administrator account since it gets them into deep dodo, usually requiring a reformat of the machine.

As recommended by Microsoft best practices, it's best to be using a nonadmin account for daily activities.

mianake, do you understand why not to use an admin-equal account for daily operations?



#10 mianake


Posted 10 February 2015 - 01:25 PM

"IMO home users shouldn't mess with the administrator account since it gets them into deep dodo, usually requiring a reformat of the machine.

As recommended by Microsoft best practices, it's best to be using a nonadmin account for daily activities.

mianake, do you understand why not to use an admin-equal account for daily operations?"

Laughing - I pretty much understand that I don't understand much about computers!

Note - the O account has been a standard account the last couple of weeks when all this was going on. It still had the access until I changed the setting for the file, probably since it was inherited.

Here is my short computer story. For years I had one account - O - it was, unknown to me, the Administrator account. About every two years the computer said I needed administrator approval for something, and I was bewildered, since I didn't know who the Administrator was. Now I am even more bewildered since I was the Administrator.

I tend to leave the computer on all the time, and didn't have a password. I got more concerned, and moved sensitive data etc. to the S account, and have a password on it. My goal was not to use it much and do most stuff in the O account. I also wanted to keep everything in the S account from being visible in the O account since others occasionally use it (I suppose it is just easier to have a guest account). The S account is now the administrator account, and the O account is the standard.

I also want to be able to move things between the accounts sometimes, usually from O to S. Homegroup seemed to work for this, but for reasons unknown, sometimes my Homegroup works fine (I only have it set up for S to see O, not the other way), but at other times it says there are no other members even tho all are on and logged in. In any case, all is on E drive, so when in S, I can get to O, and by virtue of above, O can't see S.

To further complicate my life, I have created a new user account, X, for one reason - I have been backing stuff up to the cloud (various clouds actually) at an incredibly slow rate due to my connection, and I wanted to keep an extra copy out of my synced folders in case something disappeared. So I keep a copy on the X account, and don't back it up on the external drive, which is almost out of space.

So far, it seems to work, tho it may be more complicated than I need. And I guess I don't really know why I shouldn't use the administrator account to do daily browsing unless it is to minimize hacking problems. If that is the case, I could further amuse myself and create a Y account to be the administrator and never use that for anything!, and then make all others, including S, standard.

Since I have rambled on, let me ask three other questions that I wonder about:

1.  If someone stole my computer, do the user passwords matter, or is it easy to get the files etc. without knowing the passwords? I am not trying to protect from a world class hacker, just wondering if it is easy to get my data rather easily from the drives or whatever even if you don't know the passwords.

2.  Does my user password somehow make it to my external drive, or is that entirely vulnerable if stolen? External drive seems to be Seagate FreeAgent.

3.  I get more viruses than I like, and wondered if having different user accounts and doing less safe browsing in only one of them would isolate the problem, and/or different browsers.

thanks much,

PS - if not mentioned, I have Windows 7 home edition


Edited by mianake, 10 February 2015 - 01:29 PM.


#11 Kilroy


Posted 11 February 2015 - 03:50 AM

1.  Windows passwords do nothing to stop someone from accessing your data if your computer is stolen, locks only keep honest people honest.  Encryption with a strong password is the only answer.

 

2.  If the drive is formatted NTFS the same as above applies.  All that needs to be done is to connect it to a machine on which you have administrative rights and take ownership.

 

3.  This is a bit more complex.  Run with a standard account, most malware cannot install on a standard account, if it does install you only need to create a new user account to replace the infected user.  Do not run Adobe Flash or Java.  Use a browser other than Internet Explorer.  I recommend Firefox with the No Script add on.  No Script will prevent all scripting from running without your permission.  Unfortunately this breaks a lot of web pages.  You can selectively enable scripts for sites that you trust.  If you click Yes on everything nothing will protect you.



#12 mianake


Posted 11 February 2015 - 02:07 PM

Thanks Kilroy

 

Can I make sure I follow your recommendations

1.  I will set up a new user as administrator, and never use it. All others standard

2.  for standards, any thoughts on Chrome, I already have it.  no scripts, then select ok for those you are ok with

3.  I don't think I have Adobe Flash, only Adobe Reader

4.  do you mean uninstall Java but do not run it.  I have never understood anything about Java or what it is etc

5.  any recommendation on easy free encryption tool.  I looked once and it got a bit technical, something about mounting and saving keys and I worried it was too complex.

 

thanks Mike



#13 Kilroy


Posted 11 February 2015 - 05:49 PM

1.  The easiest way is to set up initially with an Administrative account.  After you have everything set up initially, use the Administrative account to create another Administrative account.  Log in with the newly created Administrative account and change the original account to a standard user.

 

2.  Chrome is fine, there is an add on similar to No Script for Chrome.

 

3.  Adobe Reader isn't much better, but provided you only open trusted PDFs it isn't a major issue.

 

4.  You can install Java, but use a script blocking add on to use it only when you want to use it.

 

5.  I don't recommend encryption for the average user.  I've seen too many people lose everything because something happened to the disk and they were no longer able to access their data.  You could have a back up service to protect you from that, but then are your backups encrypted?  It gets to be messy quickly.  Also think that if you died would someone need access?  If so, how do you provide it?



#14 mianake


Posted 11 February 2015 - 06:42 PM

thanks again.

 

last questions 

I have Java installed, but at this point have no idea why, or what it does or if I need it. After your earlier post I found some pc computer article that said you can disable it for browsers in the Java settings. So I did that.

So I am a bit confused, and wondered if you might point me in the right direction

1. can I just uninstall it

2. is disabling browsers same as script blocking add on.

3. how do I do a script blocking add on.

News to me about Adobe, I have a ton of pdfs, mainly science articles, so presume secure. There isn't another way to view PDFs is there - I don't think I use Adobe Reader for anything else

Re the no scripts add on for Chrome and Firefox, I found this on a quick google search

http://www.makeuseof.com/tag/top-8-security-privacy-extensions-chrome-browser/

Is there an article on this site that explains this stuff, I don't think I have used any add-ons!

Oh, is the java script blocking add on same as no scripts for Firefox or Chrome, or does that entail doing something else

 

the more you learn, the more confused you can get!


Edited by mianake, 11 February 2015 - 07:02 PM.


#15 mianake


Posted 15 February 2015 - 02:08 PM

Hi

 

Still trying things out, like VeraCrypt. A bit confused how it interacts with user accounts.

I created a volume and mounted it on my non-existent F drive, then uploaded to cloud, then realized the guest account could see the F Drive.

So I went in and changed permissions for the entire F Drive - one account has full access, and guest access specifically denied everything.

Yet the guest account can still access F Drive under My Computer.

The other account is still logged in, but I suppose if it logs out, no one can see F Drive. But is there a way to keep other users from seeing if other one is logged in. I did that with E Drive, but not working with the fictitious F Drive.

 

thanks





