James Randi Educational Foundation JREF Forum
Old 30th June 2009, 10:04 PM   #1
bigred
Philosopher
 
Join Date: Jan 2005
Location: USA
Posts: 9,443
Vista: a way to select which folders guests can access?

In the guest account thing you can limit what programs people can use, but I see nothing on what file folders they are allowed to see, use and/or modify. I don't suppose there's a way to do this-?
Old 30th June 2009, 10:33 PM   #2
Ducky
Titanium Superhero
 
Join Date: Jun 2005
Location: Saint Paul, Minnesota
Posts: 10,769
RTFM

ETA:

With this caveat:

Quote:
Files on the root of C: are available to the guest account in order to allow it to run properly, but files in the "Users" folder are not unless someone gave the guest user folder permissions.

To further restrict the guest account's permissions you can restrict them on a per-folder level.

PLEASE BE AWARE – Restricting user permissions in the Program files or Windows folders will cause the Guest account to function improperly or not function at all!!!

Last edited by Ducky; 30th June 2009 at 10:40 PM.
Old 30th June 2009, 11:19 PM   #3
GreNME
Philosopher
 
Join Date: Sep 2007
Location: Folsom Prison
Posts: 6,412
Originally Posted by bigred:
In the guest account thing you can limit what programs people can use, but I see nothing on what file folders they are allowed to see, use and/or modify. I don't suppose there's a way to do this-?
Okay, you need to be more specific here, because there are several ways to limit access to users on a computer.
__________________
Like love, criminals will always find a way. -- foxholeatheist

The kind of pacifism I endorse is brought about by eliminating one enemy combatant at a time.-- JoeyDonuts
Old 1st July 2009, 12:10 AM   #4
Ducky
Titanium Superhero
 
Join Date: Jun 2005
Location: Saint Paul, Minnesota
Posts: 10,769
Originally Posted by GreNME:
Okay, you need to be more specific here, because there are several ways to limit access to users on a computer.
I waffled on the answer, as it could be he's referring to network shares, but I doubt it. I took it after consideration as the Windows version of chrooting a user to their home directory.

Which, as the link I provided shows, is a bad idea for the guest account on Windows (though, I'm not sure I agree with their implementation of a guest account like they have and the same goes for OS X's guest account) because you shouldn't restrict access to Program Files or Windows directories if you want to keep functionality to the account.

By default, however, the Windows guest account cannot look into other folders in the Users directory. So I'm not sure I understand why he wants to restrict it, unless he's keeping sensitive info outside his My Documents directory.
Old 1st July 2009, 09:41 AM   #5
GreNME
Philosopher
 
Join Date: Sep 2007
Location: Folsom Prison
Posts: 6,412
By default on Vista, no user account can access other user accounts' home folders (meaning no opening the directory at all), and regular user level accounts don't have write access to the Windows or Program Files directories (or the root directory). The guest account would have even more limitations on running software and saving data, though using the regular user level permissions as a base template is a good rule of thumb for judging guest access.

I think comparing it to chrooting a user's directory would be as good an example as any, but for the most part that's what Windows does (with some exceptions due to directory structures being different). Then again, I agree in that I don't like its implementation (or the OS X implementation), because a savvy enough user can still elevate privileges the way they are. There are some manual tweaks that one can use on both to ensure better security lockdown, but with Windows at least I would instead recommend creating a separate user account and manually locking that down instead of using the guest account-- there are more ways to limit things and you can know exactly what's being limited.
__________________
Like love, criminals will always find a way. -- foxholeatheist

The kind of pacifism I endorse is brought about by eliminating one enemy combatant at a time.-- JoeyDonuts
Old 1st July 2009, 09:53 AM   #6
bigred
Philosopher
 
Join Date: Jan 2005
Location: USA
Posts: 9,443
Originally Posted by Ducky:
unless he's keeping sensitive info outside his my documents directory.
Bingo.

No network. Just generally thinking if someone else uses my PC, I might not want them to access or even see, for example - oh just hypothetically, say - something like "C:\Porn"
Old 1st July 2009, 09:56 AM   #7
Wudang
BOFH
 
Join Date: Jun 2003
Location: Sheffield
Posts: 4,412
Create a new group, add your account and don't allow guest.
Start here http://technet.microsoft.com/en-us/l.../bb490706.aspx to create a new group.

Right-click on "command prompt" and select "run as administrator" first
__________________
Aphorism: Subjects most likely to be declared inappropriate for humor are the ones most in need of it.
Old 1st July 2009, 11:49 AM   #8
Rat
Not bored. Never bored.
 
Join Date: May 2003
Location: Leicester, UK
Posts: 3,588
Originally Posted by bigred:
Bingo.

No network. Just generally thinking if someone else uses my PC, I might not want them to access or even see, for example - oh just hypothetically, say - something like "C:\Porn"
Truecrypt is what you want for that.
__________________
"One must judge a person above all by their vices. Virtues can be feigned. Vices are genuine." - Klaus Kinski
UKLS 1988-?
orking till the cows come home...
Sitting on the fence throwing stones at both sides.
Old 1st July 2009, 01:22 PM   #9
GreNME
Philosopher
 
Join Date: Sep 2007
Location: Folsom Prison
Posts: 6,412
Originally Posted by bigred:
Bingo.

No network. Just generally thinking if someone else uses my PC, I might not want them to access or even see, for example - oh just hypothetically, say - something like "C:\Porn"
As Rat says, you can use something like TrueCrypt. Or you can do something even easier and move the C:\Porn directory to a different directory-- say, 'C:\BigredMedia\' and remove any and all permissions for any user but yourself and admin, which would block anyone else from accessing 'C:\BigredMedia\Porn' because they wouldn't be able to get to the root of 'C:\BigredMedia\' to list the contents. Alternatively, you could take the desired directory root and adjust the permissions to Deny the 'List Folder Contents' permission, but I'd advise against doing that to the system root because that would cause operational problems.

Basically, if you're storing directories under your system root, then you're already doing it wrong in the first place. Put them somewhere more logical, and protect the root directory of where you put them using ACLs. Done and done.
__________________
Like love, criminals will always find a way. -- foxholeatheist

The kind of pacifism I endorse is brought about by eliminating one enemy combatant at a time.-- JoeyDonuts
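The group suggested in post #7 and the folder lockdown described in post #9, combined into one batch script. This is an added example, not code from any poster: `C:\BigredMedia` is the folder named in the post, while the group name `MediaOwners` and the account name `bigred` are hypothetical, and it assumes an `icacls` version that supports `/inheritance`.

```bat
@echo off
rem Added example, not from the thread. Run from an elevated command prompt.
rem C:\BigredMedia is the folder named in the post; the group "MediaOwners"
rem and the account "bigred" are hypothetical names, adjust to your system.
setlocal
set "TARGET=C:\BigredMedia"
set "GROUP=MediaOwners"
set "OWNER=bigred"

if not exist "%TARGET%\" (echo %TARGET% not found & exit /b 1)

rem 1. Local group that contains only the account allowed in.
rem    (net reports an error if the group or membership already exists.)
net localgroup "%GROUP%" /add
net localgroup "%GROUP%" "%OWNER%" /add

rem 2. Save the current ACLs first so the change can be undone with
rem    icacls /restore.
icacls "%TARGET%" /save "%TEMP%\BigredMedia.acl" /T || exit /b 1

rem 3. Add the explicit grants BEFORE cutting inheritance, so the folder is
rem    never left with an empty ACL. The built-in principals are given as
rem    SIDs because their names are localized:
rem    S-1-5-32-544 = Administrators, S-1-5-18 = SYSTEM.
rem    (OI)(CI) makes the entry inherit to files and subfolders; F = full.
icacls "%TARGET%" /grant:r "%GROUP%:(OI)(CI)F" "*S-1-5-32-544:(OI)(CI)F" "*S-1-5-18:(OI)(CI)F" || exit /b 1

rem 4. Remove every entry inherited from C:\ (this is what let other
rem    users, Guest included, list the folder).
icacls "%TARGET%" /inheritance:r || exit /b 1

rem 5. Files moved within a volume keep their old explicit entries.
rem    Reset everything below the folder to inherited-only permissions.
icacls "%TARGET%\*" /reset /T /C

rem 6. Show the result: only the three entries from step 3 should remain.
icacls "%TARGET%"
endlocal
```

Group membership is evaluated at logon, so the owning account has to log off and back on before the new group grants it access.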
Old 1st July 2009, 05:26 PM   #10
Ducky
Titanium Superhero
 
Join Date: Jun 2005
Location: Saint Paul, Minnesota
Posts: 10,769
Originally Posted by GreNME:
As Rat says, you can use something like TrueCrypt. Or you can do something even easier and move the C:\Porn directory to a different directory-- say, 'C:\BigredMedia\' and remove any and all permissions for any user but yourself and admin, which would block anyone else from accessing 'C:\BigredMedia\Porn' because they wouldn't be able to get to the root of 'C:\BigredMedia\' to list the contents. Alternatively, you could take the desired directory root and adjust the permissions to Deny the 'List Folder Contents' permission, but I'd advise against doing that to the system root because that would cause operational problems.

Basically, if you're storing directories under your system root, then you're already doing it wrong in the first place. Put them somewhere more logical, and protect the root directory of where you put them using ACLs. Done and done.
Or, conversely, put your sensitive data in your own home folder.
Old 1st July 2009, 05:49 PM   #11
Bobert
Government Loyalist
 
Join Date: Dec 2006
Posts: 4,048
Originally Posted by bigred:
Bingo.

No network. Just generally thinking if someone else uses my PC, I might not want them to access or even see, for example - oh just hypothetically, say - something like "C:\Porn"
Look, even if they do see your porn you just say, "I don't know how that got there, it must be a virus!!"
__________________
CIT CULT founder Ranke responding to where Flight 77 is"I'm not aware of any "theories" nor am I interested in theorizing about what method was used to murder them ."
CIT CULT MEMEMBER ROUNDHEAD Suck on one weenie, you are a weenie sucker for life
CIT CULT founder Aldo Marquis :You're going to regret. Don't forget we have your info too pal. Think about your kid and family
Old 1st July 2009, 08:41 PM   #12
GreNME
Philosopher
 
Join Date: Sep 2007
Location: Folsom Prison
Posts: 6,412
Originally Posted by Ducky:
Or, conversely, put your sensitive data in your own home folder.
Natch. I just didn't want to be presumptuous.
__________________
Like love, criminals will always find a way. -- foxholeatheist

The kind of pacifism I endorse is brought about by eliminating one enemy combatant at a time.-- JoeyDonuts
Old 1st July 2009, 11:36 PM   #13
Ducky
Titanium Superhero
 
Join Date: Jun 2005
Location: Saint Paul, Minnesota
Posts: 10,769
Originally Posted by GreNME:
Natch. I just didn't want to be presumptuous.
Not presumptuous in the computers forum?

Are you feeling ok?
All times are GMT -7. The time now is 11:55 AM.
Powered by vBulletin. Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.
© 2001-2010, James Randi Educational Foundation. All Rights Reserved.

Disclaimer: Messages posted in the Forum are solely the opinion of their authors.