Protecting Files, Folders and Shares in Windows
Last Updated: 17 Jul 2004
*** PLEASE NOTE: Link(s), If Provided, May Be Wrapped ***
Windows NT and above (2000/XP/2003) support the ability
to protect shared resources as well as files and folders.
You need to be using NTFS to protect files and folders
individually, but SHARES can alway be protected.
Unlike Win9x/ME, you cannot protect a resource with a
password that is not tied to an account. Here is how
access control works with the NT-family:
Accounts are created on each machine (Local Accounts)
or in a domain (Domain Accounts). When you attempt to
connect to a remote resource, a check is performed to
establish if you have rights for that resource.
CONNECTING TO REMOTE RESOURCES
If you have an account that is trusted, or matches the
name and password of a trusted account, then you are
seamlessly granted access to the resource. If you don't
have an acccount (but you're not explicitly denied
access to the resource), you will be prompted for
account credentials so that connection can be made.
Once the connection has been made, it will exist for
the length of your logon session unless one of the
- You deliberately disconnect via Explorer or NET USE
- You log off OR reboot
- The connection is broken by the remote resource
To set permissions for a resource, use Windows
Explorer or CACLS/XCACLS to assign rights to users
or groups at the SHARE and/or FILE level.
If you want to be prompted EACH time that you connect
to a remote resource during a single session, or you
want to set a password on a folder that is independent
of any user accounts, you will need to make use of a
3rd party utility, such as the following:
• AB Folder Lock ......... http://www.tucows.com/system/preview/292646.html
• ABI-Coder .............. http://www.abisoft.net/bd.html
• ABI-Secure Pro ......... http://www.abisoft.net/securepro.html
• Access Administrator ... http://www.softheap.com/
• Dekart Private Disk .... http://www.dekart.com/home/
• DriveCrypt ............. http://www.drivecrypt.com/dcplus.html
• Easy File Protector .... http://www.softstack.com/
• File Protector ......... http://www.tucows.com/system/preview/195497.html
• Folder Guard ........... http://www.winability.com/home/
• Folder Shield .......... http://www.snapfiles.com/get/foldershield.html
• Magic Folders .......... http://www.pc-magic.com/
• PGPDISK ................ http://www.pgpi.org/products/pgpdisk/
• PrivateCrypto .......... http://www.utimaco.com/privatecrypto/eng_privatecrypto.html
• Secure Desk ............ http://www.cursorarts.com/ca_sd.html
• Secure Files ........... http://www.securefiles.net/
• Security Suite ......... http://www.softclan.com/english/secsuite.html
• Universal Shield ....... http://www.snapfiles.com/get/unishield.html
Personally, I prefer the default behavior of the NT
family with regards to the protection of files and
folders because just tying the protection to a password
makes it easier for the security to be compromised, and
harder to audit the access to the resource.
WHITEPAPERS & TECH DOCUMENTS
• One of the coolest features of Windows XP is the
ability to determine the "Effective Permissions"
of any group or account. This is available under
the Advanced Permissions dialog box. This is also
available under Server 2003.
• If "Simple File Sharing" is enabled, which it is
by default in XP Pro, you will not be able to set
specific permissions to prevent users from accessing
your shared folders (it's either Everyone or No-one).
To change this back to the Win2K Pro style, do the
- Open an Explorer window
- Select "Tools"
- Select "Folder Options"
- Select "View"
- Go to "Advanced Settings"
- Scroll all the way to the bottom of the list
- Uncheck "Use Simple File Sharing"
• SoftClan Security Suite comes the closest to providing
Win9x with NT-level security features.