Page 1 of 2 12>
Topic Options
#45041 - 2003-09-10 02:30 PM Hiding folders and files using kixtart
Raj Mann Offline
Fresh Scripter

Registered: 2003-07-02
Posts: 7
Loc: Birmingham
Hi,

I am trying to hide the files and folders in the local c: drive on my workstations (mixture of 2000 and 98). I have already hidden the c: drive icon but using explorer, users can still get access to the c: drive if they type 'c:\' in the address bar.

Does anyone know of a way i can do this using kixtart?

Thanks in advance
Raj

Top
#45042 - 2003-09-10 02:49 PM Re: Hiding folders and files using kixtart
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
there is no way doing it via kixtart or via any other means.
sorry.

with policy you could try to disable exploring the computer but total hiding you will never get.
_________________________
!

download KiXnet

Top
#45043 - 2003-09-10 03:00 PM Re: Hiding folders and files using kixtart
Jochen Administrator Offline
KiX Supporter
*****

Registered: 2000-03-17
Posts: 6380
Loc: Stuttgart, Germany
You might try this :

Using System Policies to Hide Specific Drive Letters

But as soon there is MS Office installed on your clients your doomed sooner or later depending on the skills of your users as the 'Office Browser' don't give a sh* on policies [Wink]

BTDTGTTS [Roll Eyes]
_________________________



Top
#45044 - 2003-09-10 03:03 PM Re: Hiding folders and files using kixtart
Stephen Wintle Offline
Seasoned Scripter

Registered: 2001-04-10
Posts: 444
Loc: England
Couldnt you use the attrib dos command to hide files, I know RM does this some way using their file protector program, this runs after log on to get around the problem of the registry restrictions, what about disabling the ability to delete the files should this be enough?

Steve
_________________________
Dont worry because a rival imitates you. As long as they follow in your tracks they cant pass you!

Top
#45045 - 2003-09-10 03:26 PM Re: Hiding folders and files using kixtart
Stephen Wintle Offline
Seasoned Scripter

Registered: 2001-04-10
Posts: 444
Loc: England
Also according to the following link, you can stop users from accessing the hidden drives...
Microsoft by using Access Control List (ACL) on an NTFS partition.

Steve

[ 10. September 2003, 15:29: Message edited by: Stephen Wintle ]
_________________________
Dont worry because a rival imitates you. As long as they follow in your tracks they cant pass you!

Top
#45046 - 2003-09-10 03:50 PM Re: Hiding folders and files using kixtart
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Depending on what you are after you can have a play with some of the extended permissions.

Try DENY on "list folder contents"

Make sure you understand all the implications of setting this, and try it on less vital areas first until you are confident about the results.

[ 10. September 2003, 15:54: Message edited by: Richard H. ]

Top
#45047 - 2003-09-10 04:04 PM Re: Hiding folders and files using kixtart
Jack Lothian Offline
MM club member
*****

Registered: 1999-10-22
Posts: 1169
Loc: Ottawa,Ontario, Canada
As Jochen states really hiding something on the local drives is difficult. Many MS apps (Paint, WordPad, Office, IE, etc) can bypass system policies. Once these folders are found there are ways to bypass the ACLs or attributes. Why do you wish to do this?

[ 10. September 2003, 16:06: Message edited by: Jack Lothian ]
_________________________
Jack

Top
#45048 - 2003-09-10 04:10 PM Re: Hiding folders and files using kixtart
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
How do you bypass a "deny"? It takes precedence over "allow" permissions, and is applied at the filesystem level rather than the application level.
Top
#45049 - 2003-09-10 04:33 PM Re: Hiding folders and files using kixtart
Jack Lothian Offline
MM club member
*****

Registered: 1999-10-22
Posts: 1169
Loc: Ottawa,Ontario, Canada
Richard,

You know more about this stuff than than me but couldn't I just remove the setting? There are utilities & procedures available to help me bypass & reset the settings. If worse came to worse I guess I could install a second version of Win2000 & use this version to open up the first version. I done this on NT stations & I understand that this vunerability still exists on Win2000 but was eliminated with WinXP. On WinNT you can even edit the registry of the first version from the second version. I am uncertain if you can do this with Win2000 though.

In addition, the deny setting doesn't exist on Win98 clients.

I think it is important to know why he wishes to do this because there might be a more obvious solution to his problem if we knew what he was trying to achieve.

[ 10. September 2003, 16:43: Message edited by: Jack Lothian ]
_________________________
Jack

Top
#45050 - 2003-09-10 05:08 PM Re: Hiding folders and files using kixtart
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Ah, I thought you might have had some sneaky exploit.

If you don't have permissions to change NTFS permissions (a bit circular I know), then no, you cannot remove it.

Win9x as you say don't have NTFS, and local drives cannot be secured in any way without a third party replacement for the file system.

Lord save us from users who are savvy enough to do a second install of W2K and fake admin UIDs to access a slaved partition [Eek!]

Top
#45051 - 2003-09-10 05:18 PM Re: Hiding folders and files using kixtart
Jack Lothian Offline
MM club member
*****

Registered: 1999-10-22
Posts: 1169
Loc: Ottawa,Ontario, Canada
The JSI site offers a lot of tips & ideas concerning NTFS & system permissions. I suspect a 1/2 hour of research on this site would generate the sneaky exploit.
_________________________
Jack

Top
#45052 - 2003-09-11 09:52 AM Re: Hiding folders and files using kixtart
Raj Mann Offline
Fresh Scripter

Registered: 2003-07-02
Posts: 7
Loc: Birmingham
Thanks for your help so far, i work at a school and kids can gain access to the c: drive via 2 ways. They can type 'c:\' within the address bar of explorer and can type 'c:\' in the open window of various ms applications.

If kids can gain access to the c: drive they will delete files and folders. Therefore i was looking at a way how to either hide the contents of c:\ drive or somehow prevent kids from deleting these files and folders.

Top
#45053 - 2003-09-11 10:08 AM Re: Hiding folders and files using kixtart
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
actually, they probably can get to the control panel and c-drive and where ever via one simple click over taskbar.
_________________________
!

download KiXnet

Top
#45054 - 2003-09-11 11:09 AM Re: Hiding folders and files using kixtart
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
If the machines are Win9x, forget it - there is no security.

If the machines are running an OS with NTFS partitions you can lock down the permissions to that
a) They cannot delete / change files and folders.
b) They cannot browse the contents of folders.
c) They cannot change the permissions to allow them to do "a" or "b".

The process is simple, but long winded:
1) Disable file and folder browsing/deleting/changing to all but administrative staff.
2) Re-enable it on obvious directories - temp, document folders, indvidual system files that need write access etc.
3) Make sure all your applications work, change permissions as you find files / directories which need change/delete/browse access.

Once you have a process which works, script it so you can apply it to all your machines and any new ones that come along.

The simple quick fix if you are running Win2000 or XP is to go to the C: drive properties and set "deny" on "list folder contents" for the group which comprises your students. Replicate the setting down the directory tree, and ensure that the student group does not have permissions to change the setting.

They will now get "access denied" if they attempt to use a GUI browser, and no results if they try to user DOS dir or similar.

Top
#45055 - 2003-09-12 12:14 AM Re: Hiding folders and files using kixtart
Co Offline
MM club member
***

Registered: 2000-11-20
Posts: 1341
Loc: NL
Maybe an idea??

Why don't you use Ghost?

If one of the kids deletes files you can image the drive and in a view minutes everything is OK
_________________________
Co


Top
#45056 - 2003-09-12 12:58 AM Re: Hiding folders and files using kixtart
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
or like I built one machine.
it had 2 partitions another for image and another for the "OS"

machine booted into the image part which loaded it with ghost (took about 5 mins) and rebooted.
this time as the OS was pushed, the boot.ini had the OS boot up.

once the OS booted, it overwrote the boot.ini to boot from the image part.
I liked that [Big Grin]
sadly the load time was little too much...
damn ide-drives.
but otherwise awesome work, even though I say it [Wink]
_________________________
!

download KiXnet

Top
#45057 - 2003-09-11 05:18 PM Re: Hiding folders and files using kixtart
Jack Lothian Offline
MM club member
*****

Registered: 1999-10-22
Posts: 1169
Loc: Ottawa,Ontario, Canada
The most effect way to lock down is to specify the allowable executable files in the registry under [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun].

Richard is over stating the case against Win9x. It can be locked down but it is harder than with Win2000 machines & it in some cases less effective. The problem is Win9x ships with all security turned off by default plus Win9x has extra vulnerabilities in the DOS boot up, MSDOS.sys, etc that Win2000 doesn't.

This issue has been discussed a lot in the past (i.e. locking down win9x) especially a few years ago. Do a forum search on this in the starters & scripts forums & I am sure you will find lots of info.

The problem with a mixed Win2000/Win98 environment is the best & most effecient methods for locking down machines is quite different between the 2 OS. With Win2000 the policy & group policies environment is rich & robust while in Win98 it stinks & the most effective approach is to abandon policies all together & manual control everything from your scripts.

My personal observation is school's are not at all like work environments & most discussions on the web concerning security are irrelevant to schools. In a school security means physically protecting the hardware & software from damage by students. Protecting your network from outside invasions is often a minimal concern or even irrelevant. Also it is impossible to stop students from degrading & damaging both the hardware & software. The number of creative approaches they can find to damage the hardware/system are truly amazing. Even Win2000 labs with bullet proof policies will loss 1 or 2 machines a month.

In this context, a good system rebuild function is an imperative if you really want to keep a lab up & functioning consistently. You need a system which will automatically rebuild the system OS over night. Something like PCRDIST or GhostWalker or SMS (if you can afford it) are vital.
_________________________
Jack

Top
#45058 - 2003-09-11 05:38 PM Re: Hiding folders and files using kixtart
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
quote:
Richard is over stating the case against Win9x
How do you do set local file system permissions with Win9x?

AFAIK they use the FAT file system and don't have the facility. When I said there is no security I meant it literally.

You can toughen up the initial access security by removing or disabling the diskette drive and CD-ROM drive so they cannot boot from these, and you can change the logon security so they must boot off the network.

However, once they have logged on there is no local file security. If you have Win9x machines you need to accept that you will have to audit them regularly and be prepared to rebuild quickly.

Top
#45059 - 2003-09-11 08:01 PM Re: Hiding folders and files using kixtart
Jack Lothian Offline
MM club member
*****

Registered: 1999-10-22
Posts: 1169
Loc: Ottawa,Ontario, Canada
Richard – a minor rant,

In a school environment you can remove all tools that allow a student to have access to files in protected folders. The best way is to purchase 3rd party security software but you can achieve the same results through the Restrictrun policy plus a removal of problem programs plus disabling of hot keys, plus various system policies, etc. It does work, I have seen it work.

Many schools, libraries & universities (thousands or even 10 of thousands of institutions) have done successfully large scale implementations of Win9x clients & these systems stayed stable & protected for long periods of time. Even today, many such Win9x labs still exist, 8 years after Win9x was released. These environments have undergone an intensive invasive use on a daily basis for close to a decade. The equivalent in a business environment does not exist. Imagine if a significant number of workers made it their primary goal each day to disable the computer on their desk. In the business world the philosophy is the user controls, protects & influences their machine/system to some extent. Whereas in a school, we know that a significant number of users are hostile to the computers. As a consequence, in a school things are done & should be done that would never fly in the business world.

Another perspective, Novell 3/4 had many security features that were ideal for school IT managers. When MS brought out the proprietary ACL/SID security environment with NT, it was a serious backward step for many schools. Things that were easy in Novell were impossible in this new environment. It took years for IT managers in schools to achieve with NT the same level of security achieved with Novell.

Defining “real security” as an ACL/SID environment implies that one must always use MS post-NT clients & servers. Not only can Win9x never be secure but Linux & any other non MS clients or server can never be secure either. In this limited world the only way to be secure is to have an ACL/SID system which is a proprietary MS system which in turn means you can only be secure with MS software. Thus security is something that can only be provided by MS.

Finally, Win2000 in not a panacea for security concerns. Students do things that MS never contemplated & they can be very sophisticated in their attacks. Protecting a Win2000 system in a school is an ongoing battle that you can never fully win. One of my favorite stories is of an elementary school where the IT teacher thought they had an iron tight desktop. Students couldn’t delete files or icons or edit them yet one day the teacher found that icons were disappearing from the desktops. He couldn’t figure out how students were doing it. It turned out the students had discovered that they could hide the icons behind the Start button on the tool bar. This wasn’t easy to do since they first had to move the tool bar than place the icon were the tool bar use to be & then move the tool bar back. These were 11 year olds!

[ 11. September 2003, 20:30: Message edited by: Jack Lothian ]
_________________________
Jack

Top
#45060 - 2003-09-11 08:04 PM Re: Hiding folders and files using kixtart
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
a quickie of locking down via allowable apps.
you want to hide/disable the file exploring.
now, do you disable explorer.exe that is the app that does the job?

IIRC I did that once...
didn't have desired effect [Big Grin]
_________________________
!

download KiXnet

Top
Page 1 of 2 12>


Moderator:  Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart 
Hop to:
Shout Box

Who's Online
0 registered and 373 anonymous users online.
Newest Members
Raoul, Timothy, Jojo67, MaikSimon, kvn317
17875 Registered Users

Generated in 0.097 seconds in which 0.041 seconds were spent on a total of 12 queries. Zlib compression enabled.

Search the board with:
superb Board Search
or try with google:
Google
Web kixtart.org