Folder Guard can be used to extend the built-in security and access control capabilities of Windows networking. For example:
Below we use the following terms:
Note that our use of these terms (server and client) does not mean that you must have a client-server type of network in order to use Folder Guard on it. Even if your computers are connected into a simple peer-to-peer network, any pair of the computers may be considered a client-server pair. For example, if you share a folder located on your computer, and a user of some other computer attempts to open a document from your shared folder, then in this situation your computer is the server, and that other computer is the client. If, on the other hand, you are trying to open a document located in a shared folder on another computer, then your computer is the client, and that other computer is the server.
Although Windows networking lets you set up access rights to the shared folders, you can use Folder Guard for a greater flexibility of such control. For example, on a peer-to-peer network, if you use Windows networking to share one of your local folders and allow access to it for other network users, all files and subfolders of such a folder will be accessible to the network users as well. With Folder Guard, however, you can make some of the subfolders not accessible and/or not visible to other network users, thus letting them see and/or open only the documents that you want them to.
You can use Folder Guard to control access to and visibility of the shared folders in the same way as with the local folders, by assigning the desired attributes to such files and folders for different user accounts, just as you would on a stand-alone computer with multiple user accounts. You should remember, however, that if you set up a restriction on the folder other than the original restriction set up with the built-in Windows networking, then the stronger of the two restrictions will be used by Windows as the result. For example, if you have shared a folder with read-only access, and then used Folder Guard to apply the full access attribute to such a folder, the folder will remain read-only. If, however, you assign the no access attribute to it with Folder Guard, the folder will become inaccessible. (This is because the no access restriction is stronger than read-only, which in turn is stronger than full access.)
Note also that Folder Guard does not currently support unlocking the folders over the network: if you protect a shared folder with an unlocking password, you must log in to the server locally (or via a remote administration tool) to be able to enter the unlocking password on the server and unlock access to the folder. If someone attempts to open the protected folder via the network, such a user will simply be denied access to the folder; the password prompt will NOT be displayed to such a user.
You can choose to install Folder Guard directly on the server if you want to set up user-specific restrictions for the network users. However, Folder Guard does not currently support Active Directory or user groups; only the local user accounts existing on the server can be used. To specify the protection settings for the network users, first add the user names to the User List of Folder Guard, and then assign the desired protection attributes to the files and folders for each such user. These attributes will determine how the files should be restricted and/or visible to the network users connecting to the server.
Note that your network can be configured in a way that may complicate the configuration of Folder Guard, or make it appear not to protect the computer according to your settings. For example, if you have configured your computer to use the Simple file sharing protocol (if you use Windows XP Home edition, this is the only option available; you cannot turn it off!), then any user accessing your computer over the network will appear as if it were the Guest user. In such a situation, you would not be able to set up different folder restrictions for different users; you would be able to create restrictions for the Guest account only, which would apply to all networked users.
If you have disabled the Simple file sharing protocol, but the networked users are still authenticated as the Guest user, run the Start - Computer Management - Local Security Policy command, navigate to the Local Policies - Security Options list, find the Network access: Sharing and security model for local accounts policy, and set it to Classic - local users authenticate as themselves.
Note that your network can be configured so that Windows would use a separate COMPUTER$ account (where COMPUTER is replaced with the actual name of the computer; for example, if the name of the server is FILESERVER1, the name of this special account would be FILESERVER1$) for the network users connecting to the server. When such a configuration is used, you should set up the appropriate visibility attributes of the folders for the user name COMPUTER$ (again, replace COMPUTER with the actual name of the server). Please contact your server administrator to find out whether this situation applies to your network.
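The following script is an added example, not part of the Folder Guard documentation. It reports the server-side conditions described above: whether network users are forced to the Guest identity, which local accounts exist for the User List, and the name of the COMPUTER$ account. It assumes an elevated PowerShell 5.1 or later session on the server and reads the ForceGuest registry value that Windows uses to store the sharing and security model policy.

```powershell
# Added example (not from the Folder Guard documentation).
# Run in an elevated PowerShell 5.1+ session on the server that hosts the shares.

# Registry value behind the policy
# "Network access: Sharing and security model for local accounts":
#   0 = Classic (local users authenticate as themselves), 1 = Guest only
$lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$forceGuest = (Get-ItemProperty -Path $lsaKey -Name ForceGuest -ErrorAction SilentlyContinue).ForceGuest

if     ($null -eq $forceGuest) { $model = 'Not configured (Windows default applies)' }
elseif ($forceGuest -eq 1)     { $model = 'Guest only' }
else                           { $model = 'Classic' }

# Locate the built-in Guest account by its well-known RID (501), since it may be renamed.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.*-501$' }

# Enabled local accounts: per the text above, only local accounts on the server
# can be added to the Folder Guard User List.
$localUsers = Get-LocalUser | Where-Object { $_.Enabled } | Select-Object -ExpandProperty Name

[pscustomobject]@{
    SharingModel              = $model
    NetworkUsersForcedToGuest = ($forceGuest -eq 1)   # if True, only Guest restrictions take effect
    GuestAccountName          = $guest.Name
    GuestAccountEnabled       = $guest.Enabled
    EnabledLocalUsers         = $localUsers -join ', '
    MachineAccountName        = $env:COMPUTERNAME + '$'  # the COMPUTER$ name described above
} | Format-List
```

If NetworkUsersForcedToGuest is True, restrictions assigned to any account other than Guest will not affect users connecting over the network until the policy is set to Classic.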
Note also that due to the internal design of the Windows NT-based versions of Windows, it is currently not possible to set up the user-specific restrictions of the visibility of the folders and files over the network. It is so because Windows does not use the original user account when browsing the folders over the network; instead, it uses the built-in SYSTEM account to do that. (The access attributes are still used on the user-by-user basis, provided that the conditions described above are met.) This means, for example, that you cannot hide a shared folder from some network users and allow other network users to see that folder at the same time; you can only hide a folder from all network users or from no one. As a workaround, you may want not to restrict the visibility of the folders from the networked users, but set up the user-specific access restrictions instead. This way, even though the users would be able to see the restricted folders over the network, they would not be able to open them.
You may need to configure the protection of the server in such a way that only the network users would be restricted from accessing the server's files and folders, but any user logged in to the server locally, or any program running on the server as a service, would be exempt from the restrictions. To set up such protection, you can use the fact that when a user is accessing the server via the network, the server sees such access as if it were coming from a program named SYSTEM. (This is true no matter what program the user is actually using on the workstation: it can be Internet Explorer, or a database client, or any other program; all such programs appear as SYSTEM to the server.) You can use this fact to configure Folder Guard to apply its restrictions only to the SYSTEM program, and that would make them apply to the network users only.
To set up such protection, use the Trusted Programs dialog box to enable the All programs are trusted except the listed ones option, and make the list contain only one program name: SYSTEM. This way, all programs running on the server locally will be treated by Folder Guard as trusted programs, and no restrictions will apply to them. If, however, a user is accessing the server via the network (that is, via the SYSTEM program), that will make Folder Guard apply its restrictions to such a user.
An alternative way of protecting network resources with Folder Guard is installing it directly on the client computers (rather than on the servers), and restricting the client computers themselves. To use Folder Guard in this way, first you should map the shared folders to local drive letters on the client computers, because Folder Guard cannot currently protect network folders without drive letters associated with them. After the drive letters for the shared folders are set up, run Folder Guard and assign the desired access and visibility attributes to the files and folders located on the network drives. You can set up the unlocking passwords for the folders on the network drives, too. After you have restricted access to the shared folders through the drive letters, Folder Guard will restrict access to them even if the user uses the UNC paths to open or browse the documents located in the shared folders.
The advantage of this method of protecting access to the shared folders is that all features of Folder Guard that are available for the local drives can be used with the network drives as well. For instance, you could protect the folders on the network drives with the unlocking passwords, and the users of the client computers would be able to unlock the folders for their use by entering the appropriate passwords. The user-specific restrictions would work even if the Simple file sharing protocol were enabled on the client computer. The disadvantage of this approach, however, is that only the client computers that have Folder Guard installed and configured on them would be restricted from accessing the shared folders of the server. If someone connects to your network from a computer without Folder Guard installed on it, such a user would not be restricted from accessing the shared folders. In such a case you should install Folder Guard on the server as well and set up the user-specific restrictions so that only the known users would be allowed to access the shared folder.
In such a case the restrictions set up on the server take precedence over the restrictions existing on the client computers. For example, if the server is configured so that the user Jim is not allowed to access the shared folder, then even if Folder Guard on Jim's computer is configured to allow such access, Jim would still not be able to access the shared folder.
Another rule that applies to such a situation is that the restricting attributes take precedence over permissive ones. For example, if Folder Guard on the server is configured to allow access for the user Jim, but Folder Guard on Jim's computer is configured to deny such access, Jim would not be able to access the shared folder. Only if Jim connects to the server from another computer that does not have Folder Guard configured to deny such access would Jim be able to access the shared folder on the server.
If you plan on protecting a large number of computers with Folder Guard, you may want to order the Folder Guard Administrator's Kit, which contains the tools to help you automate the installation and licensing of Folder Guard on a large network.