Windows 2k Pro Folder Sharing

[BigDog2k]

I have a user (VP, which should explain why we didn't tell him to shove off) that wants to share his c: drive, but wants to password protect it so that he won't get virus.
He was able to do this in Windows 98, but we are finally moving him up to Windows 2k Pro. From what I can tell Windows 2k Pro doesn't have this feature (which doesn't surprise me, as it is built for business, which stays away from peer-to-per)
Because he is a VP, we can't tell him to stop sharing his c: drive, but he is pretty hot about the password protection. (He wants to block virus from coming in to his computer, but doesn't like virus scanners?!?!?!?!) He knows about the permissions, but wants to have the 2 people that hold the record (40,000, more than our mail server) for the amount of infected files on their computer (through P2P and surfing) to have Full Rights and to put in a password before they can go on his machine. He won't let us dictate that all shared files need to be on a server thought so they are scanned and backed-up (that is another long standing battle)

Does anyone
a: Know if it is possible to do natively in Windows 2k Pro?
b: Recommend any 3rd party software that will do this.

It must password protect a folder via network access, not just local machine access


Thanx

 

[lowtech1]

Originally posted by: BigDog2k
I have a user (VP, which should explain why we didn't tell him to shove off) that wants to share his c: drive, but wants to password protect it so that he won't get virus.
He was able to do this in Windows 98, but we are finally moving him up to Windows 2k Pro. From what I can tell Windows 2k Pro doesn't have this feature (which doesn't surprise me, as it is built for business, which stays away from peer-to-per)
Because he is a VP, we can't tell him to stop sharing his c: drive, but he is pretty hot about the password protection. (He wants to block virus from coming in to his computer, but doesn't like virus scanners?!?!?!?!) He knows about the permissions, but wants to have the 2 people that hold the record (40,000, more than our mail server) for the amount of infected files on their computer (through P2P and surfing) to be have to put in a password before they can go on his machine. He won't let us dictate that all shared files need to be on a server thought so they are scanned and backed-up (that is another long standing battle)

Does anyone
a: Know if it is possible to do natively in Windows 2k Pro?
b: Recommend any 3rd party software that will do this.

It must password protect a folder via network access, not just local machine access


Thanx

Right click the directory (folder) and select sharing...,
then select the General tab and check read-only Atributes and apply to this folder & subfolders/files (this give the share directory with read only permission & no write allow therefore viruses can't write to it),
then select the Sharing tab and mark the radio button share this folder & you may want to give it a share name & number of people that can access it concurently if applicable,
then uncheck allow inheritable permissions from parent to propagate to this object,
then click add to add the appropriate user/s that allow to access the directory.

IMHO, you should get a book on mastering Win2k.

Good luck!

 

[BigDog2k]

I guess I wasn't clear, but they need Full Rights, not just read. If it was that simple, it would have been done already.

BTW, We do have books on Win2k. It isn't in there, so that's why I was asking here!

Thank you for the try, but next time don't include digs when offering hints. It just makes you look bad.

 

[lowtech1]

Originally posted by: BigDog2k
I guess I wasn't clear, but they need Full Rights, not just read. If it was that simple, it would have been done already.

BTW, We do have books on Win2k. It isn't in there, so that's why I was asking here!

Thank you for the try, but next time don't include digs when offering hints. It just makes you look bad.

Ignore the General tab & make sure that the read-only attributes option is not mark if you want to give Full Access to the share (I suggested giving the directory read-only permission as a security reason, but you don't have to use it.)

Under the Sharing tab > click the Permission button > clear all check marks for everyone > click Add button to add the user/s or group/s that you want to have access to the share > check/s the appropriate permissions that you want to give.

There is nothing to wrong to have books for reference.
I still have books on MS DOS 5.0 & 6.22, Win95, Win98, NT4 (3 books), Win2k (4 books), and a glutton of books on Netware 3.12~4.11 & dozens of various Linuxes/Unixes manuals/guides, that has often come in handy as reference. And, then there are more books on networking/security, and various programing languages that I uses for reference or intended to learn when I have more time.

 

[BigDog2k]

Thank you again for all your help this second go around, but the problem stems from the user wanting to give full access to the folder and make them use a password to log in. Will the way you described do both?

I think the problem is that he wants win2k pro to behave in a way it was not originally intended to. It looks like that if you give full access to an account, you have a "trust" in them that the account can do whatever within that folder. If you don't "trust" them, and are afraid that they will load your computer full of viruses, you don't give them write access.

We have tried to explain this to the user in the past, but it is simple addressed with "That's Nice, but I still want to do it this way. I don't care if it was never design to work that way. Figure it out." Then we end up wasting far too much time researching these things because he will never believe our department.

 

[Saltin]

Buy some AV software. The security model in 2k is far superior to 9x.

It's always touchy dealing with superiors/management and thier needs. Here's a little tip;

User's will frequently come to you and tell you they need to be able to do something and then they will tell you how to get it done (very common with upper management).
The trick is to listen only to what they need. Ignore thier ideas regarding how to get it done. It's your job to decide how to achieve the goal, not theirs.

As long as you can come up with a solution that meets the user's end needs, you will quickly find they don't care about how it got done. You can be happy that it got done properly.

So.....
The correct course of action here is to install Antivirus on your network and leverage the superior security model 2k offers.
Forget about "password protected folders", that VP is living in the past.

 

[lowtech1]

Originally posted by: BigDog2k
Thank you again for all your help this second go around, but the problem stems from the user wanting to give full access to the folder and make them use a password to log in. Will the way you described do both?

I think the problem is that he wants win2k pro to behave in a way it was not originally intended to. It looks like that if you give full access to an account, you have a "trust" in them that the account can do whatever within that folder. If you don't "trust" them, and are afraid that they will load your computer full of viruses, you don't give them write access.

We have tried to explain this to the user in the past, but it is simple addressed with "That's Nice, but I still want to do it this way. I don't care if it was never design to work that way. Figure it out." Then we end up wasting far too much time researching these things because he will never believe our department.

Create a user account for the 2 users that you are intended to give access to the share on the DC if you are in a domain environment, other wise create those user account on the machine that have the share (workgroup environment), and give them as much rights as needed then follow my previous post to give them access for network access.

Another method is enable guest account access if to allow everyone access to the public share.

And, like others has mention AV is crucial for what your boss is doing. Also see if your backup software do client backup as well as server, or uses NT backup to back it up to the server then create a rule on the server AV scan to scan the NT backup package prior to backing it up to a master tape.

A batch Copy/Xcopy job if those files aren't active.

Also look into file replication software so you could have a mirror copy of the share directory on your boss hdd.

Good luck!

 

[BigDog2k]

Saltin:
I know that he is living in the past, but unfortunately he refuses to get out of it and has too much power in the company to really fight. Also, Full Access with Password protection are his requirements. Anything else and we would be done already.

Thanx for your advice on how to deal with (l)users, but I handle them fine right now doing just what you suggested. But when you have an exceptional programmer who is a VP that for all purposes runs the company with a huge ego that is barely kept in check, things become a lot more hairy. If you don't do what he says, how he says it, you might as well pack up, because he will make your life h*ll. Add that with the fact that my boss has already told him "Yeah, we can do that." becuase he is afraid to tell him no and now you see that I'm in a bind

lowtech:
Add Users: Already tried that and it didn't work. Guest account won't work either cause it "takes too much time. I don't want them to have to log in with another account. I want them to just enter a password."
AV we already have in place so that isn't an issue, as long as the two (l)user don't shut if off because the VP has told them the password.
Backup software won't work because the VP has setup Zone Alarms to block everything that he doesn't deem ok, which includes the backup software. He won't shut it off because he wants to see who is accessing his machine.

The one thing that we do is ghost his drive once a month when we can get on his computer, but he has filled up about 80gb on his system and we are running out of places for his stuff and he doesn't like the fact that he can't use his system for 2-3 days while it finishes. Never mind the hit our network takes when we kick off the job

I think we have come to the conclusion which I first tried to explain to the VP that Win2k Pro doesn't offer that option because it works on security and trusted relationships. If you don't trust the account to have full access, then you shouldn't give them full access. Why he insists on giving them full rights to his root drive is beyond me, but he controls the purse strings.

I personally have been trying to get rid of all the P2P crap on our network for a long time, but these three hold-outs have enough clout to remain a thorn in our departments side. They refuse to put anything on a server, because it "takes too much time" but are the first ones calling for our heads when we can't retrieve info that they have lost.

Thank you folks for your help, but I think I going to spend some time updating my resume.

 

[ivwshane]

So to me it looks like the real problem would be how to enable a password on the share. Because you should be able to specify the objects (in this case two users) who are allowed to access the share with full permissions and deny everyone else. However I don't see how a password would protect a drive from virus's when the only way a virus would be copied to the share would be through the users whome have access to it. Maybe I'm not understanding something.

 

[Saltin]

Not all the problems you encounter as a support guy / admin are technical in nature. This is a good example of that.
If you have a working AV infrastructure, viruses should be a moot point. You should rely on your AV software to do it's job. If you/he do not rely on it, why are you using it?

I wouldnt treat this as a technical issue. It sounds more political/interpersonal in nature.

 

[lowtech1]

Originally posted by: BigDog2k
Saltin:
I know that he is living in the past, but unfortunately he refuses to get out of it and has too much power in the company to really fight. Also, Full Access with Password protection are his requirements. Anything else and we would be done already.

Thanx for your advice on how to deal with (l)users, but I handle them fine right now doing just what you suggested. But when you have an exceptional programmer who is a VP that for all purposes runs the company with a huge ego that is barely kept in check, things become a lot more hairy. If you don't do what he says, how he says it, you might as well pack up, because he will make your life h*ll. Add that with the fact that my boss has already told him "Yeah, we can do that." becuase he is afraid to tell him no and now you see that I'm in a bind

lowtech:
Add Users: Already tried that and it didn't work. Guest account won't work either cause it "takes too much time. I don't want them to have to log in with another account. I want them to just enter a password."
AV we already have in place so that isn't an issue, as long as the two (l)user don't shut if off because the VP has told them the password.
Backup software won't work because the VP has setup Zone Alarms to block everything that he doesn't deem ok, which includes the backup software. He won't shut it off because he wants to see who is accessing his machine.

The one thing that we do is ghost his drive once a month when we can get on his computer, but he has filled up about 80gb on his system and we are running out of places for his stuff and he doesn't like the fact that he can't use his system for 2-3 days while it finishes. Never mind the hit our network takes when we kick off the job

I think we have come to the conclusion which I first tried to explain to the VP that Win2k Pro doesn't offer that option because it works on security and trusted relationships. If you don't trust the account to have full access, then you shouldn't give them full access. Why he insists on giving them full rights to his root drive is beyond me, but he controls the purse strings.

I personally have been trying to get rid of all the P2P crap on our network for a long time, but these three hold-outs have enough clout to remain a thorn in our departments side. They refuse to put anything on a server, because it "takes too much time" but are the first ones calling for our heads when we can't retrieve info that they have lost.

Thank you folks for your help, but I think I going to spend some time updating my resume.

It is really strange that it is not working.

What environment are you in (domain or workgroup)?

If you are in a domain -- is your Activedirectory/DNS working properly?

Where are these over network users coming from (internal network of from outside)?
You may need to check your firewall rule if they are comming from the outside world.

Can the users ping your boss machine?

Can the users see your boss computer in there network places?

Can the users access your boss machine hidden share, example: \\192.168.1.xxx\c$

What OS are these users use?
You might want to look into turning on WINS & uses NFS if you need to share with Mac/Linux/Unix client, or setup and ftp site for the share.

 

[lowtech1]

Oops!

You can also try to map the VP to the server a share directory and give is something like Z: (and rename the path) and he couldn't tell the difference except that the drive icon isn't the same.

 

[LiLithTecH]

Here is a Third Party option (if just to keep the peace with the VP)

Folder-Guard

 

[BigDog2k]

Saltin:
AV works, as long as the users don't turn it off. They wouldn't normally be able to, but the VP tells the password to the user every time we change it because they all hate the fact that it runs on their computers

Also, he will know the difference between a mapped network drive and a local as the VP is also the head programmer. We have mapped network drives to servers, but they refuse to use them. "It means we have to copy them from our root drive."

lowtech:
<What environment are you in (domain or workgroup)?>
Domain

<If you are in a domain -- is your Activedirectory/DNS working properly?>
No ActiveD yet and the PDC is still NT. We can't update because VP has us running around researching harebrained things like this and blowing our budget

<Where are these over network users coming from (internal network of from outside)?>
Internal

<You may need to check your firewall rule if they are coming from the outside world.>
N/A

<Can the users ping your boss machine?>
Yes and he isn't my boss

<Can the users see your boss computer in there network places?>
Yes

<Can the users access your boss machine hidden share, example: \\192.168.1.xxx\c$>
Yes

<What OS are these users use?>
A mix of win2k and win98 (between the three of them, they have 10 machines, because they "need" all of them)

<You might want to look into turning on WINS & uses NFS if you need to share with Mac/Linux/Unix client, or setup and ftp site for the share.>
We already have WINS running

The issue isn't that they can't see his machine. The issue is that he wants to password protect the share that they can see. The logic he uses is flawed because he wants them to have full access to his root drive because he trusts them not to damage his machine, but he does trust them enough to not get infected because he gives them the latest password to disable our AV

Thanx again

 

[ivwshane]

If you want I will write an email to him explaining how much of an ass he is and why what he wants to do is retarded and goes against any good admins beliefs.

 

[BigDog2k]

ROFLMAO

Thanx for the offer, but I think I will pass until I have something else lined up

 

[lowtech1]

Just tell your VP that the users doesn't need password to get to the share on his local C: partition, because the authentication is already done once a user log into the Domain.
He need not to worry unless the users don't log off every night or have blank password.

 

[mikecel79]

Forget it. We had a guy like that at my place. He called himself a power user, more like a power abuser. If he wants a password protected folder then give him Win98 back and make him happy. Give the Win2k machine to someone that will make money for the company. While he's happily watching BSODs everyone else can be getting work done.

Edit: I forgot this. Password protecting a folder is can not be done natively in Win2k. You need a 3rd party app, and even then I don't know how well they work. My experience has been negative with them.

 

[Xtremetechie]

This is an excellent example of the need for IT dept's to have clearly delineated standards and practices and service level agreements (SLA) in place. These policies should make it real clear to ANY user what they can and more importantly cannot expect from IT. It is critical to establish these policies early on to prevent just this sort of nonsense. Get these policies approved by the Big Boss, whomever is the absolute head of the company, and then any time a "power abuser" says your not fufilling your commitments to he or she, refer him to the "REAL" expectations established by the IT and god, STANDARDS AND PRACTICES.

Good Luck