How to configure to protect folders ?

Hi All,
I recently found a sofware System Protect. See features here :system-protect.com - This website is for sale! - system protect Resources and Information.
I would be really thankful if any body here would tell me how to protect our important folders from being deleted (by our kids, or even by your own mistake :))

Please don’t tell to hide the folders / drives.
I don’t want to install too many softwares since it will make my system slow. So I am looking forward if CIS can do that or not.

Thanks

which verision of windows do you have ? If you have pro/ultimate then Windows has it the ability to protect files that you want to protect. Otherwise I recommend comodo backup to back important files with a password and in zip format. I use it myself and I find it very very good and stable.

Regards,
Valentin N

Do you mean that with CIS we can’t achieve that folder feature ?
I am having Windows XP Pro (NTFS). Would you please tell me how to protect important folders in XP.

Since I don’t use xp I have to look for info. One thing I know is Bit encryptor or what ever it’s called. I will also ask JoWa that has xp.

I have also look in CIS a bit and you can add file/folder to protect and this how you add it CIS —> D+ —> Computer Security Policy —> Protected file and folder —> add

I hope this helps :slight_smile:

Take care

Regards,
Valentin N

Dear Valentin ,

This does not works. I am able to delete it from context menu. The developer’s have given the option to protect important files/ folders.
CIS —> D+ —> Computer Security Policy —> Protected file and folder —> add
Then why it is not working ??? Is this a bug of CIS.

you last question is beyond my knowledge but I know that CIS is not interfering when a user takes a decision which allows anyone on your accont to delete things. So the answer to you question would be no but I might be wrong.

Here is a useful link

Please await for better and more accurate answer if the link above is insufficient.

Regards,
Valentin N

I don’t believe CIS can protect actual users on a computer from manually deleting files. Putting a folder in a protected folder will prevent any unknown program from accessing it in any way without your express permission. However, it won’t protect the folder from

I hope that answers your question. CIS alone can’t do that, so password protecting the folders or installing other software would probably be the way to go.

CIS is the nanny of program behaviour. It is not the nanny of user behaviour; in short it allows the user to do stupid things.

XP provides CACLS which can be used via CMD.EXE to modify access permissions.

With Admin privilege I have enabled non-admin users to delete/modify/create files in folders where the standard default only allowed READ and Execute.
I can prohibit or enable any action on any folder that I have access to.

I think I can even block my own access, but do not know if I could then unblock it other than by restoring my disk partition image.

Alan

??? Alan. What does all the above mean? That’s too technical for me.

Hit Windows “Start” and in the RUN box enter CMD.EXE to launch a “DOS Window”
On the command line type
CACLS /?
That lists lots of options, and gives headaches when trying to understand them ! !

By default NTFS folders have various restrictions.
If the children have profiles with Admin authority they can do anything that Dad can do.
So long as they are only users without Admin authority they cannot install or remove any software, other than within their own private profile.
They should be unable to alter C:\Program Files
e.g.


C:\Documents and Settings\Dad>CACLS "C:\program files\"
C:\Program Files BUILTIN\Users:R
                 BUILTIN\Users:(OI)(CI)(IO)(special access:)
                                           GENERIC_READ
                                           GENERIC_EXECUTE

                 BUILTIN\Administrators:F
                 BUILTIN\Administrators:(OI)(CI)(IO)F
                 NT AUTHORITY\SYSTEM:F
                 NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
                 BUILTIN\Administrators:F
                 CREATOR OWNER:(OI)(CI)(IO)F

The above indicates by the trailing “F” that almost everyone has FULL authority over all files and folders,
with the exception that “BUILTIN\Users” can only do GENERIC_READ and GENERIC_EXECUTE,
and there are 19 additional elements of control that they are blocked form, including DELETE.

Any “important files and folders” should be on NTFS partitions with restricted USER rights.
If not then either shift them to a “normal” region that DOES restrict users, or use something like CACLS to restrict the kids.

You may be able to reduce your own Admin rights to limit accidental deletion by yourself, but you may “paint yourself into a corner”.

When I moved my Portable Applications from a FAT32 partition to NTFS they all worked the same - for me.
Suddenly no joy for my daughter.
When she ran an application if initialized by reading from an *ini file as before,
but when she altered her preferred options XP blocked any update to the *.ini file.

I gave her full control via the DOS command

CACLS "H:\Utils" /T /C /E /P Users:F

which changed her access from

         BUILTIN\Users:(OI)(CI)(IO)(special access:)
                                   GENERIC_READ
                                   GENERIC_EXECUTE

to

         BUILTIN\Users:(OI)(CI)F

I have learnt enough to give my daughter extra control.
To restrict control is also possible, but I have not tried.
I suggest looking at Microsoft documentation on CACLS,
or the easier way might be to Google.

And VERY IMPORTANT SUGGESTION :-
create a spare folder structure X\Y
then change directory to X
and experiment with "CACLS “Y”.
If you blunder and finish up with a rock solid “Y” that you cannot access and cannot delete,
you can still access “X” and you MAY be able to rename/remove “X” together with its subfolder “Y”.

Finally, it should be feasible to avoid any need for CACLS if the “important” stuff is placed where NTFS restrictions prevent damage by children.

Alan

This can be done with Windows access control

To make a folder and everything in it undeleteable by all users and all programs:

Right-click on a folder, click properties, choose the Security Tab, Click “Advanced”
Click “Change Permissions” Click “Add”,

Put “Everyone” in the pop-up and click “OK”
(Or preferably put a specific user or group that you want to deny)

You are now on a dialog that allows you to allow/deny specific permissions to your folder.
Make sure you apply to “This folder, subfolders and files” and check the “Apply these permission to objects…” at the bottom.

Check the Box for the Deny Column and the Delete Row.

Click OK all the way out.

Note that deny takes precedence over allow. If you deny yourself the right to change attributes, you will lock yourself out of these files (except by running a linux “Live CD” with NTFS write access). If you deny system programs rights to system files, your system might become unusable.

Note that this will still allow a malicious user to destroy the content of the file by a) writing an empty stream into it. To prevent that you will also have to deny “create files / write data.” That may or may not be practical. Or by b) changing the permissions and then deleting the file normally. If you deny write access to attributes to prevent that, be sure not to lock yourself out.