Is there an easy way to control access to D Drive?

Discussion in 'other anti-malware software' started by justenough, Jan 3, 2014.

Thread Status:
Not open for further replies.
  1. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    I use the D drive for back-up and am moving files on and off it everyday. There aren't any programs that run from that drive. Is there an easy way to control what has access to that drive while still being able to conveniently use it?
     
  2. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    I control access to such drives with AppGuard.

    dja2k
     
  3. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    If the drive is NTFS formatted, you can set file permissions to control access. You could set it for just one user and deny access to all others. You could also encrypt the drive and have access password controlled. There are numerous ways and software programs to do this.
     
  4. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    I should have also said that no one else has access to this computer, so it is malware spreading on its own to D drive that I want to prevent. I make sure files are safe before moving them there myself.

    dja2k, last night I asked in the AppGuard thread how to set this up using AppGuard and was told to "set D:\ to Deny Access in Guarded Apps \ Folders and it will only apply to Guarded Apps with Privacy On." Is this what you do?
     
  5. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,081
    Location:
    Netherlands
    I would add it to AppGuard's user space protection (deny execute); for people without AppGuard, NTFS permissions as stated by MisterB would work. I have done the same for my download folder (to add a second deny-execute layer on top of SRP deny basic user, so even Admin is not allowed to execute from the download folder :D )
     

    Attached Files:

    Last edited: Jan 4, 2014
  6. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,071
    Location:
    Germany
    If you are only concerned about malware, setting the folder with Deny Access in AppGuard is enough. On medium protection level, anything launched from user space will run with Privacy On by default and can't access D:\ in that case. Yet that malware will only be able to run if it has a digital signature. Without one, AppGuard will block its launch right away. On Locked Down nothing can launch from user space unless it's manually added to the Guarded Apps list.

    Non-system volumes are part of user space by default.
     
  7. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    A quick way to set the NTFS permissions is to remove all users and groups from the volume except "everyone" and set everyone's permissions to read, write, and delete and set "traverse folder/execute file" to deny. That should make the volume just read write with no execute privileges even to administrators.
     
  8. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    I have set AppGuard to "Locked Down" for now until I can figure out Mister B's NTFS method.

    In Windows 7 I'm not seeing a choice for "everyone" in the D:\ Properties Security window. There's Authenticated Users, System, Administrators, and Users. What should I choose?
     
  9. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,081
    Location:
    Netherlands
    Only add a deny for Everyone, that is enough, see pic
     

    Attached Files:

  10. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    Thank you for doing that Kees, very much appreciated. Do I need to remove any of the other names in Group or user names, or does the 'Everyone' setting apply to all of them now?

    Following the steps, I've been able to move files to and from D drive. I'm playing a music file that's on D drive with a media program on C drive. So it looks like read and write are still functioning. Even so, this setting will prevent a malware program from getting on its own into D drive?

    After doing the 'Everyone' settings and clicking OK, Windows went through a batch of files, I assume changing the settings to deny on 'traverse folder/execute file'. The names of the files were going by fast, but it looked like all or mainly in a flight sim program that I used to run from D drive. Any idea if I move that folder from D to C drive the settings on those files will have to be reset?
     
  11. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,081
    Location:
    Netherlands
    Sorry, I thought you wanted to block only execution. Well, there are levels of paranoia :D , but try to copy a portable executable to your D drive, it won't execute. Have you added your D drive as a private folder for guarded apps in AppGuard (this will block even read access)?

    When you copy a file, it will normally get the default access rights and then inherit the rights of the folder you copy it into. When you cut and paste I think NTFS keeps the original ACL (access control list); you can easily check that with a portable executable (copy it to D:\, then cut and paste it to another directory on C: when it executes the ACL has been reset, when it is blocked it still has the deny execute of D:\).

    On data partitions, normally only "Authenticated Users", Administrators and System have access rights. When you want to prevent write access you can change the access of "Authenticated Users" to read, as shown in the picture. When you want to copy something to D, you will be asked to elevate (UAC prompt). Allowing Admins full access and other users read access is sufficient (to prevent lockout, check that the Administrators group has full access).
     

    Attached Files:

    Last edited: Jan 4, 2014
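The following is an added example, not commands from anyone in this thread: it applies the "deny execute for Everyone" scheme from MisterB's and Windows_Security's posts with icacls, verifies it with a harmless Windows binary, and then runs the copy-versus-move ACL check suggested in the post above. It assumes D:\ is an NTFS data volume with nothing that needs to run from it and that it is run from an elevated PowerShell session; the probe file names and the scratch folder are made up for the example.

```powershell
# Added example, not from the thread: the "deny execute for Everyone" scheme
# (MisterB's post 7, Windows_Security's post 9) applied with icacls, followed by the
# copy/move ACL check suggested in post 11. Assumptions: D:\ is an NTFS data volume
# with nothing that needs to run from it, and this runs in an elevated PowerShell.
$Volume      = 'D:\'
$EveryoneSid = '*S-1-1-0'     # well-known SID for Everyone; works on any Windows language

# Record the current ACL first so you can compare or roll back.
icacls $Volume

# One inheritable deny: Traverse folder / Execute file (X) for Everyone.
# (OI) = applies to files, (CI) = applies to subfolders. Existing allow entries for
# read, write and delete are untouched, so copying files in and out still works.
icacls $Volume /deny "${EveryoneSid}:(OI)(CI)(X)"

# Confirm the entry landed on the root and is inheritable.
(Get-Acl $Volume).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize

# Functional test with a harmless Windows tool: copy it to D:\ and try to start it.
$Probe = Join-Path $Volume 'probe-whoami.exe'     # constructed name for the test copy
Copy-Item "$env:SystemRoot\System32\whoami.exe" -Destination $Probe
try {
    Start-Process -FilePath $Probe -Wait -ErrorAction Stop
    Write-Warning 'Started: the deny did not take effect'
} catch {
    Write-Host "Blocked as expected: $($_.Exception.Message)"
}

function Show-DenyEntries {
    # Lists the deny entries on a file and whether each one is inherited from its folder.
    param([string]$Path)
    (Get-Acl $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object @{ n = 'Path'; e = { $Path } }, IdentityReference, FileSystemRights, IsInherited
}

# Post 11's check: what happens to the deny when the file is copied versus moved to C:?
$Scratch = Join-Path $env:TEMP 'acl-check'         # constructed scratch folder
New-Item -ItemType Directory -Force -Path $Scratch | Out-Null
Copy-Item $Probe -Destination (Join-Path $Scratch 'copied.exe')
Move-Item $Probe -Destination (Join-Path $Scratch 'moved.exe')
Show-DenyEntries (Join-Path $Scratch 'copied.exe')
Show-DenyEntries (Join-Path $Scratch 'moved.exe')
# An empty result for a file means it now carries only C:\'s inherited permissions.

# Clean up the probe files.
Remove-Item $Scratch -Recurse -Force

# To undo the deny on D:\ later:
# icacls $Volume /remove:d $EveryoneSid
```

The deny is added as a single inheritable entry rather than by editing the existing allow entries, which keeps the read/write/delete behaviour of the volume unchanged and makes the change easy to reverse with `/remove:d`. Because Administrators are members of Everyone, the deny applies to elevated processes as well, which is the behaviour MisterB describes.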
  12. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,081
    Location:
    Netherlands
    You are right, I have not tried V4; I ran V3 a long time ago. In AppGuard (I think it was 2.2 or 2.3) only User Documents on C: were automatically added.
     
  13. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    Rather than paranoia it's probably just not knowing what I'm doing or knowing what level of lock-down is needed and how to do it. I figured since D:\ is used just for storing files and no execution, it makes sense to set it up to keep it off limits from malware. In other words so that the only way something can get on D:\ is if I move it there.

    I'll do the checks you suggested and read more online about file and folder restrictions, and about how AppGuard can be used this way.
     
  14. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    I set my data partition to read/write for users and full access for administrators and system. The system/administrator access is because I set the page file and temp/tmp environment variables on the D drive as well. UAC adds another level on top of this and it won't let me run anything until it's copied to the C: partition, even as an administrator. I share data partitions between XP, Vista and 7 on multiboot systems and can see how it works in different systems with the same NTFS permissions. The basic goal is to keep executable binaries from executing on partitions where data is copied from outside sources, and to keep the system and program areas locked down so no unvetted executables can be copied there or existing software modified.

    On external removable drives formatted with NTFS, I just use everyone with read/write/delete permissions because it's simpler and there is no need for administrator or system access.

    NTFS permissions are really complicated with numerous users, groups and possible permission schemes. I try to keep it simple by reducing groups to a minimum with the important ones administrators, users and system. Everyone is also good for data volumes with no background system use.
     
  15. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    I've been using AppGuard since v1.3 and non-system partitions have always been part of user space. They are not mentioned in the User Space tab though, which is a potential source of confusion. This was discussed here: https://www.wilderssecurity.com/showpost.php?p=2307517&postcount=281
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If volume D is using NTFS, then I suggest allowing "Full control" for Administrators and System. Allow Users group "Read & execute," "List folder contents," and "Read." Any other groups or users should have their access entries removed. Assuming you're using UAC, then when you want to copy files to volume D, run your file manager (such as Q-Dir) as admin. By doing this, only programs (including malware) that have admin permissions can alter volume D.

    I use a close variation of this access scheme on my computer for the Backups folder on my internal drive.
     
    Last edited: Jan 5, 2014
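The following is an added example, not MrBrian's own commands: the access scheme described in the post above (Administrators and SYSTEM with Full control, Users read-only, every other entry removed, then propagated to all children) expressed with icacls, with a lockout guard before any entry is removed. It assumes D:\ is NTFS and that the commands run from an elevated PowerShell session; the file manager path at the end is a placeholder.

```powershell
# Added example, not MrBrian's own commands: the access scheme from the post above
# expressed with icacls. Assumes D:\ is NTFS and the commands run from an elevated
# PowerShell. Well-known SIDs are used instead of group names so the commands work
# regardless of the Windows display language.
$Volume             = 'D:\'
$Administrators     = '*S-1-5-32-544'
$System             = '*S-1-5-18'
$Users              = '*S-1-5-32-545'
$AuthenticatedUsers = '*S-1-5-11'

icacls $Volume                        # record the starting ACL

# Set the three entries the post keeps. /grant:r replaces each principal's existing
# explicit rights; (OI)(CI) makes the entries inheritable to files and subfolders.
# F = Full control, RX = Read & execute (which includes List folder contents and Read).
icacls $Volume /grant:r "${Administrators}:(OI)(CI)F" `
                         "${System}:(OI)(CI)F" `
                         "${Users}:(OI)(CI)RX"

# Lockout guard before removing anything else: Administrators must hold Full control.
$adminFull = (Get-Acl $Volume).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights  -eq 'FullControl' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-32-544'
}
if (-not $adminFull) { throw 'Administrators lack Full control on D:\; stopping to avoid lockout.' }

# Remove the default "Authenticated Users" entry that data volumes usually carry,
# which is what lets a non-elevated process write to the volume.
icacls $Volume /remove:g $AuthenticatedUsers

# Any other leftover group or user entry is dropped the same way, e.g.:
# icacls $Volume /remove:g '*S-1-1-0'      # Everyone, if such an entry exists

# Equivalent of the "Replace all child object permissions with inheritable permissions
# from this object" checkbox: reset every existing file and folder so it inherits from
# the root. Note that this also discards explicit entries children may have had.
icacls "${Volume}*" /reset /T /C /Q

icacls $Volume                        # verify: only the three entries should remain

# Day-to-day use: copying into D:\ now needs an elevated file manager (UAC prompt).
# Start-Process -Verb RunAs -FilePath '<path to Q-Dir or another file manager>'   # placeholder path
```

With this in place a standard-token process, malware included, can read the volume but gets "Access is denied" on any write, rename or delete, which is the property the post relies on; only a process that already holds administrator rights can change anything, matching the trade-off MrBrian describes later in the thread.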
  17. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    The concept behind AppGuard is the complete protection of system space, not user space. This is done in two ways:

    1. User space executables are either prevented from running or run guarded, depending on AppGuard configuration.
    2. Guarded applications are not allowed write access to system space folders and certain key parts of the registry.

    Configuring AppGuard to prevent guarded applications from writing to a data partition would prevent many of those applications from fulfilling their purpose of creating and updating data files. AppGuard isn't designed to prevent all writing of files containing malicious code to user space, but it will prevent the code from running and causing harm to the system. This buys time until your AV identifies and removes the files (either in real-time or by on-demand scanning).

    If you want to go further than this, you need to use the inbuilt features of the operating system to control access to the data partition.
     
    Last edited: Jan 5, 2014
  18. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    I set up my C: drive that way. My D: drive is for holding data that I need to access and modify, and the access is read/write, no execute. No need to be an administrator to copy data, just to execute files on it.
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I'm assuming justenough wants to prevent malware from modifying any files on volume D. Malware in a user account can do whatever the user account has permissions to do. The scheme I proposed (and use) prevents any malware from writing to any file on volume D, unless the malware has admin permissions, in which case it's "game over" anyway, right?
     
  20. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    Thank you pegr for that overview of what AppGuard can and can't do for protecting drives and I assume folders in general. As always, I had no idea at the start how much I was unclear about.
     
  21. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    You assume correctly.

    I've just installed Q-Dir, I like how it looks, simple and versatile.

    I'll try following your instructions a couple of posts up. If you get a chance could you post a screen-shot of where you enter your settings and what they are? So with these settings a UAC alert will pop up if malware tries to go into D drive?
     
    Last edited: Jan 5, 2014
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From http://technet.microsoft.com/en-us/library/bb727008.aspx:
    Yours for volume D:\ should look similar to this when you click "Advanced" button and then "Change Permissions" button:
    [Perm.png: screenshot of the permission entries in the Advanced Security Settings dialog]

    When you get this far, put a check in checkbox "Replace all child object permissions..." and then click "OK" button. It won't stay checked after you're done, but that's expected.
     
    Last edited: Jan 5, 2014
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    With these settings, when any program (including malware) that doesn't have admin permissions tries to alter anything on volume D, you should get a UAC prompt (assuming you have UAC on).

    With these settings, when any program (including malware) that has admin permissions tries to alter anything on volume D, you won't get a UAC prompt.
     
  24. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    I think your approach and analysis is bang on correct :thumb:
     
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thanks :). I use a very similar access scheme for my Backups folder on my internal drive, so I know that it works :D.
     