You're trying to do WHAT with my Files?! No thanks.


Hi All, is there a free and/or opensource program for Windows XP that performs the following:

  • ~ Prevents folders (and the contents within) from deletion and move operations (don't care about copy/paste, etc.)

  • ~ Either brings up an "Operation Denied" window if attempted, or a "Password to complete" dialog (however, this is not as important)

  • ~ Program can reside in the systray but needs to be Password Protected to access program (thus preventing modification of the rules.)

The closest program I can find is fsLock: http://www.fslock.co.uk/index.htm.

Please suggest good alternatives.

EDIT: I found this app: http://www.softpedia.com/get/File-managers...Preventer.shtml

but the only rating it got was a 1 star by 1 person who didn't leave a review. There's got to be more tried and true apps out there that do this..

Link to comment

Yes, yes you're right...is that good? j/k :P

Everything else really isn't true security. There's a service based app I tried a while back but, running an additional 20 Mb's for something that could be done with a little bit of elbow grease was better.

Maybe this could be scripted via WMI or AHK?

It sounds like you're looking for some sort of stop gap for either a misplaced keystroke/mouse gesture or have an idiot in the house.

Link to comment

Haha, being right is ALWAYS good!

Anyway, yeah, unless your protection is actually down at the lowest levels, it'll only ever be false security, or really play havoc with your programs.

I'd suggest either XP pro there, or Visty, both of which are great OSs.

Link to comment
It sounds like you're looking for some sort of stop gap for either a misplaced keystroke/mouse gesture or have an idiot in the house.

hhaha.. you hit it on the head. this is just to mitigate casual accidental keystrokes, mouse gestures and idiot quotient reductions. The problem relates to having a NAS drive that has a non-NTFS file system which doesn't put deleted files into the recycle bin rather, deletes them. Also, run the risk of accidentally moving a directory into another one with a simple mouse drag oops.

I've usually left simple file sharing ON and so don't really have much confidence modifying those settings. Are there any notable adverse effects to watch out for when turning off simple file sharing?

If I am logged in as an Administrator in XP SP2/3 and turn off simple file sharing, what do I have to set the permissions to in the security settings window tab to achieve the following:

~ Folder (and contents) cannot be deleted or moved. However, can be viewed/accessed/copied.

Could you possibly post a screenshot of your settings window with the proper config for the above? (with the appropriate "blurred out" for security performed of course) ;)

Link to comment

Not one of my configured folders as I'm in a different account.

It's fairly straightforward.

1. Select the Security Tab & click advanced button at bottom

2. In Advanced Settings window click the Permissions Tab

3. Select the Account Name in Permission Entries List & Click Edit.

4. In permission entry window choose what settings to allow or deny.

- I don't usually change allow settings because these are inherited either way.

- Make sure to check apply only to the specific file/folder object otherwise it will apply these settings globally.

5. Close all the windows by hitting okay.

securitysettingsiv2.jpg

By sirsmiley

Link to comment
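
The deny entry described in the steps above can also be set from PowerShell. This is an added example, not part of the original post: the folder path and the `Friends` account are placeholders, it assumes a local NTFS volume, and unlike the "apply only to the specific object" advice in step 4 it lets the deny entry inherit so the folder's contents are covered as well.

```powershell
# Added example: deny delete/move on a folder tree while leaving read and copy intact.
# $folder and $who are hypothetical placeholders; change them for your machine.
$folder = 'D:\Shared\Photos'   # must be on an NTFS volume, ACLs are not stored elsewhere
$who    = 'Friends'            # a dedicated limited account or group, not Users/Everyone

$acl = Get-Acl -Path $folder

# Delete                       = remove, rename or move the object itself
# DeleteSubdirectoriesAndFiles = remove children of a folder
$rights    = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
# Inherit to subfolders and files so the contents are protected too
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$type      = [System.Security.AccessControl.AccessControlType]::Deny

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $who, $rights, $inherit, $propagate, $type)

$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Show the deny entries now on the folder so the result can be checked
(Get-Acl -Path $folder).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize

# Caveats:
# - A deny entry wins over allow entries, so applying it to a group that your
#   own admin account belongs to will lock you out of deleting as well.
# - An account that holds "Delete Subfolders and Files" (part of Full Control)
#   on the PARENT of $folder can still delete $folder itself; check the parent ACL.
```
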

Indeed. Setting the appropriate ACLs for the folder is the "correct" solution. However, ACLs are stored only on NTFS drives. Leopard (and maybe Tiger?) have ACLs but their implementation is not compatible with Windows, or vice versa AFAIK.

In Unix the appropriate action is to set mode +r -w +x on the directory for the GID who uses the shares, but allow +r +w for the owner / administrators group, and ensure that the files / directories are owned by "root".

Something like "chmod 775"

The problem is that NAS drives are essentially a mini PC with a simple file server software installed in ROM and a formatted hard drive attached. Most will have some understanding of Unix file permissions, because these are also the permissions set in FTP. ACLs are a Cisco invention MS / IBM took for the NTFS (originally OS/2 HPFS), and as you can see they are far more comprehensive than usual Unix permissions. And therefore much more confusing. ;)

Anything you install on your PC is just stopping you from being a dumba...hahaha. Not ensuring the security of the file server on the NAS. But if that's what you are looking for, some patch to the Windows API to get a file handle, then another to monitor that handle for modification by Write or Delete APIs, and require an authentication.

It's a lot of effort to go to for idiot proofing. And Windows has enough annoying "Are you sure you want to..." messages as it is.

Windows defaults to "Are you sure you want to Delete this file/folder" and a similar, yet different popup for "Move this file/folder to the Recycle Bin", personally I never see the latter as I always set the bin to delete immediately. I never throw stuff away that I might want to get at later.

It's common on Hot Desk Domain Servers not to have a bin. If you had one, anything you threw away on a particular workstation, would not only be accessible only on that workstation (and you'd have to remember where you threw the file away) but may also be accessible to ANYONE who logged in to that workstation.

Noting that the MsgBox is different for trashing to deleting, you could use AutoIt or AHK script to look out for the dangerous one, and lock up the keyboard and mouse for a couple of seconds and play a klaxon sound fe. That should get your attention. :)

I would suggest removing the Recycle Bin from the desktop, and replacing it with a Widget to move anything dropped to it to a (compressed?) folder in a safe location. Maybe on the NAS. Give the widget a Trash Can like Icon. :)

Accidentally drag-dropping folders into each other is an occupational hazard. The best way to avoid this, is to use the keyboard, not the mouse to manage your filesystem. PowerShell or Bash are excellent at this. ;) Luckily, the search features in Vista and Tiger OS make locating missing folders pretty easy. If you're still on XP get Windows Desktop Search or Google Desktop Search. ;) GNU "whereis" is pretty good, and

DIR /s /a:d /b

is always a good fall back. ;)

Hope some of these ideas are of use.

Link to comment

Oh. BTW, I'm not good at grep either, but if you redirect the output of DIR to a file you can then open that in Notepad, Excel, Open Office Calc or anything else that can read a text file, and search the output for what you want. The full path is listed so then you know where it's ended up.

Wildcards in the DIR may be sufficient, but sometimes the search may take a two phase approach.

I've used this many times in our Domain at work when users have accidentally "lost" something in a structure they are supposed to maintain. :) It's low tech but it works.

Link to comment

@ SirSmiley, thanks, you've begun my journey down the new and exciting world of permissions mgt for windows; my girlfriend's gonna love the competition for time :P But I suspect she'll win in the end :D

bobsobol kinda delved into what I'm trying to accomplish. I probably need something that resides on top of windows and prevents certain executions from taking place on files/folders in a manner that covers casual security, as opposed to bulletproof security.

I've thought about a roundabout method, something like this:

Use truecrypt, to create an encrypted volume. put all my files, let's just say.. my 'pron' library within. Mount the encrypted volume as read-only. Assign it a drive letter, map the drive, then hide the drive letter of the original volume. Make some quick login shortcuts or have the encrypted volume auto mount with windows, etc.

It's a bit of work up front but would be rather smooth sailing once configured.

@ bobsobol, some of your suggestions are good but unfortunately, the measures of security were more for friends/family, people that inevitably ask to use the computer rather than myself. Also, I don't remember there being a confirmation dialog to confirm a delete when hitting the 'delete' button on the keyboard, when within the NAS's directories. I think this was what bothered me enough to look around.

ps. thanks SirSmiley and bobsobol for the informative posts!

Link to comment

Attached is a screenshot of my machine browsing my wife's (file and folder names blurred for her privacy) where I created a "New Folder" accepted the default name, selected it and tapped "Del". This has been the same since Win95, but there has always been a registry tweak to disable it, which at one time, IMS, was in the list of tick boxes for Folder Options.

The exact text of the dialog has changed over various Windows incarnations, and ofc it varies with your localisation of Windows. But it's always there.

The other problem (and the reason these dialogs are only useful as annoyance) is that the default is "Yes" and anyone who uses Explorer much just taps "Del" followed by "Return" pretty rapidly without even reading the dialog. ^_^

You'd need to get the text for your install of Windows right if you were to make an AutoIt or AHK blocker.

Here's an AutoIt example:-

    While 1
        ; Poll until one of the Explorer delete confirmation dialogs appears
        While Not WinExists("Delete Folder", "Are you sure you want to") And Not WinExists("Delete File", "Are you sure you want to")
            Sleep(20) ; Don't kill the CPU
        WEnd ; Nothing interesting, just keep monitoring

        If WinExists("Delete Folder") Then
            WinActivate("Delete Folder") ; Make sure keypress goes to the right place
        Else ; Must be Delete File
            WinActivate("Delete File")
        EndIf
        Send("{ESC}") ; Cancel the dialog
        MsgBox(0, "Delete Denied", "Removing files and folders is disabled!")
    WEnd ; Keep doing it even after the first time.

Of course, you will want to hide the icon in the system tray, add some passworded means of turning it off for yourself, (I'd suggest a HotKey or something) or you could just password the account you use, make other people log-in on a guests account and only run your monitor script in the guests login.

NOTE: Windows has a "guest" account which is disabled for good reason, so call yours something else... Notme or Anonymous or Others or Friends or so.

The DriveCrypt idea is quite nice, I like it. Don't encrypt your pr0n though, the gf won't appreciate that. Just pop it in a folder called "Hot Chix", "T&A" or "Boobies" and she'll know exactly what it is and either leave well enough alone or curse herself for looking not you for hiding it. If it's hidden she'll assume it must be kiddie fiddling or snuff flix and wonder what kind of sicko she's dating. Whatever she wonders it will be at least 3 times worse than the truth. Don't go there. She won't understand the pr0n, but she won't hate you for that like she'll hate you for keeping it secret. At least in my experience, but you know your own better than I do.

In any case, you can mount ISOs, or HD images that aren't encrypted if you don't care who reads it, the problem is that encryption or not if they find the image file and delete that the fact that the mount is read only won't make a hapeth of difference. ;)

Is that too British? (Hapeth, Hapennie, Half a Pennie... pronounced "Hey-peth")

Anyway, DriveCrypt is good at stopping people who want to read files you have that you'd rather they didn't. It's no good at stopping people who don't give a stuff about your data from deleting or corrupting it.

If your machine is the only one which attaches to the NAS, why is the NAS not just a second Hard Drive in your PC? As anything you do to your OS won't affect anyone who pops over with a WiFi Laptop and accesses the NAS.

For this reason, again if the NAS supports NTFS ACLs (Access control lists, as SirSmiley illustrated) then use them, they are the ultimate defense, and my primary reason for switching to NT based OS from 9x way before most people.

post-38356-1209844596_thumb.png

Link to comment
The DriveCrypt idea is quite nice, I like it. Don't encrypt your pr0n though, the gf won't appreciate that. Just pop it in a folder called "Hot Chix", "T&A" or "Boobies" and she'll know exactly what it is and either leave well enough alone or curse herself for looking not you for hiding it. If it's hidden she'll assume it must be kiddie fiddling or snuff flix and wonder what kind of sicko she's dating. Whatever she wonders it will be at least 3 times worse than the truth. Don't go there. She won't understand the pr0n, but she won't hate you for that like she'll hate you for keeping it secret. At least in my experience, but you know your own better than I do.

hha.. I must say I've been thoroughly enjoying your posts here abouts bobsobol. :D You're a riot! But I have a feeling you're not reading ppl's posts carefully enough when responding. Not a big deal but it'll make your lengthy contributions more meaningful when applied properly. ;)

Use truecrypt, to create an encrypted volume. put all my files, let's just say.. my 'pron' library within. Mount the encrypted volume as read-only. Assign it a drive letter, map the drive, then hide the drive letter of the original volume. Make some quick login shortcuts or have the encrypted volume auto mount with windows, etc.

Again, my purpose in this is to prevent casual/accidental, non-malicious deletions and moves, so the above method of hiding (from windows) the partition containing the encrypted volume would suffice in preventing an accidental delete. If they can't click/select it, they can't delete it. The encryption part is just a side effect to the goal of 'securing.' The method I described above would allow people (including my girlfriend,) access to the files freely (thus mitigating the encryption, which is ok,) and in addition, would create a read-only environment, thus providing an answer to my 'problem.'

By the way, I enjoyed your reasoned advice on the relationship front, fun stuff. The prOn reference was just a joke, but my gf is one of those rare ones that enjoys watching and is more entertained than turned off by it, so you're right, she probably would be offended that I'd encrypt the 'collection.' ..lol

Oh, and thanks for the code snippet. Eventually, I'd like to get into using AHK.

Link to comment

Hmm. You mean TrueCrypt / DriveCrypt? Same thing. But I do apologise for the mixed metaphor.

You understood the gist anyway, the encryption is beside the point, it's making it harder to access the volume that's the interesting part for you.

I'd recommend ImDisk http://www.ltr-data.se/opencode.html

If there is something else I'm missing or misunderstanding I'm afraid after re-reading I still can't see it.

Link to comment

@firecracker

I use LockFolderXP to hide my porn folder thus preventing any access to it. It sits in the tray and u can just toggle the protection by entering the password. Quite the thing u were looking for...

However, it is shareware. I use the *cough* full version :P And it's good for my needs ;)

Link to comment

That's a good simple low-tech solution I've seen before, in many guises. They typically work well for explorer based interaction, but fall over if your guests have access to the command prompt or alternative file managers such as Fileman.exe, Total Commander etc.

But it gives me a good idea.

ADS (Alternative Data Streams) never show up in either explorer or cmd.exe. Therefore you could attach your filesystem image (from ImDisk, DriveCrypt, TrueCrypt etc) to "C:Windows:hidden.img" or such. That would make the image file (containing all your "pr0n" or whatever) very difficult to remove without a rootkit / malware removal program which looks for and removes ADS's.

As I say, my main concern with mounting a filesystem stored in an image file, is that if you find the image file, it usually looks like nothing and is easier and quicker to delete by mistake than a whole folder (directory tree) full of "valuable" files.

Thinking again, there is another way to look at this whole thing.

I guess, ultimately, what we are really trying to do here is avoid having to make backups in case of mistakes... I wonder why none of us has put it that way before? ;) lol The lengths we all go to to avoid doing something simple but tedious.

Any of the folders I would be concerned about are tens of Gigs in size, but if you had less, I suppose I could suggest some form of on-line scheduled synchronisation. How sensitive your pr0n collection (and yes, I'm using pr0n to describe any data of sentimental value to you) is will determine who you use as a backup store.

There is a filesystem available for both Windows and *nix environments which uses a GMail account as its backing store... SkyDrives, MegaUpload and RapidShare are other alternative, cheap to free solutions with very little security with regards to the privacy of your store. Of course most real Mac owners have the use of an iDrive. ;) The GMail drive is about the closest equivalent of this. http://www.viksoe.dk/code/gmail.htm

As a side note, ImDisk supports hosting your image file on an HTTP server, so if you rent WebSpace which you have upload and download capability on, you can mount an image file stored there. ^_^

Whatever capacity they may allow you, uploading 40Gig even every week, or even making incremental backups from an originator is going to be costly in time and bandwidth. Hence my initial statement on practicality based on scale. Equally, backing up 40Gig to 10 or so DVDs in your writer takes a lot of time.

I know, because every 3 or 4 months I typically have to do this for my own peace of mind. The advantage of an on-line solution may be that you don't have to break the archive down into parts which will optimise the use of your media, and can be left running unattended.

Link to comment
