8

I want to make my folders private, so that they can only be accessed after logging in with my own account, but be inaccessible by other local accounts, even the administrator accounts.

I have a PC with Windows 8 Professional.

I know I can set the security options for a folder and deny full control access for any other account already created. But since there are other Administrator accounts, new accounts can be created from there and then my folder will be accessible from there.

And if I deny access for the entire administrator group, then even I myself won't have access to my folder!

What is the solution?

6
  • 1
    Have you considered something like EFS? Commented Feb 21, 2013 at 17:43
  • 2
    Can you explain? I did try to activate encryption on these folders. To my surprise, I was still able to open the folder that I encrypted via another Administrator account! However, I could not change files there. Commented Feb 21, 2013 at 17:47
  • I would try encrypting a (test) file, deleting the certificate, and finally importing it but only for the current user. Commented Feb 21, 2013 at 17:54
  • These local or domain administrators? The simple solution would be to create a user group. If you can only view the files, what was the problem? If you encrypt the contents of a folder which contains folders you should view the contents of the encrypted folder even as an administrator. Furthermore, why is everyone an administrator?
    – Ramhound
    Commented Feb 21, 2013 at 18:06
  • @Ramhound It is a shared PC and I don't want to get exclusive access over the whole computer. I just want my own files and folders to be private. Can you explain how I should create the user group, and how it will give me access, while banning other administrators? Commented Feb 21, 2013 at 18:16

3 Answers 3

8

Within the Windows ecosystem, there is NEVER a way to keep an admin out of your files, especially if they have physical access to the machine. Trying to keep admins out is a good way to lose access to your own files.

Instead, look at an external encryption solution like TrueCrypt or even PGP/GPG. MS EFS goes a long way, but if another user can export your cert, it's completely worthless for your use case.

3

You can make it slightly more difficult for them by changing the Owner of the file to be you and removing (not deny, but remove) the Administrator's permission in the advanced file permissions options, but this will only prevent them from being able to access the file without taking ownership. As a system admin, they will be able to take ownership of the file and then change the permissions to give themselves permissions again.

It is worth noting that this will also break the inheritance of permissions on that directory tree at the point that you do your advanced edit.

2
  • 3
    Also keep in mind, NTFS permissions are meaningless if the user can just boot to a live CD. When most live distros mount an NTFS drive, they treat the user as root. Crypto is the only way to defeat that vector. Commented Feb 21, 2013 at 19:32
  • @FrankThomas - yes, that's another good thing to point out. I agree that crypto is the best approach to this goal. My answer is only to explain what the best you can manage without use of crypto is, and it isn't very good. Commented Feb 21, 2013 at 19:52
0

A user who is an Administrator has the seTakeOwnership permission, meaning they can take ownership of your folder:

Required to take ownership of an object without being granted discretionary access.

This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.

User Right: Take ownership of files or other objects.

The owner of an object implicitly has permission to change its Access Control List (ACL), i.e. the Security tab in Windows Explorer:


From there they can grant you read access to your folder. There's no way to prevent an Administrator from seeing your files and folders.

But you can stop them from reading them

Since Windows NT 3.51, Windows' NTFS has supported encrypting files:


The file is encrypted with a certificate that is protected with your Windows password. As long as you don't give anyone your password, your EFS encrypted files cannot be viewed.

Personally I like to turn on the option Show encrypted or compressed NTFS files in a different color:


That way I can easily see and confirm that they are encrypted:

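
A read-only PowerShell check of the two things the answers above discuss: the folder's owner and ACL state, and whether its files actually carry the EFS Encrypted attribute. This is an added example, not part of any answer on this page; the function name `Test-PrivateFolder` and the sample paths are assumptions.

```powershell
# Added example (not from the original answers). Read-only: it changes nothing.
function Test-PrivateFolder {
    param([Parameter(Mandatory)][string]$Path)   # hypothetical name; folder to audit

    # Resolve BUILTIN\Administrators from its well-known SID so the
    # comparison also works on localized Windows installs.
    $sid    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $admins = $sid.Translate([System.Security.Principal.NTAccount]).Value
    $acl    = Get-Acl -LiteralPath $Path

    # Allow entries (explicit or inherited) that still name the Administrators group.
    $adminAces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $admins -and $_.AccessControlType -eq 'Allow'
    })

    # Files under the folder whose Encrypted attribute is not set (EFS not applied).
    $plain = @(Get-ChildItem -LiteralPath $Path -Recurse -File -Force |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) })

    [pscustomobject]@{
        Owner             = $acl.Owner
        InheritanceBroken = $acl.AreAccessRulesProtected
        AdminAllowEntries = $adminAces.Count
        UnencryptedFiles  = $plain.FullName
    }
}

# Constructed sample path; replace with the folder you want to check.
$report = Test-PrivateFolder -Path "$env:USERPROFILE\Private"
$report | Format-List

# Reading the result:
#  - Owner = you, InheritanceBroken = True, AdminAllowEntries = 0 is the ACL-only
#    state described above; an administrator can still take ownership and re-grant access.
#  - UnencryptedFiles lists what is readable after such a takeover or from a live CD.

# For an encrypted file, cipher /c lists the users and recovery agents able to decrypt it.
cipher /c "$env:USERPROFILE\Private\example.txt"   # constructed sample file name
```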
