Monday, February 7, 2011

How to hide complete volume?

Using Windows Server 2003 in a multi-user environment (via Remote Desktop, using it as an application server), how to mount a (preferably encrypted) volume in a way, that won't show up on any other user's desktop?

Tried, and failed approaches:

  • tweaking user rights -display of mounted volume can not be changed.

  • Bestcrypt / truecrypt. Both of them displays the volume for a local administrator

  • There's a key in the Registry that's used to hide mapped drives.

    If you want to stop any combination of drives appearing in My Computer

    Add the Binary Value of 'NoDrives' in the registry at

    "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

    Here is the table of all the values (Note that you can add up values to hide multiple drives, also the value is binary type but must be entered in hexadecimal, so if you add up a few drives, get ready for a little hex math. ) :

    A 1 00 00 00
    B 2 00 00 00
    C 4 00 00 00
    D 8 00 00 00
    E 16 00 00 00
    F 32 00 00 00
    G 64 00 00 00
    H 128 00 00 00
    I 00 1 00 00
    J 00 2 00 00
    K 00 4 00 00
    L 00 8 00 00
    M 00 16 00 00
    N 00 32 00 00
    O 00 64 00 00
    P 00 128 00 00
    Q 00 00 1 00
    R 00 00 2 00
    S 00 00 4 00
    T 00 00 8 00
    U 00 00 16 00
    V 00 00 32 00
    W 00 00 64 00
    X 00 00 128 00
    Y 00 00 00 1
    Z 00 00 00 2
    
    From Robit
  • You're going to be hard-pressed to find a solution for your exact problem. Drive mount points aren't stored on the user level (afaik). There are a couple of workarounds that you can use that aren't guaranteed to be secure:

    1. hide access to certain drive letters based on group policy. Not very secure, easy to workaround.
    2. Don't mount a seperate volume: use NTFS encryption and simply set security permissions on certain folders.

    Is there any particualr reason it has to be an entire drive? If you're trying to avoid allowing the local-admin having rights to a local drive, you're pretty much out of luck unless you use a third-party-probably-going-to-fail-horribly solution. You can jury-rig something with Group Policy to disallow local admin access, but it's going to be hard and error prone.

    If your desired goal is to have separate folders (or volumes) that other users cannot access, store the files on a remote server. That way local administrators on the application server cannot arbitrarily access other peoples folders. (Unless they have Domain Admin or Enterprise Admin rights) You can set up a single big network drive and have different user folders on it, each encrypted using NTFS/other solution and only have read/write rights for that single user.

  • Even if the drive letters are hidden - the volumes are still accessible unless you change ACLs on the filesystem itself - why is this so unpalatable?

    From stephbu
  • NTFS supports mounting volumes inside directories.

    Example - instead of mounting an external drive as D:, you can mount it under C:\mountedVolumes\externalHardDrive

    You can then use ACL's on the parent folder (mountedVolumes) to prevent users other than yourself from accessing it. If they can't get into the folder, they can't get into the drive, or see that it's there. It just looks like a folder they can't open.

    Note: This assumes that you have administrative rights (at least for when you first set this up), and that other people don't (so they can't just take ownership of mountedVolumes and go into the drive anyway)

0 comments:

Post a Comment