Windows 10: trying to secure a backup folder, can't read w/o allowing rename

Discussion in 'Windows 10 Support' started by rocket777, Mar 5, 2017.

  1. rocket777 Win User

    I am using an image backup program (easeus' todo) and I've got a folder on my L: drive at the top level (i.e. L:\securebackup). I want this folder to only be accessible for write/changes by a particular account (mybackups). I normally run in another user account (myaccount) though this has admin privs.

    I want to be able to read the folder and read the contents from myaccount (and mybackups, but nobody else, including administrator(s)). I have other folders on this L: device that I use normally, i.e. I don't want to make the L: device completely protected, just the one top level folder in that device.

    Here's what I've done, (I have win 10 professional)

    From the mybackups account:


    • create a folder securebackup, then select it, do properties
    • security tab
    • advanced
    • disable inheritance
    • (option 2) remove all inherited permissions (no access records remain)
    • add mybackups and give it full permissions
    • add myaccount, give it only list folder/read data (from advanced permissions)

    From myaccount this still lets me move the folder to another folder, rename it, or delete (move to trash). I have not tried to see if I can overwrite files in this directory, but I can't seem to read the files in it, although I can drill down the directories inside it.

    In addition, even though the todo backup program can write to the directory (other accounts cannot) somehow the owner of the files it creates have an owner of Administrators, instead of mybackups (which the creating program was running under). This could be an easeus/todo issue, but I'm not sure, and it doesn't seem to be what's causing me to still have access from myaccount.

    My goal is to be able to create protected image backups that cannot be modified by any account except mybackups. This should protect from ransomware programs that would try to encrypt the files. Even if I was attacked, and all other files would be lost, I should still have a complete image backup to restore from (the backups are created daily automatically).

    But if malware can move the folders and rename them, then I'm not feeling so secure.

    Anyone know why I'm still able to rename or move the protected directory?

    How might you approach this task?


    :)
     
    rocket777, Mar 5, 2017
    #1

  2. Upgrade W7 32-Bit to W10 32-bit - W7 Backup stopped working with "Critical error 0x8000FFFF"

    Hi all,

    Upgrade from W7 Pro to W10 Pro ran w/o major problems. W7 Backup was used two times w/o problems. After 3 weeks the Backup app lost its configuration. Trying to set it up again allows all settings to be specified. Saving the settings crashes with "Critical Error 0x8000FFFF".

    Backup functions not using the configuration data like "Restore", "Write System Image" and "Create Recovery DVD" work well.

    What went wrong and how to recover?
     
    Jörg Debus, Mar 5, 2017
    #2
  3. dgr8---01 Win User
    N900 failed to update to the latest firmware

    on the cmd when I type in dir/w, it can't find the firmware file. If I tried to download again, it will say file exists and it does but under normal viewing file is not there.

    Which one do I rename the firmware file?

    so should I rename file RX-51_2009SE_2.2009.51-1.002_PR_COMBINED_002_ARM.bin to OS.bin? Why it can't read or find the file when I look in the folder? Not seen in the cmd window either using dir/w?

    Message Edited by dgr8 on 20-Jan-2010 07:07 PM
     
    dgr8---01, Mar 5, 2017
    #3
  4. Pyprohly Win User

    This is expected. As far as permissions are concerned, renaming and moving are synonymous to deleting, and you have not denied myaccount from deleting the folder, hence it may be moved or renamed. To prevent an item’s deletion the parent folder must not permit “Delete subfolders and files” (specifying any inheritance flags regardless of the type of the target item, strangely) and the item itself must then not have an allow on “Delete”.

    You should be able to traverse and read data with that permission. Double check that you’ve set the correct inheritance flags. Preferably, it should be set to “This folder, subfolders and files”.

    Nothing exciting here either. You mention that you’re running the backup software as administrator. Guess what the default owner for items created by administrative applications is.

    A very perceptive apprehension to security. Sounds like you have a very prestigious set up happening. My data isn’t even that valuable to merit such worries...
     
    Pyprohly, Mar 5, 2017
    #4
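
    One way to check the two conditions described in the post above, as an added example that is not part of the thread: list every Allow entry granting "Delete" on the folder or "Delete subfolders and files" on its parent. The folder path and account name are assumptions based on the thread's sanitized names; run it from an account that can read both ACLs.

```powershell
# Added example, not from the thread. Folder and account names are assumptions
# based on the thread's sanitized names; adjust both before running.
param(
    [string]$Folder = 'L:\securebackup',
    [string]$Writer = "$env:COMPUTERNAME\mybackups"
)

$Rights     = [System.Security.AccessControl.FileSystemRights]
$GenericAll = 0x10000000   # GENERIC_ALL, which Get-Acl can return unmapped

function Get-AllowEntry {
    # Allow ACEs on $Path whose mask contains $Mask (or GENERIC_ALL).
    param([string]$Path, [int]$Mask, [string]$Label)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band ($Mask -bor $GenericAll)) -ne 0
        } |
        Select-Object @{ n = 'Path';  e = { $Path } },
                      @{ n = 'Right'; e = { $Label } },
                      IdentityReference, IsInherited, PropagationFlags
}

# Rename and move are governed by the same rights as delete: "Delete" on the
# item itself, or "Delete subfolders and files" on the folder that contains it.
$parent   = Split-Path -Parent $Folder
$findings = @(
    Get-AllowEntry $Folder ([int]$Rights::Delete) 'Delete'
    Get-AllowEntry $parent ([int]$Rights::DeleteSubdirectoriesAndFiles) 'Delete subfolders and files'
) | Where-Object { $_.IdentityReference.Value -ne $Writer }

# Deny ACEs and group membership are not evaluated here: an entry for a group
# such as Administrators applies to every account that is a member of it.
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "Only $Writer holds Delete on $Folder or 'Delete subfolders and files' on $parent."
}
```

    The PropagationFlags column shows whether an entry is inherit-only, so the scope of each finding is visible in the output.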
  5. rocket777 Win User
    I've had to deal with ransomware twice. The first time was before the encrypting versions where they just set the hidden bit on all my folders and turned off "show hidden files".

    The second time was when my friend was hit with the new encryption ransomware. It became my job to restore her system. Rebuilding that was hugely painful, even though her data files were backed up.

    I guess I need to provide a protection at the drive level. I would still like to only protect the backup folder to this extent, but I don't see how to do that w/o protecting all the folders the same way. I guess some trial and error is needed.

    I have verified that this is indeed the case. When in myaccount, I view the directories (nested down a few levels) but I cannot copy the files all the way below the mybackup directory. The inheritance seems to work, i.e. there's only the same two access records that the parent has.

    File explorer says "you'll need to provide administrator permission to copy this folder". The image file is data, but it is listed as a type folder. Ideally, I'd like to be able to use the feature whereby the backup files can be browsed. I assume that's just a read operation.

    One puzzle though, when I look at the effective access for myaccount, I expected to only see list folder/read data, but also there's read permissions and change permissions. The checkmark is on top of a small icon with 2 people. All the others are X'd out with access limited by file permissions. As mentioned, this file's owner is Administrators. When setting (in advanced) permissions, these 2 are definitely not checked.

    I wish I could figure out how to set up the auditing to tell me why it rejects my copy. I wonder if it is actually complaining on the writing side of the copy? But the browsing is also denied, so then again....

    Thanks for the detailed answers.
     
    rocket777, Mar 5, 2017
    #5
  6. lx07 Win User
    Ransomware can encrypt any connected drive if running with administrator privileges. It will undo any authorities you have placed so honestly you may as well not bother.

    It is also fairly trivial to write a script to elevate to use administrator privileges without even prompting if your user is part of administrators group. “Fileless” UAC Bypass Using eventvwr.exe and Registry Hijacking | enigma0x3

    Best would be to run as standard user (not a local Admin) and make backups to a drive that is normally physically disconnected.

    You could have a look with icacls D:\Whatever - it should be more explicit.
     
    lx07, Mar 5, 2017
    #6
  7. rocket777 Win User
    Currently, when I log into the administrator account, I have no access to the folder as I've set it up. I guess the malware could always write directly to the drive, but why should it bother, when 99% of all other systems are wide open.

    I will consider turning off admin for my user account. I have done that on a laptop and it's not too restrictive.

    I also want to make the backups automatic. I have a script that wakes up another computer and copies modified files to that computer and then shuts it down. I guess I could set that up for my backup images.

    From both administrator and myaccount:

    L:\>icacls whatever
    whatever: Access is denied.
    Successfully processed 0 files; Failed processing 1 files

    If it can't access the files, it shouldn't be able to change the settings. But then Microsoft has blundered before.

    From the backup account I see:

    L:\>icacls whatever
    L:\whatever mycomputer\mybackup (OI)(CI)F
    mycomputer\myaccount (OI)(CI)(special access)
    SYNCHRONIZE
    FILE_READ_DATA

    I don't know what synchronize is. And I still don't understand why I can't read the files from myaccount.

    Thanks for the post.
     
    rocket777, Mar 6, 2017
    #7
  8. Pyprohly Win User

    Quote (rocket777): "I have verified that this is indeed the case. When in myaccount, I view the directories (nested down a few levels) but I cannot copy the files all the way below the mybackup directory. The inheritance seems to work, i.e. there's only the same two access records that the parent has."

    I’m sorry. I rechecked my understanding and what you’ve observed would be the correct expectation. For access rights that display twofold—divided by a slash—such as “List folder / read data”, the left part would be the part relevant to folders with the alternative on the right ignored, and it’s vice versa for files. If you check “List folder / read data” on a folder and have the permission inherit, subfolders will effectively gain “List folder” and child files will get “read data”.

    Testing reveals that “List folder / read data” alone is not enough to read the data of a file. The “List folder / read data” and “Read extended attributes“ access rights are the minimum access rights needed to open the contents of a file.


    Don’t be misleading now; you’re not using Icacls here, but Cacls.

    The purpose of the “Synchronize” access right is not really relevant for end users, hence you don’t get the option to set it through the GUI. You can easily lookup what it means, though I’m confident the definition will be abstruse for most.


    I suggest granting “Read” permissions to myaccount. This is what you’re aiming for.
    Code:
    L:\>icacls whatever
    whatever mycomputer\mybackup:(OI)(CI)(F)
             mycomputer\myaccount:(OI)(CI)(R)

    Successfully processed 1 files; Failed processing 0 files
     
    Pyprohly, Mar 6, 2017
    #8
  9. RolandJS Win User
    Are these backups being made onto a sub-directory of a hard-drive that remains active in the computer from work day beginning until work day ending? Besides the OS HD, are there other internal or external hard-drives that work all day long?
     
    RolandJS, Mar 6, 2017
    #9
  10. rocket777 Win User
    Oops, when I sanitized the output, (couldn't directly copy/paste between accounts) I edited the results to hide the true file and account names and had forgot to copy the actual command. You are right, when I added read (from the basic) settings, it actually added 3 read permissions that you can see by selecting to show the advanced settings.

    And sure enough, once I had it as you suggest, I can now read and browse the files.

    I think the read problem was that it thinks the image file is a folder. The program does this, I guess, in order to support the browsing, sort of like when you d-click on a zip file.

    Thanks for the help.
     
    rocket777, Mar 6, 2017
    #10
  11. rocket777 Win User
    Yes, the system has just 2 ssd's one for OS one for backup. It's on a home lan with several older computers (that have the large rotating disks and triple monitors). It's not at a workplace and I have complete control over whatever I want to do.

    Years ago I was hit with a simpler version of the ransomware that only hid my files. After I found the backups, an image restore worked. But I then realized that if they could damage the backup files, I'd have lost quite a bit. I also periodically copy the backup files to another system on my lan to a system that isn't up all the time and has a huge drive for backups of all my systems. But that's done manually and I get forgetful sometimes.
     
    rocket777, Mar 6, 2017
    #11
  12. RolandJS Win User
    That's great that you have existing backups "offline" as well! *Smile
     
    RolandJS, Apr 4, 2018
    #12