Has anyone used IObit Protected Folder?

[GameTheory]

Encrypt the entire program, i.e. create an encrypted virtual drive, put the program and its unsecure files on it, and only access the virtual drive when using the program and when you're not, unmount the drive and nobody can get to it...

[FocusWiz]

Quote:

Originally Posted by GameTheory

Encrypt the entire program, i.e. create an encrypted virtual drive, put the program and its unsecure files on it, and only access the virtual drive when using the program and when you're not, unmount the drive and nobody can get to it...

I am sorry to be long-winded, but the problem is that this secure information would be accessible while someone is using the program (although it is not useful to them for any reason except to steal my identity). I am trying to keep the password secure while the program is being run; it is very easy to keep it secure when the program is not being run, as you noted.

[FocusWiz]

Quote:

Originally Posted by headhawg

Sounds like encryption really doesn't help. The solution might be a password-protected folder. However, the application won't know the password so if it needs access to the file that's going to be a problem. Seems like you would need to delete the file on a regular basis. You could use a batch file with a timer to delete (or even just hide) the file. Or just do it manually. Your options seem very limited if the app always creates the plain text file and needs to read/write to it.

Thanks.

The application has the password stored rather securely in one of its encrypted data files. I do not think it actually reads it from the text file, but writes it there for reasons unbeknownst to me whenever it communicates with the company's servers.

I think I may need to just constantly delete this file with a set of scripts but I suspect that the IObit utility I referred to above will be the "lazier" alternative. In my tests, it adequately prevented any attempts I made at opening/viewing the file in any normal tool (NotePad, NotePad++, Word, Quick View, Excel) and I could not copy it with Explorer, Directory Opus, Power Desk, or a command prompt. However, the test was somewhat limited and I am not sure I want to pay for an annual subscription just to be able to run it.

I have some questions in to IObit to find out what happens if they go out of business and my subscription runs out, but was wondering if anyone had any experience with their products or anything else that provides write access but restricts read/copy access. From my tests, uninstalling it removes any restrictions I may have placed on the files since it apparently adds hooks into the operating system that are removed when it is uninstalled.

[headhawg]

Why don't you try another program that doesn't require a subscription? I found this one: Folder Guard

I'm sure there are others.

[FocusWiz]

Thanks, Headhawg, I have an email in to them to ask them if they can achieve this with their tool.

However, there may be an easier (or at least cheaper) alternative than I thought. I apologize for overcomplicating this.

I was perusing documentation of the Icacls functionality and I realized that this tool is affecting the advanced permissions of users. While this may not be totally foolproof, if I were to set the permissions of a user to write only, the data could be written but not read.

In my simple tests, I was able to set the permissions so that the file is viewable in a directory list, but could not be opened in notepad or wordpad and could not be TYPEd from a command prompt. However, an ECHO command could be piped into the file to update it. Here are the permissions set up for a test file and I think this may be what I need:

Basic:

Full Control: NO
Modify: NO
Read & execute: NO
Read: NO
Write: YES
Special permissions: YES

Advanced:

Full Control: NO
Traverse folder / execute file: NO
List folder / read data: NO
Read attributes: YES
Read extended attributes: YES
Create files / write data: YES
Create folders / append data: YES

Write attributes: YES
Write extended attributes: YES
Delete: NO
Read permissions: YES
Change permissions: NO
Take ownership: NO

I was able to pipe data to this file using a batch file with an ECHO command but was not able to open it in any of the applications I tried to use (which is the behavior I believe I need). It appears on directory lists and in Windows File Explorer (but not in the preview window). I am hopeful that I do not need to allow the file to be deleted.

The Icacls command would be better to automate this so that I have the same permissions built for each such file on each computer, but realistically it may not be necessary. I just need to figure out the correct combination and manually clone that to each machine for each of these files.

Of course, if the file needs to be deleted and re-created by the application, I would need to allow deleting, but then I would likely lose the security. I guess I need to keep testing.

[GameTheory]

Are the people that are going to be stealing this file (hypothetically) sitting at your machine using the program? If so, yeah, only so much you can do with something fundamentally insecure. And of course if they have physical access they can do much nastier things than that such as infecting it with malware, keyloggers, etc. Is this file literally the only thing on your machine that you don't want seen/manipulated by others? Seems to me in that situation you either have to trust the people around or they shouldn't have access at all.

[headhawg]

Yes, I believe that you could do this with permissions. If you're the only admin, then give System and Administrators Full Control. Do users need to even Write to this file? If not, just take them out of the ACL and they will get an implicit deny. You can set the ACL at the file level so it won't affect the rest of the folder if you want.

[FocusWiz]

Quote:

Originally Posted by GameTheory

Are the people that are going to be stealing this file (hypothetically) sitting at your machine using the program? If so, yeah, only so much you can do with something fundamentally insecure. And of course if they have physical access they can do much nastier things than that such as infecting it with malware, keyloggers, etc. Is this file literally the only thing on your machine that you don't want seen/manipulated by others? Seems to me in that situation you either have to trust the people around or they shouldn't have access at all.

In the one situation I have learned about, the identity of the owner was stolen by use of this file which allowed the crook to steal other information. I agree that a more sophisticated individual could do much worse, but it does not appear that this person knew much more than how to use windows file explorer. I have a friend who is a security consultant and his motto is "security is achieved when all work stops" so I realize I cannot protect myself from everything, but I do not want it said that I did not take reasonable steps to protect this information. Having an ID and a Password in a text file is usually the second or third things on the lists of security "no-nos."

[FocusWiz]

Quote:

Originally Posted by headhawg

Yes, I believe that you could do this with permissions. If you're the only admin, then give System and Administrators Full Control. Do users need to even Write to this file? If not, just take them out of the ACL and they will get an implicit deny. You can set the ACL at the file level so it won't affect the rest of the folder if you want.

I believe that the application will use the encrypted and stored password to access the server periodically and then write to the file for logging purposes. Whether denying write would adversely affect the application is something I would need to test.

I will likely only set this up for the dozen or so text files that have this password information exposed.

Thank you for the lively and helpful dialogue. I really appreciate your thoughts and the ideas that others have expressed to help me crystallize my thoughts on this.