Vista - Vista RTM not secure?

Hi there,

I have been given by my local computer shop a trial of Vista RTM that will
expire in 30 days unless I buy a key.

The two things I find very annoying and breaches security is - the fact that
an administrator account is able to search and access other users' folders.

For instance, I can easily access my brother's administrator user folder
(mine is also an administrator) through the 'Users' folder.

Although we are both administrators, hadn't Microsoft think EVERYBODY needs
their privacy? If one is able to be trusted to have administrator privileges,
one is also entitled to administrator privacy.

I have chat files and other personal data that my snoopy brothers would love
to open and have a read.

My question is, how can I keep all users' privacy without sacrificing
administrator privileges?

Looks Microsoft has put soooo much time into network security that they've
forgotten an important thing - the fact that a thief can get a hold of your
computer and use an administrator account to steal whatever he wishes.

Can anyone please help me? Also, when using the search function, it also
retrieves results from ALL users on the PC, administrator or not.

This is frankly annoying me, and I don't want to go out and buy an $800 NZ
software just so I can have my privacy compromised.

So far this privacy breach is the only thing that is flawed in Vista for me.
And it is flawed enough for me to not buy Vista unless I can get a fix for
this.

Thanks for looking, I hope you can help me.

This is true of any operating system, physical security for PCs is near
non-existant on a software level, if it were it would be impossible to
troubleshoot a dead computer a lot of the time. In the end anyone can always
find the disk and stick it into a different machine and read it there.

There is an option to "encrypt user folders" in Vista which at least goes a
little way to securing data but at the end of the day, a systems
administrator needs to be someone who has access and control over the whole
computer.

I'd recommend just having both users as "power users" and encrypting user
folders, you shouldn't find
youself being limited very often (and when you are it may be possible to
"run as administrator" and just enter the admin password when prompted) and
it'll give you and your brother the privacy from each other that you desire.

Rich

"Phil" <Phil@discussions.microsoft.com> wrote in message
news:7E9E2272-EB26-4A22-B4AA-6C5C670D784B@microsoft.com...
> Hi there,
>
> I have been given by my local computer shop a trial of Vista RTM that will
> expire in 30 days unless I buy a key.
>
> The two things I find very annoying and breaches security is - the fact
> that
> an administrator account is able to search and access other users'
> folders.
>
> For instance, I can easily access my brother's administrator user folder
> (mine is also an administrator) through the 'Users' folder.
>
> Although we are both administrators, hadn't Microsoft think EVERYBODY
> needs
> their privacy? If one is able to be trusted to have administrator
> privileges,
> one is also entitled to administrator privacy.
>
> I have chat files and other personal data that my snoopy brothers would
> love
> to open and have a read.
>
> My question is, how can I keep all users' privacy without sacrificing
> administrator privileges?
>
> Looks Microsoft has put soooo much time into network security that they've
> forgotten an important thing - the fact that a thief can get a hold of
> your
> computer and use an administrator account to steal whatever he wishes.

The fix is to follow best practice and not have every computer user be an
administrative user. Making every user an administrative user defeats most
of the enhancements in security that Vista contains. There should be one
administrative user and that account should only be used when installing
software or actually doing administrator-type stuff and the rest of the time
everyone else, including you, should be logging on as standard users.

--
Richard G. Harper [MVP Shell/User] rgharper@gmail.com
* NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website - http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


"Phil" <Phil@discussions.microsoft.com> wrote in message
news:7E9E2272-EB26-4A22-B4AA-6C5C670D784B@microsoft.com...
> Hi there,
>
> I have been given by my local computer shop a trial of Vista RTM that will
> expire in 30 days unless I buy a key.
>
> The two things I find very annoying and breaches security is - the fact
> that
> an administrator account is able to search and access other users'
> folders.
>
> For instance, I can easily access my brother's administrator user folder
> (mine is also an administrator) through the 'Users' folder.
>
> Although we are both administrators, hadn't Microsoft think EVERYBODY
> needs
> their privacy? If one is able to be trusted to have administrator
> privileges,
> one is also entitled to administrator privacy.
>
> I have chat files and other personal data that my snoopy brothers would
> love
> to open and have a read.
>
> My question is, how can I keep all users' privacy without sacrificing
> administrator privileges?
>
> Looks Microsoft has put soooo much time into network security that they've
> forgotten an important thing - the fact that a thief can get a hold of
> your
> computer and use an administrator account to steal whatever he wishes.
>
> Can anyone please help me? Also, when using the search function, it also
> retrieves results from ALL users on the PC, administrator or not.
>
> This is frankly annoying me, and I don't want to go out and buy an $800 NZ
> software just so I can have my privacy compromised.
>
> So far this privacy breach is the only thing that is flawed in Vista for
> me.
> And it is flawed enough for me to not buy Vista unless I can get a fix for
> this.
>
> Thanks for looking, I hope you can help me.
>
>

"Richard Cocks" wrote:

> This is true of any operating system, physical security for PCs is near
> non-existant on a software level, if it were it would be impossible to
> troubleshoot a dead computer a lot of the time. In the end anyone can always
> find the disk and stick it into a different machine and read it there.
>
> There is an option to "encrypt user folders" in Vista which at least goes a
> little way to securing data but at the end of the day, a systems
> administrator needs to be someone who has access and control over the whole
> computer.
>
> I'd recommend just having both users as "power users" and encrypting user
> folders, you shouldn't find
> youself being limited very often (and when you are it may be possible to
> "run as administrator" and just enter the admin password when prompted) and
> it'll give you and your brother the privacy from each other that you desire.
>
> Rich

Hi Rich. Thanks for the tip, but how do I encrypt our user folders? It
cannot be by BitLocker, because my motherboard BIOS apparently doesn't
support TPM, which is needed for BitLocker.

So, by encrypting my user folder, another administrator cannot access my
user folder through the 'Users' folder?

By encrypting our user folders, will it also prevent the search function to
retrieve results from another user's account?

"Richard G. Harper" wrote:

> The fix is to follow best practice and not have every computer user be an
> administrative user. Making every user an administrative user defeats most
> of the enhancements in security that Vista contains. There should be one
> administrative user and that account should only be used when installing
> software or actually doing administrator-type stuff and the rest of the time
> everyone else, including you, should be logging on as standard users.
>
> --
Thanks for the input. In my PC, there are three user accounts: my big
brother's, my parents', whose account is also used by a lot by my little
brother, and my account.

My big brother's and my account needs to be administrator because we are the
biggest users of the PC and being standard users would hinder our needs. I
have made my parents' account standard to prevent my little brother from
looking at my files, but I cannot stop my big brother,

Does anybody know how to keep privacy between to administrators. without
sacrificing other administration privileges?

Hi, Phil. I am the only user of my computer. I have an administrative
account set up, but always operate from a standard user account and it
doesn't hinder my needs. I can always "run as administrator" from my
standard account if I need to.

"Phil" <Phil@discussions.microsoft.com> wrote in message
news:319DBA8F-BA0F-4E55-B413-447186ABA9AE@microsoft.com...


"Richard G. Harper" wrote:

> The fix is to follow best practice and not have every computer user be an
> administrative user. Making every user an administrative user defeats
> most
> of the enhancements in security that Vista contains. There should be one
> administrative user and that account should only be used when installing
> software or actually doing administrator-type stuff and the rest of the
> time
> everyone else, including you, should be logging on as standard users.
>
> --
Thanks for the input. In my PC, there are three user accounts: my big
brother's, my parents', whose account is also used by a lot by my little
brother, and my account.

My big brother's and my account needs to be administrator because we are the
biggest users of the PC and being standard users would hinder our needs. I
have made my parents' account standard to prevent my little brother from
looking at my files, but I cannot stop my big brother,

Does anybody know how to keep privacy between to administrators. without
sacrificing other administration privileges?

"Leslie Crystal" wrote:

> Hi, Phil. I am the only user of my computer. I have an administrative
> account set up, but always operate from a standard user account and it
> doesn't hinder my needs. I can always "run as administrator" from my
> standard account if I need to.

Hi Leslie, standard accounts limit or will take longer for me to do
administrative stuff....such as installing something on a standard account,
which will come up with a message saying I need to be logged on as an
administrator and I cannot do the 'Run as Administrator' at that point.

I remember back with my WinXP, I cannot access my brother's user folder, and
it says it has 0 files and is 0 byte in size, does that mean it's encrypted?

If yes, how do I do this? How can I make my folder inaccessible by anyone
but me?

Hello,

- Right-click the folder
- Click Properties
- Click Advanced
- Click "Encrypt contents to secure data"
- Click OK

The system will nag you to create an emergency backup of your encryption
key - you should DO THIS. If you have a thumb drive, stick the backup on
your thumb drive and keep it safe.

If you should forget your password or someone should delete your account,
you will NOT be able to access your files.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

"Jimmy Brush" wrote:

> Hello,
>
> - Right-click the folder
> - Click Properties
> - Click Advanced
> - Click "Encrypt contents to secure data"
> - Click OK
>
> The system will nag you to create an emergency backup of your encryption
> key - you should DO THIS. If you have a thumb drive, stick the backup on
> your thumb drive and keep it safe.
>
> If you should forget your password or someone should delete your account,
> you will NOT be able to access your files.

Hi, Jimmy. Thanks for that. Now, once my user folder is encrypted, other
administrators wouldn't be able to access my user folder, and cannot retrieve
results from my user folder?

And what is an encryption key? Could you please explain to me what
encryption is in details?

Correct ... your files will be encrypted (garbled) and will only be able to
be accessed from within your account.

The "key" is what is used to unlock your files. It is stored inside your
user account and can only be used while you are logged in.

Anyone trying to access your files outside of your account will not be able
to do so, since they won't have access to your key.

You should backup your key so that if you forget your password or something
terrible happens, you will have a way to access your files.

Without a backup of your key, you will lose your files if you lose access to
your account.

The encryption is the best solution, as there is no way around it. You could
also change permissions on your personal folder to remove the access that it
gives to administrators, but there are ways around that restriction if the
other user is an administrator.

However, if the other person isn't very "technically advanced" they may not
know how to go about bypassing the restriction, so that may be a better
option for you, as it won't put your data in as much risk as encryption.

To use this second option, perform the following steps:

- Click start
- Type: cmd
- Right-click cmd when it appears
- Click Run As Administrators
- Type the following commands into the command prompt EXACTLY as shown,
pressing enter after each line:

cd %userprofile%
icacls . /remove Administrators

(The last command will take a few minutes to complete)

--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/