
A fixed NTFS drive in my computer requires a login by me, or if on the corporate network, a login by any domain user. So if the drive is stolen, no one can get at it - correct?

But a removable drive does not have this restriction. I have a Samsung 4T external hard drive and it is formatted using NTFS but anyone can access it. Is there a way to restrict it to either:

  1. Like my fixed drives, can only be accessed by domain logins.
  2. Set the drive, or the key root folders in the drive (like our source code) so they can only be accessed by me.

Update: I have two concerns with the removable drive. The first is company confidential stuff (like our source code) where it's ok if another domain login can get to it. But not someone outside the company. The second is for HR files which we need to have access restricted to just 3 people in the company.

Update 2: Ok, my fundamental assumption was wrong - the fixed drives aren't restricted either (see below answers). I'm keeping the question up because I think the answers below are of value to others with the same misconceptions and/or needs. (Sometimes a dumb question does provide useful information in the answers.)

David Thielen
  • An internal drive that is stolen can be accessed without a problem if you put it into another computer. Every disk that is not encrypted can be read if stolen. – Sven Aug 15 '14 at 12:10
  • "... if the drive is stolen, no one can get at it - correct?" No - if the drive is stolen and not encrypted, anyone can read it by simply plugging it in to another computer. – John Aug 15 '14 at 12:10

3 Answers


It's clear by now that unencrypted drives are unprotected.

If you want to protect different files with different permissions, you have to encrypt the disk and then unlock it on a server that enforces the permissions and allows access only via file sharing (e.g. CIFS).

Sven
  • If I want to restrict drive access to just me, and I'm not concerned about super-perfect security (our code is valuable but not that valuable), what's the least hassle way to do this? Is there a way in NTFS itself to mark folders as accessible to me only? – David Thielen Aug 15 '14 at 12:16
  • No, there is not. Any restrictions you set are bypassed by other operating systems (e.g. different computers or booted from CD/stick). – Sven Aug 15 '14 at 12:19

Encrypt it with, for example, TrueCrypt or BitLocker on-disk encryption (or encrypt just the specific data you want to protect).

A fixed drive without encryption is no more secure than an external one if it is physically stolen. Someone can take it out of your PC and attach it to another (or boot a live CD). Your OS login is no protection whatsoever.

JamesRyan
  • I'd prefer to do it in a way that once I'm logged in it's all there. No need for additional logins or mapping it to a drive letter. Is that possible with TrueCrypt or BitLocker? TIA – David Thielen Aug 15 '14 at 12:09
  • There are encryption programs out there that will unlock with a correct login, you'll simply have to find the one that works best for your environment. – John Aug 15 '14 at 12:14

"A fixed NTFS drive in my computer requires a login by me, or if on the corporate network, a login by any domain user. So if the drive is stolen, no one can get at it - correct?"

No, absolutely not.
If someone steals a (non-encrypted) NTFS drive he can access everything.

Only encryption will prevent it from being read by anybody else.

faker
  • Ow, I was not aware of that. So it's just that on boot the main boot drive loads Windows and that wants a login. But the drive itself if not the boot partition is fully accessible. I guess that does make sense now that you've stated it. – David Thielen Aug 15 '14 at 12:14
  • @davidthielen even the boot partition is accessible. Once connected as a secondary drive to the thief's own computer, they can access everything on the drive. Encryption ensures that even though they can read the drive, they can't see the real, original data. – Grant Aug 15 '14 at 12:17
  • Sorry, yes. That is what I meant to say. Any suggestions for a minimal hassle way to encrypt either the drive or the contents of a folder and all of its subfolders? TIA – David Thielen Aug 15 '14 at 12:20
  • BitLocker is built into Windows and works pretty great. – faker Aug 15 '14 at 12:23
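
As an added example (not part of the original thread or any poster's own code): one way to apply the BitLocker approach suggested in the answers to a removable data drive so that it unlocks automatically on your own PC. The drive letter `E:` and the function name `Protect-RemovableDrive` are assumptions; run it from an elevated PowerShell session on a Windows edition that includes BitLocker.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: removable data drive mounted at E:,
# BitLocker PowerShell module present. Protect-RemovableDrive is a
# hypothetical helper name, not a built-in cmdlet.
function Protect-RemovableDrive {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]:$')][string]$MountPoint,
        [Parameter(Mandatory)][securestring]$Password
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Refuse to touch the OS volume; this helper is for data drives only.
    if ($vol.VolumeType -eq 'OperatingSystem') {
        throw "$MountPoint is the operating system volume."
    }
    # Leave a drive alone if BitLocker is already on or in progress.
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Warning "$MountPoint is already '$($vol.VolumeStatus)'; nothing changed."
        return $vol
    }

    # Password protector: what any other computer will ask for.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
        -PasswordProtector -Password $Password -ErrorAction Stop | Out-Null

    # Recovery password: fallback if the unlock password is lost.
    Add-BitLockerKeyProtector -MountPoint $MountPoint `
        -RecoveryPasswordProtector -ErrorAction Stop | Out-Null

    # Auto-unlock on this PC, so no extra prompt after Windows logon.
    Enable-BitLockerAutoUnlock -MountPoint $MountPoint -ErrorAction Stop | Out-Null

    Get-BitLockerVolume -MountPoint $MountPoint
}

$pw     = Read-Host -AsSecureString -Prompt 'Unlock password for the drive'
$result = Protect-RemovableDrive -MountPoint 'E:' -Password $pw

# Encryption runs in the background; re-run Get-BitLockerVolume to watch progress.
$result | Format-List MountPoint, VolumeStatus, EncryptionPercentage,
                      ProtectionStatus, AutoUnlockEnabled

# Print the recovery password once so it can be stored somewhere safe.
($result.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
```

Keep the recovery password somewhere other than the drive itself. On any other computer the drive stays locked until the unlock password is entered.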