Dario Greggio wrote: > Gerhard Fiedler wrote: > >> I'm not quite sure about the NTFS access restrictions cross-system. I separated my quote in two parts, because your answer is only about this part -- but I'm more interested in the other part (see below). > Well, I'm happy to discuss this 'cause I still have some doubts after 10 > years of working on NT OSes... > > I used to think that *every* file on a NTFS drive could only be read > i.e. accessed *only* if you were a recognized user: AFAIK this is not true. It all depends on the exact permissions valid for the file you're trying to access. (Right-click on the file in Explorer, select properties, tab Security.) > I found out that this was not the case, i.e. installing that hard disk on > another NT machine will give you access to those files. On a normal Windows system, to my knowledge most files grant at least one of these groups read/write privileges: Administrators, Power Users, Users, Everyone. Pretty much all files have read/write enabled for Administrators, most files have read access for Users. Unless you're in a directory structure that has a specific system function, default read/write access is for Everyone. So if on the new install you're accessing files as member of Administrators, that's where you're probably getting your permission from. Interesting would be to have a few files with specific permissions (/only/ for a specific user) and trying to access them after taking the disk to a different computer, where you're logged in as a different user. > So, at the very end, in theory (and Vista seems to be going this > direction) you (we) should only work as Normal User, and giving thus > Full Access to User's folders (Documents, Desktop, My Images etc); > Windows and Program Files Folder would then be inaccessible. Of course, > this is going to give headaches if you use your machine for "real Work" > i.e. reinstall, updates ... You always can run installations as a different user (right-click, select Run as...). But the problem I've found is that many applications store application configuration files in their installation directory (where the executables are), and not in the application data directory. This of course requires that every user of the application needs to have write access to the installation directory -- which makes this sort of security maintenance not easy. > Then, I hoped that files could be "encrypted", and this should be > possible (though time-consuming), but anyway this is not going to > protect from overwrites & such. It is possible. If you know the login and password and are admin, you can get access to the contents on a different system (not quite straightforward, but possible), but if not, you don't (at least not with common methods). If you have the rights to do so (depends on the exact permissions set on the directory), you can overwrite/delete though. But notwithstanding the exact workings of NTFS security after taking a drive to a different system, I'm still interested whether this is really necessary: >> OTOH, the first part may be enough (that the viruses won't access files >> on partitions that are not present as drive letters). Has somebody ever >> actually had a system cross-contamination in such a setup? I haven't, >> but I haven't had any contamination to speak of at all, so I really >> can't tell. Say you have a system with several partitions (on the same disk or on different disks). You have Windows or Linux installed on several of these partitions. None of the systems has a partition of another system accessible as a drive letter (Windows) or mounted (Linux). Has anybody actually seen cross-infection (that is, one system got infected by a virus and it spread to the other systems on the other, not mounted, partitions) happen? I haven't. Gerhard -- http://www.piclist.com PIC/SX FAQ & list archive View/change your membership options at http://mailman.mit.edu/mailman/listinfo/piclist