Date Posted: August 27, 2001
Security is a big issue nowadays. Actually, it's always been a concern to many users. If you're afraid of getting robbed, you get an alarm system and the biggest dog you can buy. Others use infrared sensors or security cameras. Even if someone were to infiltrate your home or office, you do little things to make life hard for the crooks, like bolting things down, or using anti-theft steel cabling to latch onto devices. Industrial espionage is a problem, and some users need several security cards just to get into the computer room.
Now, we're not going to go that far for our home PC. In my opinion, everyone should have a personal firewall, and some kind of router. With broadband Internet, it just gets easier every day to steal a person's info right off their PC. Despite the number of Windows 2000 security exploits announced daily, the fact is, Windows 2000 is probably the most secure OS released by Microsoft. You have to configure it though, and not everyone knows how. There are a few things to do, but today, I'm going to explain NTFS (NT File System).
In a nutshell, Windows NT and 2000 can allow you to set file level security. This is especially useful if you share a computer with another user. How this works is that you can set a file you created to only be read, changed, or deleted by you. Useful if you want to hide your porn from your parents.
Windows NT/2000 is also secure in another way: you need a password and a valid user account to get in. Basically, Windows needs to know you. There's no pressing ESC to get in like Windows 9x. (I'm going to spend a couple of seconds explaining this.) Assuming that you have a Windows account, when you log in, a profile is created for you. Documents you create, cookies, bookmarks, preferences... it's all in this profile. In Windows 2000, you can't access someone else's profile unless you're an administrator. Now, if you save a file outside of the default directory, usually the Documents folder, then your files are fair game.
Windows file security works in a few ways. Standard FAT16 or FAT32 file systems provide share level security. This means that if someone tries to access your computer over the network, you can either allow the person to view your folder contents or not. However, you cannot specify permissions for the subfolders or files in the folder themselves. Also, if the person is sitting at your PC, no matter how they log in, they can view the contents of the folder without problems. Not so with NTFS. NTFS, as mentioned earlier, allows file level security, as well as local security. NTFS also has other benefits such as long file name support and larger partition sizes, up to 16 Exabytes in theory, but more like 2 Terabytes in practice. NTFS is also less prone to disk fragmentation, though it still happens.
Choosing an NTFS file system does present some problems though. Generally, it has more overhead. It's not recommended for hard drives or partitions less than 500MB. A big problem is that NTFS partitions cannot be accessed in DOS mode without a 3rd party utility. This poses problems for those wanting to access files in the event of a Windows failure. Imagine saving your work on the c:, and Windows crashes badly enough that you need a reinstall. Well, you're in for some headaches if you want to get to those files in DOS mode.
Due to the fact that most home users tend to be more abusive to their computers than a corporate user (installing various software, beta drivers, etc.), I generally don't suggest NTFS for them. Still, some people have important data that needs to be secure, especially in the age of broadband Internet. I still recommend a router, hardware or software based, and a personal firewall, but if you're diligent about backups, and want another way to add security for free (other than MS security patches), NTFS is the way to go.
This guide is geared towards Windows 2000 users, but the principles apply to Windows NT users as well. We're going to look at three different ways of setting up your drives to NTFS. I'm not going to bog you down with too much info, like auditing and ownership (Windows NT terminology). The scope of the guide is to get you started towards a more secure computer.
There are 3 ways to format your drives into NTFS. Degree of difficulty and convenience will vary, depending on the situation. Your choices are:
1) Format as NTFS before installing Windows 2000
2) Format as NTFS, using Disk Management, in Windows 2000
3) Format as NTFS, in DOS window, in Windows 2000
Format as NTFS before installing Windows 2000
This is probably the easiest time to do it, assuming you're installing Windows from scratch. This will save you the problems of backing up your computer, since it's already cleaned up for a Windows install. Unlike regular formatting, you can't format the drive as NTFS using a Windows 98 DOS boot disk. You're going to have to start the Windows 2000 install, and go through the first few steps.
Eventually, you'll be presented with the following screens.
Life will be a lot easier if you just choose the c: drive to install Windows. Once you've made your choice, you'll be presented with the option of formatting the drive to NTFS. Select it, then continue with the install. Eventually, Windows setup will reboot.
Now, just to let you know, the drive isn't formatted as NTFS right away. It's formatted in FAT16 during the Windows setup. When Windows reboots, it then converts the FAT partition into NTFS.
When Windows setup finishes, we can configure security, which will be explained later on.
Format as NTFS, using Disk Management, in Windows 2000
Let's say that you already have Windows set up, but didn't format it into NTFS, or it wasn't formatted in NTFS when it was given to you. Well, it isn't too late. Using a tool called Disk Management (Disk Administrator in NT), you can format any drive except CD drives and your system (\winnt) drive.
If you practice good habits, and set up multiple partitions, you'll save files onto partitions other than c:. This way, if Windows dies on you, your data is safe. However, this poses a problem when you format your d:, e:, etc. partitions in Disk Management. Formatting your drives in this tool will destroy all data on them. I said it once, I'll say it again, do regular backups and you'll be ok. If you don't have access to removable storage, then move all your data to another partition and format each drive one by one. I prefer this method over right clicking a drive in Windows Explorer and selecting format, because Disk Management provides a lot more options and you can see more of what is happening.
To get to Disk Administrator, simply click on Start, then Settings, Control Panel, then double click Administrative Tools, then double click Computer Management. A new console will appear. Expand the Storage tree, and click on Disk Management. You'll get a window that appears like this:
Note: You will need to be logged in as an Administrator to do these changes.
Once the tool is open, you select which partition you want to reformat. Select it, then right click. A pop up window will appear, and you can select Format.
Another pop up will appear, and you can choose a volume name, file system and cluster size. I usually leave it at default. Make sure you choose NTFS, since that's the whole point of this guide. :P
It's best to not select a quick format since there may be errors if you have a shaky disk. I also wouldn't bother using file compression since it's going to slow you down.
Format as NTFS, in DOS window, in Windows 2000
Let's say that like example #2, your PC isn't formatted with NTFS. Also, let's say that you have no backup storage devices, and you have some large files that wouldn't fit on another partition. Windows includes a tool called Convert, which is suitable for this scenario. It does as its name suggests, converting FAT to NTFS.
To use Convert, you need to go to a DOS window. Simply click on Start, go to Run, then type cmd. A DOS window will appear. At the prompt, type convert d: /FS:NTFS.
One of two things should happen. Either the conversion will proceed as expected, or it will give you a message that the disk is in use and cannot be converted. It'll ask if you'd like to do so on the next reboot. If you say ok, it'll convert the drive to NTFS the next time you reboot your PC. Note that Convert is a one way trip. You cannot use the tool to go back to FAT.
So, that's pretty much it. How you're going to format it is up to you. Personally, if I didn't do it at the initial install, I'd use the Convert tool, since it's the only way that I know of that you can convert your system drive without losing data.
Now that your drives are formatted into NTFS, how do you secure it? Simple, just fire up Windows Explorer by pressing Windows Key+E. Pick your newly formatted drive and right click on it.
Select Properties, and a new window will appear. This is your local disk properties. Don't bother with the other tabs for now, and go straight to the Security tab. You're going to see that Everyone has full access to this drive. Typically, you should select Everyone, and remove it, then add Authenticated Users. By default, they'll only have a few permissions. You can add more or take some away. Be sure to add yourself and make sure you have full control. Click OK, and you'll be dropped back to Windows.
As I mentioned earlier, you can do the same thing to subfolders, and to the actual files themselves. Like security for folders, security for files works the same way. Right click on the file, select properties, security, then you'll be presented with the same interface as explained earlier.
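To confirm the Security tab changes took effect, you can run cacls against the drive from a DOS window and check the listing. The script below is an added example, not part of the original guide: it parses saved cacls output and reports whatever still differs from the setup described above. The sample listings, the HOMEPC\alice account and the function names are constructed for illustration.

```python
import re

# One ACE as cacls prints it: account, optional inheritance flags, then a
# simple right (N, R, W, C, F) or the "(special access:)" marker.
ACE_RE = re.compile(
    r"^(?P<account>[^:]+):(?P<flags>(?:\((?:OI|CI|IO)\))*)"
    r"(?P<right>[NRWCF]|\(special access:\))$"
)

def parse_cacls(output, path):
    """Return [(account, flags, right)] from `cacls <path>` output."""
    aces = []
    for i, line in enumerate(output.splitlines()):
        # The first line is "<path> <ACE>"; later ACEs are indented.
        if i == 0 and line.upper().startswith(path.upper()):
            line = line[len(path):]
        m = ACE_RE.match(line.strip())
        if m:  # detail lines under a special-access entry do not match
            aces.append((m["account"], m["flags"], m["right"]))
    return aces

def audit(aces, owner):
    """List deviations from: no Everyone, Authenticated Users present,
    and `owner` holding Full Control (F)."""
    findings = []
    for account, _, right in aces:
        if account.lower() == "everyone":
            findings.append("Everyone is still listed with right " + right)
    if not any(a.lower().endswith("authenticated users") for a, _, _ in aces):
        findings.append("Authenticated Users has not been added")
    if not any(a.lower() == owner.lower() and r == "F" for a, _, r in aces):
        findings.append(owner + " does not have Full Control")
    return findings

# Constructed sample listings: a freshly formatted drive, then the same
# drive after the changes described in the guide.
BEFORE = "D:\\ Everyone:(OI)(CI)F\n"
AFTER = ("D:\\ NT AUTHORITY\\Authenticated Users:(OI)(CI)R\n"
         "    HOMEPC\\alice:(OI)(CI)F\n")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        problems = audit(parse_cacls(text, "D:\\"), "HOMEPC\\alice")
        print(label, "->", problems or "matches the guide")
```

The same check works on a folder or a single file: save the cacls listing for that path and pass the path to parse_cacls.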
Anyhoo, that wraps up my guide on NTFS security. There's a lot more to it than what I explained today, but the information I provided should get you on the right track. Don't forget that this isn't foolproof, and this does not replace the need for a personal firewall, strong passwords, and regular backups.