[Box Backup] How to secure Box Backup on Windows clients?

E.W. Peter Jalajas boxbackup@fluffy.co.uk
Mon, 11 Jun 2007 11:46:05 -0700 (PDT)


Hi all,

I'd like to make sure that I am securing sensitive Box Backup application files on my Windows clients.  

First, let me confirm that I only really need to secure the *FileEncKeys.raw file from prying eyes--true? If someone gets a hold of that file, they can obtain decrypted files from the server, right? 

On client machines like Windows 2003 Server in a Windows domain (presuming NTFS), I can right-click the *FileEncKeys.raw file, click Properties, Security, and then remove all Users and Groups except the one that the Box Backup service runs as, presumably the "Administrators" group.  Most importantly, I think, I should remove "Authenticated Users". What should I do with the "SYSTEM" user?  Is there anything else I should know about this? I want to make sure that I don't break Box Backup in some way by over-tightening the permissions on the Keys file.  Are there any other Box Backup Windows client files which we should handle specially?

File permissions on other Windows machines are explained fairly thoroughly here:
http://support.microsoft.com/kb/304040
http://support.microsoft.com/kb/308418
http://www.microsoft.com/windowsxp/using/security/learnmore/accesscontrol.mspx

On Windows XP Home with NTFS, per http://support.microsoft.com/kb/308418 , it looks like one must reboot into Safe Mode, and then lock down the Keys file that way.  

For Windows XP Pro, it'll depend upon whether you have Simple File Sharing on or not (and whether the Keys file is on NTFS). 

I don't think FAT users can secure the Keys file.

I'll summarize the results of this thread on the wiki as part of setting up the client on Windows, 
http://bbdev.fluffy.co.uk/trac/wiki/ConfiguringAClient 

Thanks,
Pete
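
Added example, not part of the original message and not Box Backup project code: a read-only PowerShell check that lists which accounts still have access to a keys file after the permissions have been tightened as described in the message. The function name, the keys file path and the allowed-account list are assumptions; set the list to whatever account the Box Backup service actually runs as on the client.

```powershell
# Added example: read-only audit of the NTFS ACL on a Box Backup keys file.
# It changes nothing; it only reports entries outside an expected list.
param(
    [Parameter(Mandatory = $true)]
    [string]$KeysFile,                                 # full path to the *FileEncKeys.raw file
    [string[]]$Allowed = @('BUILTIN\Administrators')   # assumption: account(s) the service runs as
)

function Test-KeysFileAcl {                            # hypothetical helper name
    param([string]$Path, [string[]]$AllowedIdentities)

    $findings = @()
    $item  = Get-Item -LiteralPath $Path -ErrorAction Stop
    $root  = [System.IO.Path]::GetPathRoot($item.FullName)
    $drive = New-Object System.IO.DriveInfo($root)     # assumes a local drive letter, not a UNC path

    # File ACLs exist only on NTFS; on FAT there is nothing to audit.
    if ($drive.DriveFormat -ne 'NTFS') {
        $findings += "Volume $root is $($drive.DriveFormat): no per-file ACL is available"
        return $findings
    }

    $acl = Get-Acl -LiteralPath $Path

    # Inherited entries come back whenever the parent folder's ACL changes.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'ACL still inherits entries from the parent folder'
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($AllowedIdentities -notcontains $who) {
            $findings += "Unexpected allow entry: $who ($($ace.FileSystemRights))"
        }
    }

    # The owner can always rewrite the ACL, so report it when it is not expected.
    if ($AllowedIdentities -notcontains $acl.Owner) {
        $findings += "Owner outside the allowed list: $($acl.Owner)"
    }
    return $findings
}

$result = @(Test-KeysFileAcl -Path $KeysFile -AllowedIdentities $Allowed)
if ($result.Count -eq 0) { 'Only the allowed accounts have access.' } else { $result }
```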