I’m not much of a fan of Windows, but a couple of applications that I use a lot (Quicken and Adobe Lightroom, for example) don’t run on Linux. Also, gaming on Windows is still much easier than gaming on Linux. As a result, I use Windows 7 Ultimate as my main computer. Yesterday, when I was trying to tweak my backup processes, I ran into such bizarre problems with file permissions in Windows that it drove me crazy.
My data backup is pretty simple: on a nightly basis I have a PowerShell script that runs the command-line version of WinRAR to add my data files to a backup file, which I copy to my backup volume (and occasionally to an external backup hard drive). The problems started when I wanted to start backing up Julia’s account on this computer. Although she almost never uses it, I started backing up her Gmail account to it, and I also decided to back up her iOS devices to this computer here instead of the laptop she rarely uses. Hence, I needed to add her User directory to my list of files to back up.
I didn’t expect to have access to her User directory from my account, but lo and behold, I did. Her account also had access to my directory. How did that happen? I have no idea. I went through each user’s directory and set it up so that only the user had access to it as it should. Step one completed.
I had run my backup script from my account, but that didn’t seem right now that I was planning on backing up multiple user accounts. There is a group in Windows called “Backup Operators” that allegedly has the ability to back up data regardless of file system permissions. Logically, then, this seemed like a good candidate for a place to put a backup user account. So that’s what I did: created a Backup user, created a strong password, and set it so that it can only run as a batch job and denied logon locally (non-interactive accounts FTW!). I added it to the “Backup Operators” group, and set my scheduled task to run the PowerShell script from that account.
Those who know more than I do about Backup Operators can guess what happened next: it failed. See, Backup Operators only grants access to data for backup purposes if you use the Windows Backup API, not my PowerShell script. So that was a no-go.
After I learned that this would not work without further tweaking, I tweaked: I figured if I explicitly gave the Backup Operators group read access to everything I needed to back up, that would work regardless of API use. Sure, there’s a risk with giving that group explicit read rights, but the protections I put around the Backup user (strong password, non-interactive) minimized the risk. So that’s what I did: I gave the Backup Operators group read access to the User’s directory.
Lots of folders in that directory (and on C: in general) blocked inheritance, which is a pain, and forced me to explicitly add rights to particular folders. But eventually I did, and my Effective Permissions check showed that my Backup user had read rights to all users’ data via the Backup Operators group. So I ran it again… and it failed. WTF?
For some reason, despite being in the Backup Operators group, the Backup user did not have access to the User directories. I had to grant the rights to the Backup user itself (always bad practice) to give it access to those directories. Only when I did that did it work…
Kinda. This brings me to the last piece of the puzzle, and the straw that broke the camel’s back. I use Encrypting File System (EFS) to encrypt most of my data in my Documents folder. This limits access to the data by accounts other than mine, and prevents reading the data directly from the disk outside of Windows (I used to use Knoppix to recover data from Windows volumes that would not boot in my past life, which was good for me but bad security). Technically, with EFS you can allow other users to access encrypted files, but you have to grant that to Each. Individual. File. I could not simply grant the Backup user access to my encrypted Documents folder and contents en masse. No way was I going to do that for each individual file, and then what about new files? Forget it.
In the end, I went back to what I was doing before: I’m running the backup script with my account, and I’ve granted my account read-only rights to Julia’s account to back up her data. I don’t like it, but Windows won’t let me do something else easily. It’s 2014, Microsoft: can we get a grown-up OS? Oh, right, we can’t.
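
The Backup Operators behaviour described above (the group's rights apply only to tools that open files with backup semantics) can be seen with robocopy's backup mode. This is an added example, not the author's script; the source and staging paths are placeholders, and it covers only the NTFS permission part of the problem, not the EFS-encrypted files.

```powershell
# Added example: copy user profiles with backup semantics from a non-interactive
# account that is a member of Backup Operators. Paths are placeholders.
param(
    [string]$Source      = 'C:\Users',           # assumed source
    [string]$Destination = 'D:\Staging\Users'    # assumed staging folder on the backup volume
)

function Test-BackupPrivilege {
    # whoami /priv lists every privilege present in the current token,
    # whether it is currently enabled or disabled.
    [bool]((whoami /priv) -match 'SeBackupPrivilege')
}

if (-not (Test-BackupPrivilege)) {
    # Typical cause: the task is not running under the backup account, or it
    # is running with a filtered (non-elevated) token.
    throw "Token for $env:USERNAME does not hold SeBackupPrivilege; backup mode would fail."
}

# /E         copy subdirectories, including empty ones
# /B         backup mode: files are opened with backup semantics, so the
#            privilege is used instead of each folder's ACL
# /R:1 /W:1  one retry with a one-second wait, so a locked file does not stall the job
# /NP /LOG   no per-file progress; write a log the scheduled task can keep
robocopy $Source $Destination /E /B /R:1 /W:1 /NP "/LOG:$env:TEMP\backup-copy.log"

# robocopy's exit code is a bit mask; 8 or higher means at least one copy failed.
if ($LASTEXITCODE -ge 8) {
    throw "robocopy reported failures (exit code $LASTEXITCODE); see the log."
}
```

The staging folder holds readable copies of every profile, so its ACL should be restricted to the backup account and administrators before the archive step runs against it.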