When BestCrypt DataShelter protects folders from unwanted programs and users, it applies some Protection Policy to the folder. The user can create such a policy keeping in mind a concrete folder, or create the policy from general considerations.

As soon as you add the folder to the list of protected folders, the program displays dialog window with the properties of the folder. By default, the program assigns the least restrictive policy to the folder allowing all the programs and users to access the folder. You can change the policy by clicking the Set policy button in the Folder properties dialog window.

Properties of the protected folder


Properties of the protected folder


BestCrypt DataShelter allows also creating new policies based on existing policies. In the main window of the program select some policy in the Policy combo box and click the Edit / Create button.

Edit policy


Default policy allowing all the programs and users to access the protected folders


If you want to allow all the users to access the folder, set the All users radio button. It is possible to set an exception from that and click the Exceptions not set link. The program will show you the exception list and you can add or remove users from the list. The users from the exceptions list will not be able to access files in the protected folder.

Alternatively, you can allow only a few users to access the folder. To do that click the Selected users radio button and then the Add button to the right of the list of the selected users. The program will show you the list of the users registered on your local computer and in your domain. Mark the users from the list who should be able to access the folder. Chapter Using BestCrypt DataShelter explains the idea of selecting only a few user accounts for accessing the folder. For example, you allow only your own user account to access the folder. If the attacker is able to access your computer, he/she should steal exactly your user name and password to read the contents of the protected folder, not any system embedded or default "Administrator" account.

Chapter Using BestCrypt DataShelter explains also two approaches of allowing All programs to access the folders with exceptions, or allow only Selected programs to access the folder. When you choose the Selected programs option, you can list the programs explicitly by setting the Manually selected programs option. To add the program to the list, click the Add button to the right of the list of the selected programs. BestCrypt DataShelter will show you all the programs installed on your computer and you can mark those of them that you trust to be able to read data in the protected folder.

Besides listing the trusted programs one by one, you can select a class of programs allowed to access the folder. Click the All signed programs option to allow securely signed executables to read files in the folder. As explained in the Code signing article: "Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed". So by setting the All signed programs option you will trust the vendors who securely signed their software to guarantee that their programs will not contain code harmful to your data.

A number of the Windows operating system embedded components are protected by "Windows Resource Protection Service" (WRPS). Although it is not absolutely necessary for these utilities to access all files in all folders, you can allow them to access your protected folder by setting the Programs protected by the "Windows Resource Protection Service" (WRPS) option. Please note that when you look at the list of programs in various BestCrypt DataShelter lists, you may pay attention to the columns Signed and WRPS protected. Surprisingly, some WRPS programs are not securely signed by Microsoft (that we would highly expect), and it is the reason why the WRPS option exists as a separate option in BestCrypt DataShelter.

Chapter Protection policy overview explains the option All the related processes must be signed or protected by WRPS. BestCrypt DataShelter monitors communications between processes (read also What is BestCrypt DataShelter article). BestCrypt DataShelter remembers information about parents and grandparents of all the processes. It detects and remembers events of opening the process by other processes. So if you allow some program to access the folder, by setting the option you will also require that all the interprocess communications with the program should happen only with trusted and signed programs.

Finally, if you choose to use all the possible settings for the protection policy, it can look like the following picture illustrates.

Edit policy


Protection policy with all the options set


See also:

Using BestCrypt DataShelter

Properties of the protected folder

Protection policy overview

Code signing article in Wikipedia