application has file access, user doesn't

  • Question

  • I need to write an application that has access to a user name/pin file and a log file (like a .csv file), but the user doesn't have access to the files, just admin. Is that even possible? I saw something about protected storage service, but I don't know if that would work nor can I figure out how to add anything to it. I found how you can turn it off and on, but not how to use it. Like add/change any of the data in it.



    • Edited by TonyInMD Wednesday, March 14, 2018 5:51 PM
    Wednesday, March 14, 2018 5:50 PM

All replies

  • First, see Implementing Least-Privilege Administrative Models. You seem to want to do it the right way and only grant the privileges you need. Good for you. If anyone says to use Administrator privileges then you can say you believe in least privileges.

    I found Installing a Package with Elevated Privileges for a Non-Admin (Windows) that might help.



    Sam Hobbs
    SimpleSamples.Info


    Wednesday, March 14, 2018 6:33 PM
  • >>I need to write an application that has access to a user name/pin file and a log file (like a .csv file), but the user doesn't have access to the files, just admin.

    Simplistically, in Windows permission to access a securable object (e.g., folder, subfolders, files) is tied to user accounts, not to application programs.  So in the scenario above, if access to a file is restricted to Administrators, then only members of the Administrators group will be allowed access.

    If a standard user attempts to start an application with "run as Administrator" then an Administrator will be required to respond to the system UAC prompt to allow the elevation (i.e., "over the shoulder elevation").  After that is done, the program will be running under the Administrator's account, not the account of the standard user.  Again, permission is tied to the identity not to the program.



    • Edited by RLWA32 Wednesday, March 14, 2018 10:31 PM
    Wednesday, March 14, 2018 10:30 PM
  • Something that I might be able to get past the powers that be, if I can set it up so that the user has to log into the app with a user name/password. The passwords would have to be set up so that sys admin can access/change the user name/password but the user couldn't. I saw something about Protected Storage service that looks like it can hide passwords, but I found nothing on how to set it up with passwords. This program is to log when a user logs on/off a computer where there are multiple users on a shared account. (I know, this is a pain in the ***). The program only appends the file, it can't overwrite anything. Ideally, the user (and program) can only access the log file after they log in with read and (if necessary) append privileges. I can set the program up to file:append but not file:write. Another option would be to only be able to append the file, but not read it. Read privileges reserved for sys admin. I know this is asking a lot, but I know absolutely nothing about setting up security. If they're going to have me do a lot of this kind of stuff in the future, I'm going to check if I can take a class somewhere to learn at least the basics. I don't have time to go to school right now, this has to be finished SOON.
    Thursday, March 15, 2018 10:37 AM
  • You can use a Windows service to manage the log file.  It would track logon/logoff of the shared account and write entries to the log file as required.  Since Windows services start before users log on and continue running when users log off this seems to be a good approach.  The account used to run the service would need full access to the log file.

    The log file itself could be situated in the file system with appropriate NTFS permissions so that the desired users (or members of a custom user group) are only allowed to read the log file.  Additionally, Administrators would be allowed full control of the log file.

    Thursday, March 15, 2018 11:24 AM
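    The NTFS layout described in the reply above, as an added PowerShell example (not code from the thread or from either poster): the service account is the only writer, Administrators and SYSTEM get Full Control, a custom reader group gets read-only access, and the shared interactive account gets no entry at all. The account name, group name and file path are assumptions made up for the example; run it from an elevated Windows PowerShell prompt.

```powershell
# Added example, not code from the thread. Locks the logon-audit file down so that
# only the background service account can write it. Names below are assumptions:
#   $ServiceUser - local account the service/scheduled task runs as
#   $ReaderGroup - custom group allowed to read the log
# The shared interactive account gets no ACE at all. Run from an elevated prompt.
param(
    [string]$LogFile     = 'C:\ProgramData\LogonAudit\logons.csv',
    [string]$ServiceUser = "$env:COMPUTERNAME\LogSvc",
    [string]$ReaderGroup = "$env:COMPUTERNAME\LogReaders"
)

New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
if (-not (Test-Path $LogFile)) { New-Item -ItemType File -Path $LogFile | Out-Null }

function New-Ace([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights) {
    [System.Security.AccessControl.FileSystemAccessRule]::new($Identity, $Rights, 'Allow')
}

$acl = Get-Acl -Path $LogFile
# Stop inheriting from C:\ProgramData and discard the inherited entries, so
# whatever "Users" can do in the parent folder does not carry over to the log.
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl'))
$acl.AddAccessRule((New-Ace $ServiceUser 'Modify'))         # the only writer
$acl.AddAccessRule((New-Ace $ReaderGroup 'ReadAndExecute')) # read-only auditors
# Deliberately no entry for the shared account: with no matching Allow ACE,
# NTFS denies it both reading and writing.
Set-Acl -Path $LogFile -AclObject $acl

# Check the result; the shared account should not appear anywhere in this list.
(Get-Acl -Path $LogFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

    Disabling inheritance is the step people forget: the default entries on C:\ProgramData would otherwise carry over and hand the shared account more than intended. The file is pre-created here so that the service account only ever needs Modify on the file itself and nothing on the folder.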
  • I just got out of a meeting on this thing. I told them in a nice way that they're crazy, you just can't do it. Tell me if I'm right.

    The program has to have multiple people logged into the shared account at the same time. While the shared account is open, a user can walk up to the computer, click a button, and log in with a password. This can happen for multiple people at the same time. They want the fact that they logged on to go into a file. They want the user to be unable to look at or write to the file. All this while only one session of the shared user account is being used. Multiple users under one shared account session. I told them, if the program has access for read/write, the user has access for read/write. You can't have it both ways.

    Thursday, March 15, 2018 2:47 PM
  • >>The program has to have multiple people logged into the shared account at the same time. While the shared account is open, a user can walk up to the computer, click a button, and log in with a password. This can happen for multiple people at the same time. They want the fact that they logged on to go into a file. They want the user to be unable to look at or write to the file. All this while only one session of the shared user account is being used. Multiple users under one shared account session.

    This doesn't make much sense to me.  What's to prevent anyone from walking up to the computer (already logged on to the shared account) and using it without running the program that is to record these private logons?  If multiple people (even if they have complied with the private logon requirement) use the computer under the shared account how can you control any access to anything?  Windows only knows about the shared account, not the private logons recorded by the application in some data file.

    Having said all the above, you can introduce a level of indirection to separate the application that is used for private logons from the data file used to record them.  For example, the data file is owned by a separate user account and managed by a program that runs under that user account. The shared account does not have access to the data file.  Let's call this program the server program.  It runs in the background and waits for the client program to connect to it.  The client program is the one that users of the shared account are allowed to run.  The client program makes requests of the server program to record logon information.  That way the client program doesn't directly access the data file.


    • Edited by RLWA32 Thursday, March 15, 2018 3:42 PM
    Thursday, March 15, 2018 3:26 PM
  • First off, thanks RLWA32 for all the help. The first paragraph of your reply is why I told them they were nuts and it couldn't be done. In reference to the second paragraph, I think I see how that might work, but my question is, would the "server" account have to be logged in and running? Would it be required for the server account to be logged in and then switch user selected? If so it won't work because I have to be able to do it with only one (the shared) user account open. I can't have two running at the same time. At least, if I understand Windows correctly, the server account would also have to have been opened and running, even if it's not the currently logged in user account. Was that confusing enough?
    Thursday, March 15, 2018 4:18 PM
  • >>First off, thanks RLWA32 for all the help. The first paragraph of your reply is why I told them they were nuts and it couldn't be done. In reference to the second paragraph, I think I see how that might work, but my question is, would the "server" account have to be logged in and running? Would it be required for the server account to be logged in and then switch user selected? If so it won't work because I have to be able to do it with only one (the shared) user account open. I can't have two running at the same time. At least, if I understand Windows correctly, the server account would also have to have been opened and running, even if it's not the currently logged in user account. Was that confusing enough?

    You're welcome.  Simplistically, what they want can't be done using only one application.  Theoretically, you could use impersonation to allow one application to access the data file under a different Windows account, but that could conceivably create an exposure by revealing an account name and a password embedded in the application.  That's why I suggested the indirection.

    The server program could be a Windows service that would be automatically started by Windows.  The account used by the service would not be an interactive logon so you don't have to worry about not being able to use the shared account for logging onto the system interactively.  Similarly, the server program could be started at system startup by a scheduled task.  Again, interactive logon using the shared account would be available.  There would be no "switching".




    • Edited by RLWA32 Thursday, March 15, 2018 5:17 PM added clarifications
    Thursday, March 15, 2018 5:08 PM
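    The client/server indirection described in the two replies above, as an added PowerShell example that is not part of the thread: Start-AuditServer is the background "server program", run under the account that owns the log file (started at boot by a scheduled task, as the reply suggests), and Send-AuditEvent is what the client run from the shared account calls over a named pipe. The pipe name, log path, function names and the LOGON/LOGOFF message format are assumptions made for the example; it uses the .NET Framework named-pipe classes, so it targets Windows PowerShell 5.1.

```powershell
# Added example, not code from the thread. Two halves:
#   Start-AuditServer  - run as the log-owning account (scheduled task at boot)
#   Send-AuditEvent    - run by the client program under the shared account
# Pipe name, log path and the LOGON/LOGOFF wire format are made up here.
$PipeName = 'LogonAudit'
$LogFile  = 'C:\ProgramData\LogonAudit\logons.csv'

function Write-AuditRecord([string]$Line) {
    # FileMode.Append can only extend the file: the server never rewrites history,
    # and the shared account never gets a handle to the file at all.
    $fs = [System.IO.FileStream]::new($LogFile, [System.IO.FileMode]::Append,
            [System.IO.FileAccess]::Write, [System.IO.FileShare]::Read)
    try {
        $sw = [System.IO.StreamWriter]::new($fs)
        $sw.WriteLine($Line)
        $sw.Flush()
    } finally { $fs.Dispose() }
}

function Start-AuditServer {
    # Anyone authenticated may connect and send a request; what gets written
    # to the log is decided here, not by the caller.
    $pipeSec = [System.IO.Pipes.PipeSecurity]::new()
    $pipeSec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new(
        'NT AUTHORITY\Authenticated Users', 'ReadWrite', 'Allow'))

    while ($true) {
        $server = [System.IO.Pipes.NamedPipeServerStream]::new(
            $PipeName, [System.IO.Pipes.PipeDirection]::InOut, 1,
            [System.IO.Pipes.PipeTransmissionMode]::Byte,
            [System.IO.Pipes.PipeOptions]::None, 4096, 4096, $pipeSec)
        try {
            $server.WaitForConnection()
            $reader = [System.IO.StreamReader]::new($server)
            $writer = [System.IO.StreamWriter]::new($server)
            $writer.AutoFlush = $true
            $request = $reader.ReadLine()
            # Only "LOGON <name>" or "LOGOFF <name>" with a safe name is accepted,
            # so a client cannot smuggle commas, extra columns or a path into the log.
            if ($request -match '^(LOGON|LOGOFF) ([A-Za-z0-9._-]{1,64})$') {
                # The Windows account on the other end of the pipe (the shared account)
                $osUser = $server.GetImpersonationUserName()
                $row = '{0},{1},{2},{3}' -f (Get-Date -Format o), $matches[1], $matches[2], $osUser
                Write-AuditRecord $row
                $writer.WriteLine('OK')
            } else {
                $writer.WriteLine('ERR bad request')
            }
        } finally { $server.Dispose() }
    }
}

function Send-AuditEvent([ValidateSet('LOGON','LOGOFF')][string]$Action, [string]$Name) {
    $client = [System.IO.Pipes.NamedPipeClientStream]::new('.', $PipeName,
                  [System.IO.Pipes.PipeDirection]::InOut)
    try {
        $client.Connect(5000)    # milliseconds; fails if the server is not running
        $writer = [System.IO.StreamWriter]::new($client)
        $writer.AutoFlush = $true
        $reader = [System.IO.StreamReader]::new($client)
        $writer.WriteLine("$Action $Name")
        return $reader.ReadLine()    # 'OK' or an 'ERR ...' line from the server
    } finally { $client.Dispose() }
}

# Client side, e.g. after the person typed their in-app password:
#   Send-AuditEvent -Action LOGON -Name 'jdoe'
```

    The pipe ACL only decides who may talk to the server; it is the NTFS ACL on the log file (granted to the server's account, not to the shared account) that keeps the data file out of reach. The server also records the Windows identity of the caller next to the in-app name, which makes the point of the earlier reply visible in the log itself: every row will show the same shared account, so the per-person name is only as trustworthy as the application's own password check.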
  • >>Simplistically, in Windows permission to access a securable object (e.g., folder, subfolders, files) is tied to user accounts, not to application programs.  So in the scenario above, if access to a file is restricted to Administrators, then only members of the Administrators group will be allowed access.


    I really think this is misleading. There are many programs in Windows that execute as some user other than the user logged in and not an Administrator. There are very many other accounts in Windows by default and it is possible to configure accounts with custom privileges. It is so common in Windows as to be considered a fundamental feature. Yes, it is technically incorrect to say that a program has specific privileges but programs can be installed to execute as a user with elevated privileges. An administrator can install a program such that it executes as a user that has elevated privileges and then the program can be used by users with less privileges.


    Sam Hobbs
    SimpleSamples.Info

    Thursday, March 15, 2018 8:36 PM
  • >>There are many programs in Windows that execute as some user other than the user logged in and not an Administrator. There are very many other accounts in Windows by default and it is possible to configure accounts with custom privileges. It is so common in Windows as to be considered a fundamental feature.

    What are you talking about and how is it relevant to the OP's post or the subsequent discussion?  I already talked about how access control is based on identity.  I also briefly mentioned impersonation.  This comment adds nothing to the discussion.

    >>Yes, it is technically incorrect to say that a program has specific privileges but programs can be installed to execute as a user with elevated privileges.

    And "over the shoulder elevation" was already covered in my earlier post.  Again, this adds nothing.

    >>An administrator can install a program such that it executes as a user that has elevated privileges and then the program can be used by users with less privileges.

    Really? And how is this bit of magic accomplished from a standard user account without an elevation prompt? Again, elevation and impersonation were already covered.

    Finally, I suggest you consider that I started the paragraph to which you took exception with the word "Simplistically, .."


    • Edited by RLWA32 Thursday, March 15, 2018 9:35 PM reminder about "Simplistically"
    Thursday, March 15, 2018 8:59 PM
  • Can you do the installation or can some other administrator? If it is possible to do that and if the application can then work as you describe (without requiring an administrator's presence after installation) then would that satisfy requirements?

    In subsequent posts you say you are considering requiring that they sign into the application. Windows can support multiple users (but with only one logged in (active) user at a time of course).

    Windows 10 also supports use of PINs instead of passwords but I don't know if that works for multiple users. Users can log in and log off without shutting down the system. It seems reasonable to me to use the Windows authentication instead of a custom authentication. If you must develop a custom authentication mechanism then see the following.



    Sam Hobbs
    SimpleSamples.Info


    Friday, March 16, 2018 8:14 AM
  • The OP wants something like a "setuid" program in Unix. If this is a student assignment, he can just do it on Linux.

    In Windows, there are 3rd party products that can automatically elevate selected programs.

    -- pa


    Friday, March 16, 2018 12:11 PM