Application Security Question

  • Question

  • Ok this should be fairly simple.  Let's say I have a Drive Q that I don't want users to be able to access but I want my application to.  Is there some setting some place that I have to enable to get this to work?  I have a file reader that I wrote in VB and it is able to access the drive even though I don't have privileges to do so, but when I do the same thing with C++ I get access denied.  I'm sure I'm just missing some setting some place.

     Thanks!

    • Moved by Rob Pan Friday, August 26, 2011 8:19 AM (From:Visual C++ Language)
    Wednesday, August 24, 2011 7:17 PM


All replies

  • Drive access is regulated by NTFS permissions.  Any application is allowed or denied access based on its thread token.  The token is a piece of data that identifies the user the process is running under and it is independent of the language the executable was created with.  If you want an application to access a certain drive, that application must run under the context of a user that has the necessary rights because applications cannot be granted NTFS permissions.

    If you want certain files to be accessible only by means of your application, then you can encrypt them in a way that only your application knows, because the user will still have access to the encrypted data.


    MCP
    • Marked as answer by temlehdrol Monday, August 29, 2011 5:43 PM
    Wednesday, August 24, 2011 7:40 PM
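
To see the token-based check described in this answer in practice, the following PowerShell example (added here, not part of the original thread) reports which identity a process runs as and which ACEs on a path match the SIDs in its token. The function name `Get-TokenAccessReport` is hypothetical; `Q:\` is the drive from the question.

```powershell
# Added example, not from the thread. Run it from the same account and session
# that launches each application, then compare the results.
function Get-TokenAccessReport {
    param([string]$Path = 'Q:\')   # 'Q:\' is the drive named in the question

    # The token this process runs under; NTFS evaluates this, not the executable.
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    $elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # SIDs that ACEs are matched against: the user plus the enabled groups.
    # Note: .Groups leaves out deny-only groups (for example Administrators in a
    # non-elevated UAC token), so Deny ACEs for those are not listed below.
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    Write-Host "Running as $($id.Name) (elevated: $elevated), $($sids.Count) SIDs in token"

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Reading the ACL itself needs access; report that and stop.
        Write-Warning "This token cannot read the ACL of ${Path}: $($_.Exception.Message)"
        return
    }

    # Ask for SIDs rather than account names so the comparison is exact.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($sids -notcontains $rule.IdentityReference.Value) { continue }

        # Show a readable account name when the SID can be resolved.
        $trustee = $rule.IdentityReference.Value
        try {
            $trustee = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }

        [pscustomobject]@{
            Type      = $rule.AccessControlType   # Allow or Deny
            Trustee   = $trustee
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

Get-TokenAccessReport -Path 'Q:\' | Format-Table -AutoSize
```

If two programs started by the same person get different results on the same path, comparing this output from each launch context shows whether they are really running under the same token.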
  • How would I give my application the ability to run under the user with the appropriate permissions?  Security enforcement is new to us so we've never had to do this :-)
    Wednesday, August 24, 2011 7:49 PM
  • If your application will run under the context of a user without the required NTFS permissions, you can use CredUIPromptForCredentials() to prompt the user for new credentials, then use the collected credentials in a call to LogonUser() to obtain the new token, and finally use ImpersonateLoggedOnUser() to execute the code that requires the NTFS permissions.  After you have done what you needed to do, you can call RevertToSelf() to undo impersonation. 
    MCP
    Wednesday, August 24, 2011 8:03 PM
  • That seems a bit excessive to have to write into every application that we have, and it would require users having the login information for an administrator which would defeat the purpose of having security?  Or am I reading this wrong?
    Wednesday, August 24, 2011 8:17 PM
  • You only need to do this if the logged on user has no rights over the NTFS files of interest.  Of course the easiest is to grant the user's username the NTFS permissions and be done with it.  So in the end it is unclear what you need:  If you need something like NTFS permissions per application, that doesn't exist.  You'll have to work around the fact by encrypting the files of interest as I mentioned already.

    If you are after something else, I think we (or I) need a more thorough explanation.


    MCP
    Thursday, August 25, 2011 12:09 AM
  • Hi,

    According to your description, it seems that your thread is about security for applications, so I will move it to the correct forum for better support. Thanks for your understanding.

    Best Regards,

    Rob


    Rob Pan [MSFT]
    Friday, August 26, 2011 8:19 AM
  • You can write the file-access code in a Windows service, and when your apps need data they ask the service. In this way you only need to prompt for the admin credential once, at install time. This is used by SQL Server to access data files as a different user.

    You need to properly secure your service to prevent unwanted access. SQL Server has a rather complex security model. You can probably just authorize using your own Windows user groups.
    Visual C++ MVP
    • Marked as answer by temlehdrol Monday, August 29, 2011 5:44 PM
    Saturday, August 27, 2011 3:32 PM
  • It always amazes me when something works right out of the gate in VB and you have to spend hours to do the same thing in C++.  So in short, I have to either create a Windows service to access the drive/folder, I have to rewrite everything in either C# and/or VB (which obviously isn't going to happen), I can give users access to folders I don't want to give them access to, or say the hell with security.  You'd think by 2011 you'd be able to assign applications security privileges, but I guess no one has thought of that yet.

    Anyone know where I can submit that suggestion, perhaps by the time I retire in 15 years they can get that one working?

    Monday, August 29, 2011 12:56 PM
  • I thought the description was pretty decent and straightforward.  I deny access to a specified drive/folder for users of a certain group and I can still access that drive/folder with a VB application, yet when I do the same thing with a C++ app I get access denied.  Not really sure how much more thorough of an explanation I can get.  I'm not trying to be sarcastic or anything here, just a bit frustrated with the lack of continuity between languages in VS.

    Monday, August 29, 2011 1:04 PM
  • When in doubt half ass it... I'm just going to hide the drives so the regular users won't be able to see it when they go to "computer".  98% of them aren't smart enough to just put the drive letter in the bar, so this should solve this issue.  Though it would be nice eventually to have a better way of assigning rights to applications.
    Monday, August 29, 2011 5:43 PM
  • Sorry Pavel but that is the case, I can deny access to all users for a share and my VB application can still access it, however the C++ one can't.  Give it a shot and let me know if you find different.
    Tuesday, August 30, 2011 11:25 AM