Setting Permissions on a USB hosted Volume File System using \\.\?: fails to prevent access to the drive.

  • Question

  • Hi,

    I have taken code from the old "FlopLock.c" Service source code that secures Floppy/CD/DVD Drives and added Device Event Notification code to dynamically secure inserted volumes.  It works fine on CD/DVDs.  My code successfully adds the Administrator Only permissions to volumes on the USB flash drive.  I set the security using:

                hFile = CreateFile(strFileName,                 // lpFileName
                                    READ_CONTROL | WRITE_DAC,   // dwDesiredAccess
                                    0,                          // dwShareMode
                                    NULL,                       // lpSecurityAttributes
                                    OPEN_EXISTING,              // dwCreationDisposition
                                    FILE_FLAG_BACKUP_SEMANTICS, // dwFlagsAndAttributes
                                    NULL );                     // hTemplateFile
                if (hFile != INVALID_HANDLE_VALUE)              // CreateFile returns INVALID_HANDLE_VALUE, not NULL, on failure
                {
                    dwErrorCode = SetSecurityInfo(hFile,
                                                    SE_FILE_OBJECT,
                                                    DACL_SECURITY_INFORMATION,
                                                    NULL,                        // psidOwner
                                                    NULL,                        // psidGroup
                                                    pDacl,                       // pDacl
                                                    NULL);                       // pSacl
                    CloseHandle(hFile);
                }

    I verified the ACLs are different by calling:

    GetSecurityInfo to get the SecurityDescriptor

    Then call ConvertSecurityDescriptorToStringSecurityDescriptor to get the string version.

    The ACLs are changed.  But, while accessing the CD-ROM is denied, access to the USB volume is allowed.  It cannot be related to NTFS volumes as the CD/DVD is UDF format and Read-Only.  The USB is FAT32 and Read-Write.  This works with floppies which are either FAT or FAT32 and are Read-Write also.  This leads me to believe it is NOT File System Type nor Read-Only/Read-Write related.

    I believe referencing \\.\?: is in effect referencing an internal and dynamic data area.  Hence the need to do this in a service so that upon a reboot, the security can be set again.  The question is why is the security being honored for Floppies and CD/DVDs, but not for USB drives.   I have NOT tested other drive source types (SCSI, SATA, FireWire, etc.) so I have no idea if this is a USB only issue.

    Does anyone have suggestions or ideas as to what is going on?  I would ask someone who may have an idea, but I don't know how to contact him (Felix Kasza).

    Thanks,

    Mark

    Wednesday, January 27, 2016 3:20 AM
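The verification step in the question (reading the descriptor back and converting it to a string) can be turned into a pass/fail check, shown here as an added example that is not part of the original post: portable C that parses the SDDL text and reports whether the DACL grants access only to a given set of trustees. The function name `dacl_grants_only` and the sample strings are constructed for illustration, and it assumes plain allow/deny ACEs with well-known trustees written as two-letter aliases (`BA`, `SY`).

```c
#include <stdio.h>
#include <string.h>

/* 1: every allow ACE names an allowed trustee; 0: someone else is granted
 * access (or the DACL is NULL); -1: no DACL section or unsupported ACE. */
int dacl_grants_only(const char *sddl, const char *const allowed[], size_t n)
{
    const char *p = strstr(sddl, "D:");
    if (p == NULL)
        return -1;
    p += 2;
    if (strncmp(p, "NO_ACCESS_CONTROL", 17) == 0)
        return 0;                       /* NULL DACL: everyone has access */
    /* Skip DACL flags (P, AI, AR) up to the first ACE or the SACL tag. */
    while (*p != '\0' && *p != '(' && !(p[0] == 'S' && p[1] == ':'))
        p++;
    while (*p == '(') {
        const char *end = strchr(p, ')');
        const char *f = p + 1;          /* field 0: ACE type */
        if (end == NULL)
            return -1;
        int allow = (f[0] == 'A' && f[1] == ';');
        int deny = (f[0] == 'D' && f[1] == ';');
        if (!allow && !deny)
            return -1;                  /* object/conditional ACEs not handled */
        for (int i = 0; i < 5; i++) {   /* advance to field 5: the trustee */
            f = memchr(f, ';', (size_t)(end - f));
            if (f == NULL)
                return -1;
            f++;
        }
        size_t len = strcspn(f, ";)"), k = 0;
        while (k < n && !(strlen(allowed[k]) == len && strncmp(allowed[k], f, len) == 0))
            k++;
        if (allow && k == n)
            return 0;                   /* allow ACE for an unlisted trustee */
        p = end + 1;
    }
    if (*p != '\0' && !(p[0] == 'S' && p[1] == ':'))
        return -1;                      /* unparsed text left after the ACEs */
    return 1;
}

int main(void)
{
    /* Constructed sample strings, not output captured from a real volume. */
    const char *const admins[] = { "BA", "SY" };
    printf("%d\n", dacl_grants_only("O:BAG:BAD:P(A;;FA;;;BA)(A;;FA;;;SY)", admins, 2));
    printf("%d\n", dacl_grants_only("O:BAG:BAD:P(A;;FA;;;BA)(A;;FR;;;WD)", admins, 2));
    return 0;
}
```

A result of 1 only confirms what the descriptor says; it does not show that the access check is applied when the volume is opened.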

All replies

  • Maybe this is because CDs and floppies are removable *media* devices. USB drives are mostly "fixed disks" (though there are also "removable-media" USB drives). There might be some difference in applying a security descriptor to these 2 types.

    Why don't you use the security policy for the USB device class, or for removable storage?

    -- pa

    Wednesday, January 27, 2016 10:47 AM
  • Thanks for the reply.  I have looked into that.  It seems very complex to get what I want.  My method would be much simpler.  If I could apply permissions like I wanted, I could simply allow Group Access to removable media.  It would get applied to any mounted Volumes.

    Also, I have the ability to write code to facilitate what I need.  I expected USB volumes to work the same as Floppy or CD/DVD.

    I will see if I can get the same result by modifying the user and system registry instead.

    Mark

    Thursday, January 28, 2016 4:20 PM