Securing a RPC service
I'm writing a small service which will store files on disk and later, on request, return them to the client.
I'm looking over my options when it comes to securing this service so no unauthorized program can read/write the data.
The simplest solution would use impersonation so that the service thread handling the call impersonates the client and has the file system sort out what can be done or not.
The problem here is that the service itself has to be able to read the files without the impersonation (periodical functions running in the background).
I have read the following chapter on MSDN; I'm looking for practical tips that you or others have used in the past to secure such a service.
http://msdn.microsoft.com/en-us/library/aa373582(v=vs.85).aspx
You typically only impersonate while handling a client request. The rest of the time, the service is configured to use a system account (usually THE system account) that has (or is configured to have) full privileges to do its necessary tasks.
The security issue to watch out for is of course, ensuring that a user can't elevate themselves to that account.
When you install a service, one of the things you need to put some thought into is choosing the service account: either using one of the built-in accounts, or creating a special-purpose account for your service. There are built-in accounts for "LocalService", "NetworkService" and "LocalSystem" iirc; otherwise you can pick an existing or new user or administrative account (not recommended).
When you create the files (assuming you don't pass any explicit ACL information) they inherit the inheritable access rights of the owning folder. You set these up such that "Users" (a group including your impersonated users) have create rights, "owners" have read/write, and "your default service account" has full control.
This means that your service, when not impersonating anyone, has full access to the files. When impersonating someone, it can only read/write that particular user's files.
Any regular users logged onto the server will also not be able to access the files (unless they happen to be the impersonated users). Administrators can take ownership, however, and then assign themselves read/write access. There is no defense (nor should there be) from local administrators.
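The folder ACL the answer describes, as an added PowerShell example (not code from the original post or from the asker's service): Users may only create files, CREATOR OWNER (the impersonated client that created a file) gets read/write on that file, and the service account gets full control over everything. The data folder path C:\ServiceData and the service account NT SERVICE\MyFileService are assumptions; substitute the account your service actually runs as (for LocalSystem that is NT AUTHORITY\SYSTEM).

```powershell
# Added example: set up the inheritable ACL described in the answer.
# Run elevated. Paths and account names below are assumptions, not from the post.
param(
    [string]$DataRoot       = 'C:\ServiceData',            # assumed data folder
    [string]$ServiceAccount = 'NT SERVICE\MyFileService'   # assumed per-service virtual account
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $DataRoot -Force | Out-Null

# Shorthands for the .NET ACL types.
$Rights  = [System.Security.AccessControl.FileSystemRights]
$Inherit = [System.Security.AccessControl.InheritanceFlags]
$Prop    = [System.Security.AccessControl.PropagationFlags]
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

function New-Ace {
    param([string]$Identity, $AccessRights, $InheritFlags, $PropFlags)
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $AccessRights, $InheritFlags, $PropFlags, $Allow)
}

# Start from an empty DACL and cut inheritance from the parent, otherwise
# ACEs such as "BUILTIN\Users: Read" inherited from C:\ would let every
# local user read every stored file.
$acl = [System.Security.AccessControl.DirectorySecurity]::new()
$acl.SetAccessRuleProtection($true, $false)

# 1. Users (the group the impersonated clients belong to) may create files in
#    the folder itself; the ACE is not inherited, so it grants nothing on the
#    files that get created. Clients do not get ListDirectory, so they cannot
#    enumerate other users' files. (Opening a file by name still works because
#    Users normally hold SeChangeNotifyPrivilege, "bypass traverse checking".)
$acl.AddAccessRule((New-Ace 'BUILTIN\Users' $Rights::CreateFiles $Inherit::None $Prop::None))

# 2. CREATOR OWNER, inherit-only: on each new file this placeholder is replaced
#    by the SID of whoever created it, i.e. the impersonated client, who then
#    gets Read and Write on that file and nothing on anyone else's.
$creatorOwnerRights = $Rights::Read -bor $Rights::Write
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' $creatorOwnerRights `
    ($Inherit::ContainerInherit -bor $Inherit::ObjectInherit) $Prop::InheritOnly))

# 3. The service account: full control on the folder and everything below it,
#    so background jobs that run without impersonation can read every file.
$acl.AddAccessRule((New-Ace $ServiceAccount $Rights::FullControl `
    ($Inherit::ContainerInherit -bor $Inherit::ObjectInherit) $Prop::None))

Set-Acl -Path $DataRoot -AclObject $acl

# Check what actually landed on the folder.
"DACL on $DataRoot"
(Get-Acl -Path $DataRoot).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize

# Probe inheritance: create a file and inspect the ACL it received. Expect an
# explicit Read/Write ACE for the creator (resolved from CREATOR OWNER) plus
# FullControl for the service account, and no ACE for BUILTIN\Users.
# Note: when run from an elevated prompt the default owner of new objects is
# BUILTIN\Administrators, so the creator ACE will name that group rather than
# your user; a file created by an impersonated client names that client.
$probe = Join-Path $DataRoot 'probe-delete-me.txt'
New-Item -ItemType File -Path $probe -Force | Out-Null
"Inherited DACL on $probe"
(Get-Acl -Path $probe).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
Remove-Item -Path $probe
```

Only the folder ACL is set here; the service itself still has to impersonate per request (RpcImpersonateClient / RpcRevertToSelf around the file open) and run its background work unimpersonated under the service account, as the answer describes. Local administrators are deliberately not addressed: as the answer notes, they can take ownership of the folder regardless of this ACL.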