Windows: add security restrictions to current process?
I'm writing a web service (mostly in .NET, but there's some unmanaged code, too). I'm trying to avoid adding any vulnerabilities (obviously...), but it's alwyas possible (esp. since there's some unmanaged code, both by own & libraries, to which data from files/network is passed). UAC + DEP helps, but you never know. So I was wondering if there's a way to tell Windows to restrict certain acti开发者_JAVA技巧vities for a process? For example, if the process tries to fork or execute any system command, it should directly refuse to do it. Is there a way to do this?
You can set your application to execute in a lower trust level than full trust, and some permissions will be denied by default. See this breakdown of trust-levels and what they grant.
If you want to be very specific with what to grant, and what to deny, you might want to look into AppDomains, which gives you very good possibilities to set, for instance, file-system or net access privileges individually.
The .NET concept you're looking for is called "permissions". There is an additional level of protection offered by Windows itself, "privileges".
精彩评论