Prevent Access to a directory using C#
I am trying to create a program similar to Folder Lock which prevents users from acces开发者_JAVA百科sing a particular folder. I tried using DirectorySecurity class and AccessRules to change the AccessControl for folders.
However, the settings which i assign can easily be changed by going to "Security Tab" and changing the permissions.
Is there any secure way of preventing access to directories ?
I think my answer to this question: "How could I prevent a folder from being created using a windows service?" is probably what you'd need to do to achieve what you want:
Unfortunately I don't know anywhere near enough about the how to help you, but I'm fairly sure that you'll need to either write or obtain a File System Filter Driver that can communicate with your windows service to tell it that someone has attempted to create a directory/file so that your service can make a decision for it. This way when someone/something attempts to create a file or folder that's not allowed they could be returned "Access Denied" or another Win32 error of your choice.
If you did go down the route of using a driver, I'd guess it'd still be best to do the heavy lifting of deciding if the creation/modification in the service, i.e. outside of Kernel mode.
As long as a user is the owner of directories or files, he can change the permissions. You'd have to change the ownership of the directories in order to really secure the directories (and making this change of ownership requires administrative rights). But a user with administrator right can always take the ownership back.
If you are in an enterprise and people are not admins of their machines, you could write a Windows service that runs as domain admin and makes the needed changes. In a home environment, there's no way.
There are 2 things which can overrule the rights of a local administrator.
- The domain policy (but your pc has to be a member of a domain)
- A process running under SYSTEM privileges (drivers for example), this is the way virus scanners and rootkits work, they analyse your file system request before the results reached the user, and intercept it if deemed necessary.
But the second option you can't do with c#, and the first option is more a Active Directory configuration solution.
No, you can't prevent the computers administrator account from accessing or taking ownership of any folder.
You can prevent restricted accounts (as you have described), but the administrator will always be able to change the security settings.
精彩评论