Sunday, April 20, 2014

winapi - Can file system filter drivers filter operations based on user IDs? - Stack Overflow


Follow-up to: Windows Filesystem Minifilter Drivers: can I monitor and prevent FS operations using them?


I'm looking for a method to filter access to certain file system resources. This includes removable media and non-NTFS file systems - so standard ACLs won't work.


From what I read, a file system filter driver might be helpful - but I didn't find a way to get the user ID of the initiating user. Is this possible?


Other recommendations / references to existing tools are also welcome.




I am not sure what "user id" means. But this might be useful:



  1. When handling IRP_MJ_CREATE look at IrpSp->Parameters.Create.SecurityContext->AccessState.

  2. ACCESS_STATE contains SecurityDescriptor and SubjectSecurityContext.

  3. From SubjectSecurityContext you can retrieve PACCESS_TOKEN if you need it (call SeLockSubjectContext and SeQuerySubjectContextToken).


Have a nice day!




In most cases obtaining the security information (token) of the user that initiated the call is possible, at least for operations such as file open and directory enumeration (and these are the main points of filtering when you plan to prevent access of the user to the resource). And then you can cancel or modify the request as you need. The only limitation I can think of is when the network redirector accesses the disk on behalf of the remote user impersonated as the local system account. But these are border cases that you would need to investigate yourself in your particular task.
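A minifilter pre-create callback that carries out the three steps from the first answer and the deny-on-open policy from the second, written here as an added illustration rather than code from either answer or from any project. It assumes a `g_AllowedSid` supplied by the driver's configuration, a deny-by-default policy, and that the callback has already been registered for IRP_MJ_CREATE with FltRegisterFilter (registration code is omitted).

```c
#include <fltKernel.h>

/* Hypothetical policy input: the SID of the one account allowed to open files on
   the filtered volume. A real driver would load this from configuration. */
static PSID g_AllowedSid = NULL;

FLT_PREOP_CALLBACK_STATUS
PreCreate(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext)
{
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);

    /* Step 1: the create parameters carry the caller's ACCESS_STATE. */
    PIO_SECURITY_CONTEXT secCtx = Data->Iopb->Parameters.Create.SecurityContext;
    if (secCtx == NULL || secCtx->AccessState == NULL) {
        return FLT_PREOP_SUCCESS_NO_CALLBACK;   /* no caller context: let the FS decide */
    }

    /* Step 2: ACCESS_STATE embeds the SECURITY_SUBJECT_CONTEXT of the caller. */
    PSECURITY_SUBJECT_CONTEXT subject = &secCtx->AccessState->SubjectSecurityContext;
    BOOLEAN allow = FALSE;

    /* Step 3: lock the subject context and pick the effective token. The macro
       returns the impersonation (client) token when one is present, otherwise the
       primary token; this is why a redirector impersonating a remote user is seen
       as that user, and a request made as SYSTEM is seen as SYSTEM. */
    SeLockSubjectContext(subject);
    PACCESS_TOKEN token = SeQuerySubjectContextToken(subject);

    PTOKEN_USER tokenUser = NULL;
    NTSTATUS status = SeQueryInformationToken(token, TokenUser, (PVOID *)&tokenUser);
    if (NT_SUCCESS(status)) {
        allow = (g_AllowedSid != NULL) && RtlEqualSid(tokenUser->User.Sid, g_AllowedSid);
        ExFreePool(tokenUser);                   /* buffer comes from paged pool */
    }
    SeUnlockSubjectContext(subject);

    if (allow) {
        return FLT_PREOP_SUCCESS_NO_CALLBACK;    /* pass the create down unchanged */
    }

    /* Complete the IRP here so the open never reaches the file system. */
    Data->IoStatus.Status = STATUS_ACCESS_DENIED;
    Data->IoStatus.Information = 0;
    return FLT_PREOP_COMPLETE;
}
```

Because the decision is taken before the file system sees the request, it applies equally to removable media and non-NTFS volumes the filter is attached to, which is what the question asked for.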


