Setting permissions specific to a process in windows - windows

There is some confidential data of user that I am encrypting using DPAPI. This encrypted data is being stored in a file and is placed in %LOCALAPPDATA% folder.
How can I prevent other processes from accessing that file, since any other process running in the user session can decrypt it. Does windows have some provision to facilitate my requirement or is this a path that should not be pursued to protect the data?

Related

How to change user.home for websphere liberty

I am trying to create a liberty cluster. While generating the keys, liberty is creating some keys under logged-in user's home directory which is c:\users\xyz\ .ssh.
How do I say liberty to save the keys under d:\users\xyz\ .ssh?
I need this because, i am working in citrix environment and c drive image is always replaced upon restart and I am loosing the keys forcing me to create the cluster again or save a copy of the keys before I log out for day.
Did you try displaying options for registerHost action like this:
D:\Liberty\wlp\bin>collective.bat help registerHost
it shows rpcUserHome param, which might be what you are looking for:
--rpcUserHome=path
Optional. The home directory for the user with which to authenticate
to the RPC mechanism. Defaults to the current OS user home directory.
This value is used when generating SSH keys.

adding registry key for Windows local SYSTEM user

I am somewhat new to Registry Keys in Windows. What I want to do is add a registry key ONCE that will take effect on the local SYSTEM user (for as long as my program is installed). This registry key will need to be added through a batch file while logged on as a regular user (not the SYSTEM user). What I am doing exactly is running a batch script that creates a windows service. This service is running as the local system user. The service is trying to do something that requires a registry key to be set. I tried manually setting the registry key in HKEY_LOCAL_MACHINE but I am still hitting the roadblock when my service is run. Is this the correct place to change registry keys so that the local system account will see them? Any knowledge on the subject would be greatly appreciated!

Moving Windows 7 encrypted file

I am testing Windows 7 file encryption. A test file was encrypted ( I see green colored file name). that file was shared across the network and it still can opened from other station. That green color file name is also viewable from other computer as well. What am I doing wrong? I admit that I don't know the encryption concept yet.
If I moved that file to shared folder of other computers, message appeared asking "Confirm encryption loss". How can I copy that file with encryption?
I know Truecrypt software but I am testing with Windows Encryption.
The NTFS file encryption is using your password hash to encrypt the file.
If you connect to the file from another computer you need to supply the user's password, which means the remote computer has the key to decrypt the file.
If you copy the file from the share to the local computer windows will save the key in the remote computer.
The whole idea in the filesystem encryption is that another user cannot use your encrypted files, or someone that get a hold on your hard-drive. But, if you're logged in, all the running applications that has been executed by you or have access to your token (for example, SYSTEM user) can access the file without ever knowing it is encrypted on the disk.
Be careful of encryption! Some encryption systems for Windows will automatically encrypt your files/folders for you. This is common in gov't/corporate computers. If you do NOT have this set, and then another user on your computer who DOES have this set accesses your file/folder, the file/folder can get encrypted with that other user's token, and then you won't be able to access your own file/folder!
This actually happened to me last week. Took a whole day to figure it out, because Windows won't tell you WHO encrypted the file, just that it wasn't done with your current token. Aaargh!
(This won't happen if permissions are set to ReadOnly, but in a collaborative environment sometimes permissions aren't set that way.)

What's the best way to (programatically) determine a file's network origin?

For an application I'm writing, i want to programatically find out what computer on the network a file came from. How can I best accomplish this?
Do I need to monitor network transactions or is this data stored somewhere in Windows?
When a file is copied to the local system Windows does not keep any record of where it was copied. So unless the application that created it saved such information in the file then it will be lost.
With file auditing file and directory operations can be tracked, but I don't think that will include the source path with file copies (just who created it and when).
Yes, it seems like you would either need to detect the file transfer based on interception of network traffic, or if you have the ability to alter the file in some way, use public key cryptography to sign files using a machine-specific key before they are transferred.
Create a service on either the destination computer, or on the file hosting computers which will add records to an Alternate Data Stream attached to each file, much the way that Windows handles ZoneInfo for files downloaded from the internet.
You can have a background process on machine A which "tags" each file as having been tagged by machine A on such-and-such a date and time. Then when machine B downloads the file, assuming we are using NTFS filesystems, it can see the tag from A. Or, if you can't have a process at the server, you can use NTFS streams on the "client" side via packet sniffing methods as others have described. The bonus here is that future file-copies will retain the data as long as it is between NTFS systems.
Alternative: create a requirement that all file transfers must be done through a Web portal (as opposed to network drag-and-drop). Built in logging. Or other type of file retrieval proxy. Do you have control over procedures such as this?

Getting/setting security attributes of files on a network share

I am able to get/set security attributes (group, owner, DACL, SACL) of files on a NTFS volume by using the GetSecurityInfo/SetSecurityInfo API. The handles I pass to these APIs must be opened with specific access rights (READ_CONTROL, ACCESS_SYSTEM_SECURITY, WRITE_DAC, WRITE_OWNER) which require certain privileges (SE_SECURITY, SE_BACKUP, SE_RESTORE) to be enabled while creating them with CreateFile, which is no problem at all if the files are located on an NTFS volume, and of course if the calling process has sufficient rights. There is a problem, however, if the files are actually located on a network share - creating the file handles would fail with ACCESS_DENIED(5) or PRIVILEGE_NOT_HELD(1314). I guess this is due to the fact that the attempt to create the file handle is actually made on the remote machine in the context of a network logon session which represents my user on the remote machine, and the required privileges are not enabled for that remote process. Is there a way I can get past this limitation, i.e. be able to get/set security attributes of files on network shares?
A similar problem is getting a handle to a directory on a network share. While being able to do it locally (by using FILE_FLAG_BACKUP_SEMANTICS), I understand that this particular flag is not redirected to the remote machine, which I believe is the reason I can't open a handle to a directory on a network share. Is there a way to do this?
Well, it seems I was the one at fault here - I have been testing this case with a user which, although an administrator on my local machine, is a regular restricted user on the file server, which caused all the trouble. You can copy security attributes and open handles to directories on a network share if you connect to it with a user which has sufficient rights on the file server which is sharing the resources.

Resources