Customizable security in NTFS? Needs to be extensible & dynamic



I'm very familiar with the Win32 Security API functions for managing NTFS permissions. However, I've come up with a need to have a more dynamic way of updating the effective access rights to a folder or file on-the-fly. Since a user's access-token is generated at logon time, adding the user to new security groups doesn't alter the effective security until they log out and log on again. I also don't want to alter the existing DACL because there may already be other ACEs with the user's SID in them that provide some level of access, but the set of rules to be applied for determining allowed & denied access levels may change frequently and modifying ACEs that may be inheritable could impose an overhead on the system that's not acceptable in terms of resources spent propagating inheritable ACEs.

I'm looking into file system filter drivers in an attempt to determine if there's a way that a filter driver layered on top of NTFS would allow me to implement this more sophisticated type of security. It would appear that in Win2K3 R2, the file filtering and directory quota features are implemented as filter drivers rather than being integrated directly into NTFS itself, so I'm thinking that I'm on the right track here. However, it wouldn't hurt to get some confirmation from somebody with experience at writing or supporting the development of file system filter drivers.

Am I heading in the right direction? Or, do I need to look at "hooking" the API functions that determine effective rights?


TIA,

Chuck
--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc. 864 801 2795 voice & voicemail
103 Autumn Hill Road 864 801 2774 fax
Greer, SC 29651

Do not send me unsolicited commercial email.
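
The logon-time token behaviour described in the post, as an added example that is not part of the original post: a simplified Python model of ordered DACL evaluation against a token's SID list, showing that a group change made after logon has no effect until a new token is issued. The SIDs, mask bits and the `Directory` class are constructed for illustration and are not Win32 APIs.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2   # simplified access-mask bits (constructed)

@dataclass(frozen=True)
class Ace:
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    sid: str
    mask: int

class Directory:
    """Hypothetical stand-in for the account database: user SID -> group SIDs."""
    def __init__(self):
        self.groups = {}

    def add_to_group(self, user, group):
        self.groups.setdefault(user, set()).add(group)

    def logon(self, user):
        # The token copies the group list at logon; later changes are not seen.
        return frozenset({user} | self.groups.get(user, set()))

def access_check(token_sids, dacl, desired):
    """Walk the ACEs in order and compare each one against the token's SIDs."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if not ace.allow and ace.mask & remaining:
            return False              # a matching deny ACE ends the check
        if ace.allow:
            remaining &= ~ace.mask    # these bits are now granted
        if remaining == 0:
            return True
    return False                      # bits never granted are implicitly denied

def demo():
    d = Directory()
    user, group = "S-USER-alice", "S-GROUP-editors"    # constructed SIDs
    dacl = [Ace(True, user, READ), Ace(True, group, WRITE)]
    old_token = d.logon(user)
    before = access_check(old_token, dacl, READ | WRITE)
    d.add_to_group(user, group)                        # DACL is left untouched
    stale = access_check(old_token, dacl, READ | WRITE)
    fresh = access_check(d.logon(user), dacl, READ | WRITE)
    return before, stale, fresh

if __name__ == "__main__":
    print(demo())
```
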