Re: Disable File Deletion/Hiding Folders



David,

Anton Bassov has already said:
> Therefore, your task is just infeasible -it is impossible to protect
> access to your file in such
> way that Admin cannot find this or that workaround......

By saying "infeasible task" I meant "cannot be done by application
alone". Certainly, if you are allowed to load drivers you can hide
files - depending on your objectives, anything from FS filters to
hardcore "rootkit technology" is at your disposal. To be honest, I did
not mention all this stuff simply because it was obvious to me from the
very beginning that the OP is a newbie, so that it just does not make
sense to mention any advanced solutions - after all, writing a driver
that hides files is not the easiest thing one can imagine. After having
read his statement about the "solution" that he had found, I came to
the conclusion that my statement about "infeasible task" was absolutely
correct in this context - as far as the OP is concerned, the task is
really infeasible.

Anton Bassov


David Jones wrote:
You just don't get it. Would it help if I said that what you are
trying to do is impossible? (You've already been told this, yet
you still insist, which is beyond my comprehension.)

Anton Bassov has already said:
> Therefore, your task is just infeasible -it is impossible to protect
> access to your file in such
> way that Admin cannot find this or that workaround......

You replied that you found software that partly worked, but actually
didn't. This doesn't prove Anton wrong, nor even suggest that he
might be wrong. If Anton is right, you shouldn't be surprised that
you could work around the "solution" provided by that other software.

Alexander Grigoriev replied with:
> What you're asking for is how to code the way you think you should
> solve your original problem, not about your original problem.
> Security through obscurity won't work. File/folder hiding won't
> work. State your original problem and the better solution may
> exist (or may not exist, if the objective is unreasonable).

You were told yet again that this isn't a feasible goal to work
towards, yet you insisted again.

There's a fundamental problem with trying to prevent Administrators
from doing something anyway -- they're *ADMINISTRATORS*, for crying
out loud! Administrators are similar to "root" in other file systems.
(Local System is a closer analog, but there's not a lot of difference
between the two AFAIK.) If you can't trust your administrators, you
have bigger problems to worry about.

Don't reinvent the wheel -- deny privileges in NTFS, run your app
in the context of a user that *does* have access, and just accept
the fact that Administrators can muck with the data. You CANNOT
stop them. They can install a driver. Hell, they could open the
volume and write to the disk directly if they wanted.

So, you were asked *why* you want to prevent people from viewing /
deleting these files, including Administrators. Since you are
doomed to fail by taking this approach, perhaps your root problem
would allow us to think of another solution.

Here's an example of what I mean by another solution:

My first thought was that you could install a service that opens
the file with exclusive access so that reads, writes, and deletes
all fail. Then, for your application to access the file, you ask
the service for the data. No hiding is involved! (Not that this
will actually work: MoveFileEx should still be able to delete it if
you have Administrator / Local System access, plus the Administrator
could just disable your service and reboot.) But, if this did work,
it would be a solution that isn't the same as your "solution".

Another solution: store the files on a network server and then
authenticate all the clients. Then, it wouldn't matter what your
local access rights are.

What is it about your data that makes it so sensitive not even
Administrators can look at it or delete it? What is the context
of you application and the data it contains? What problem are
you REALLY trying to solve?

David


tasleem wrote:
Definitely I'm here to implement the solution that hides files or folders.

"Alexander Grigoriev" wrote:


Hiding file and folders, is it the actual _problem_ you're trying to solve,
or it's _solution_ you're trying to implement, for another (real) problem?
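
Added example, not part of the original thread: one way to apply the advice quoted above ("deny privileges in NTFS, run your app in the context of a user that *does* have access"), using icacls from an elevated PowerShell prompt. The folder path and account name are hypothetical placeholders; the audit rule at the end goes beyond the post and records deletions, since Administrators cannot be locked out.

```powershell
# Added example; the path and account name are hypothetical placeholders.
$DataDir = 'C:\ProgramData\ExampleApp\Data'   # hypothetical data folder
$SvcUser = 'EXAMPLEPC\svc-exampleapp'         # hypothetical account the app runs as

New-Item -ItemType Directory -Path $DataDir -Force | Out-Null

# Stop inheriting ACEs from the parent and drop the inherited copies,
# so broad entries such as BUILTIN\Users no longer apply to this folder.
icacls $DataDir /inheritance:r

# Grant Modify to the application's account only.
# (OI)(CI) makes the entry apply to files and subfolders created later.
icacls $DataDir /grant:r "${SvcUser}:(OI)(CI)M"

# Keep SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544) at Full control.
# Removing them would only be cosmetic: an administrator can take ownership
# and rewrite the ACL, which is the point made in the thread.
icacls $DataDir /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F'

# Beyond the post: audit successful deletes by anyone, so removal of the
# data is at least recorded in the Security event log (event ID 4663).
auditpol /set /subcategory:"File System" /success:enable
$acl  = Get-Acl -Path $DataDir -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $DataDir -AclObject $acl

# Review the resulting DACL.
icacls $DataDir
```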

