In the place where I work we have sensitive data on our computers that needs to stay there, but we regularly update our data, so we need a way to disallow copying to a flash drive but allow copying from the flash drive to the computer. Currently we're doing that with the Windows registry key StorageDevicePolicies-->WriteProtect(1), but since anyone with some computer knowledge can undo this it's not secure enough. I searched but couldn't find anything online, so I decided to develop it myself. The problem is I don't have any experience working with hardware; I mostly develop database applications in C#. So I would appreciate a solution in C#, but anything that can help is highly appreciated.
If they have admin rights, then any C# program you write can be shut off just as easily as they can change the registry key. The real solution is to modify user rights, and possibly remove flash drive capabilities and use network shares instead when data needs to be copied to machines.
If anything, I might just make a service with an unassuming name that polls the registry key periodically to see if it's been flipped, and if it has then notify IT staff, who would then commandeer the computer, flash drive, and event logs (showing the registry key was changed by that user), and then refer them and the logs to management. This assumes employees have been thoroughly and frequently warned that copying data off machines is strictly against the rules. Sometimes it is not clear to a user when an IT road block is just poorly managed IT, or a company policy.
Alternatively, you could make the service force the bit back if it is changed, but then trial and error will allow a user with admin rights to discover which service needs to be shut down to prevent this.
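As an added example (my code, written for .NET Framework, not the answerer's), here is the core of the watchdog service this answer sketches. It polls HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect, the value the question mentions, writes an Application-log event when the value is cleared, and optionally restores it. The class name, the event source "UsbWriteProtectWatch" and the event ID are this example's own choices. One caveat the answer leans on: the event log only shows *who* flipped the key if the key itself is audited (a SACL on it plus "Audit object access" / "Audit Registry" enabled); the watchdog can only record *that* it changed, and under what conditions.

```csharp
using System;
using System.Diagnostics;
using System.Threading;
using Microsoft.Win32;

public static class WriteProtectWatchdog
{
    const string KeyPath = @"SYSTEM\CurrentControlSet\Control\StorageDevicePolicies";
    const string ValueName = "WriteProtect";
    const string EventSource = "UsbWriteProtectWatch"; // assumed name; register it once at install time as admin

    // True only when the value exists, is a DWORD and equals 1. A missing key is "not protected".
    public static bool IsWriteProtected()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(KeyPath, false))
        {
            if (key == null) return false;
            object v = key.GetValue(ValueName);
            return v is int && (int)v == 1;
        }
    }

    // Re-creates the key and value. Needs LocalSystem or an administrator token.
    public static void Enforce()
    {
        using (RegistryKey key = Registry.LocalMachine.CreateSubKey(KeyPath))
            key.SetValue(ValueName, 1, RegistryValueKind.DWord);
    }

    static void Report(string message)
    {
        if (!EventLog.SourceExists(EventSource))          // itself needs admin rights
            EventLog.CreateEventSource(EventSource, "Application");
        EventLog.WriteEntry(EventSource, message, EventLogEntryType.Warning, 1001);
    }

    // Poll loop; start it from the service's OnStart on a background thread and
    // cancel it from OnStop. 'restore' selects the "force the bit back" variant.
    public static void Run(CancellationToken stop, bool restore, TimeSpan interval)
    {
        bool lastState = IsWriteProtected();
        while (!stop.IsCancellationRequested)
        {
            bool now = IsWriteProtected();
            if (lastState && !now)
            {
                Report("USB write protection was disabled on " + Environment.MachineName
                       + " at " + DateTime.Now.ToString("o") + " (logged-on user: "
                       + Environment.UserDomainName + "\\" + Environment.UserName + ")");
                if (restore) { Enforce(); now = true; }
            }
            lastState = now;
            stop.WaitHandle.WaitOne(interval);
        }
    }
}
```

Wire it up with something like `WriteProtectWatchdog.Run(token, restore: false, interval: TimeSpan.FromSeconds(30))`. Environment.UserName inside a service reports the service account, not the interactive user, so the real attribution still has to come from the audited registry event.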
I doubt you have network access, because you are using flash drives to copy data. But even if you don't have a network you can still use this method (but administrators can still get around it).
Group Policy has the exact setting you are looking for. Just open the Group Policy snap-in, then look under either Computer Configuration or User Configuration (if you want it applied on a computer basis or a user basis, respectively; if you want it on one computer but only applied to some users you need to set up loopback processing), then go to \Administrative Templates\System\Removable Storage Access\
In that folder you can enable the following settings:
CD and DVD: Deny write access
Custom Classes: Deny write access
Floppy Drives: Deny write access
Removable Disks: Deny write access
Tape Drives: Deny write access
WPD Devices: Deny write access
If you are on a domain you can make it so that even if the user is a local administrator on the computer they can't disable the setting unless they are a domain administrator too. If you are not on a domain, any user who is an Administrator can disable it.
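Added example, not part of the answer: the settings listed above land in the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\<device class GUID> as Deny_Write (plus Deny_Read and, for removable disks, Deny_Execute) DWORDs, and Group Policy rewrites them at every refresh, which is why a local administrator on a domain-joined box cannot durably undo them. This C# snippet reads that key so a service or logon script can confirm the policy actually applied. The "Removable Disks" class GUID is the one the policy template uses as I know it; confirm it against RemovableStorage.admx on your own build. User Configuration settings go to the same path under HKCU, which the code also checks.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Win32;

public static class RemovableStoragePolicy
{
    const string PolicyRoot = @"SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices";

    // Class GUID under which "Removable Disks" settings are stored (verify against RemovableStorage.admx).
    public const string RemovableDisks = "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}";

    // True when the machine-wide policy denies writes for the given device class.
    public static bool DenyWriteIsApplied(string classGuid)
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(PolicyRoot + "\\" + classGuid))
            return key != null && (key.GetValue("Deny_Write") as int?) == 1;
    }

    // One line per class the policy touches. Unknown GUIDs are reported verbatim, not guessed.
    public static IEnumerable<string> Summarize(RegistryKey hive)
    {
        using (RegistryKey root = hive.OpenSubKey(PolicyRoot))
        {
            if (root == null)
            {
                yield return hive.Name + ": no Removable Storage Access policy present";
                yield break;
            }
            foreach (string cls in root.GetSubKeyNames())
                using (RegistryKey k = root.OpenSubKey(cls))
                    yield return string.Format("{0}\\{1}: Deny_Write={2} Deny_Read={3} Deny_Execute={4}",
                        hive.Name, cls, k.GetValue("Deny_Write", 0),
                        k.GetValue("Deny_Read", 0), k.GetValue("Deny_Execute", 0));
        }
    }

    static void Main()
    {
        // Computer Configuration -> HKLM, User Configuration -> HKCU
        foreach (RegistryKey hive in new[] { Registry.LocalMachine, Registry.CurrentUser })
            foreach (string line in Summarize(hive))
                Console.WriteLine(line);
        Console.WriteLine("Removable disks write-denied (machine): " + DenyWriteIsApplied(RemovableDisks));
    }
}
```

This only verifies that the policy reached the machine; enforcement is done by the OS when the device is mounted, so a check that prints "true" after `gpupdate /force` is the expected steady state.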
I am attempting to connect to my Google Drive using C# and the Google Drive API and then map that as a network or local drive. There are other programs I know that do this like NetDrive (which is extremely useful and robust), but I am looking to create something on my own. I have created a project in the developer console and have been able to connect to Drive using my application and do various read and upload operations, so I know that particular portion is ok. Access and permissions all seem to be set. I just have no idea where to start when it comes to mapping that storage as a usable drive in Windows. Any advice would be most helpful, thank you very much!
There are two basic components for implementing a NetDrive/WebDrive type of solution. What you are looking at is the creation of an Installable File System and Network Provider.
The Network Provider, or NP, is the user mode component that handles the Network layers, including the mapping and unmapping of the drive letter, along with lots of other fairly complicated UNC/Network stuff. To get an idea of what you are in for, check out the Win32 WNET*() API; you will need to implement all of the WNet() calls specifically for your IFS and 'network'.
When you are done, you'll probably have the ability to do a "net use \MyWebDrive\" in DOS and Map Network Drive in Windows Explorer. You might also be able to use Windows Explorer to enum the contents of the remote file system.
However, now you need to make sure that all third party applications can access your network drive...to do that, you want to implement the Win32 File System API, such as CreateFile, Read(), Write(), CloseHandle(), FindFirst(), etc.
To do this, you can write an Installable File System Driver, FSD, to handle all I/O calls from User mode applications wanting to read/write to the files on that mapped network drive. This will most likely be a Kernel Mode application...a signed/certified file system device driver....probably written in old-school C and maybe even utilizing TDI depending on how you want to do your network IO.
Microsoft is becoming much more strict about installing 3rd party kernel mode drivers and network providers. The WebDrive file system driver is now securely signed using a Microsoft based TLS certificate and our Network Provider has been registered with the Microsoft Windows SDK team as a legitimate Network Provider for the Windows platform.
Once you get these pieces in place, you'll then want to think about Caching. Direct I/O through your NP/FSD over the wire to Google is not practical, so you'll need an intermediate caching system on your local drive. There are lots of ways to do that, too many to go into here. However, just keep in mind that you may have multiple user mode applications reading and writing to your network drive simultaneously (or one app like WinWord which opens multiple file handles), and you'll need to be able to handle all those requests with proper locking and ACLs, and then map those changes and access rules to the remote server.
Don't lose faith...what you are looking to do is possible as WebDrive and NetDrive have shown, but it's not really a project that can be knocked out in a few weekends. I'm not sure about the author of NetDrive, but we've been developing WebDrive full time since 1997. It seems that every Windows Patch changes something and every new version of Adobe/Office/XYZ does something quirky with IO calls that makes us pull our hair out.
Note: There's also another way to implement this beast which may get around the FSD, it's the DropBox strategy. Using a temporary folder on your local hard drive, leverage Directory Change Notifications in a User Mode application to monitor file changes in the folder and dynamically synchronize the changes to the remote end. GoogleDrive and a lot of the other online storage companies do it this way because it's quick-&-easy; however, if many changes occur in a short period, a Change Notification could get lost in Windows Messaging and data might get trashed.
I realize this is a lot to digest, but it's doable...it's cool stuff; good luck!
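Added example (my code, not WebDrive's or NetDrive's): the "DropBox strategy" from the note above, with the failure mode it warns about handled. In .NET the directory change notifications surface through FileSystemWatcher, and when changes arrive faster than the buffer is drained the watcher raises its Error event with an InternalBufferOverflowException and the intervening notifications are gone. The answer to that is to use the largest buffer, keep the handlers to a single enqueue, and treat an overflow as "everything is dirty" by rescanning the folder. UploadOrDelete stands in for the Drive API calls; C:\DriveCache is a placeholder path.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IO;
using System.Threading;

public sealed class LocalFolderSync : IDisposable
{
    readonly string _root;
    readonly FileSystemWatcher _watcher;
    readonly BlockingCollection<string> _dirty = new BlockingCollection<string>();
    int _overflowed; // set to 1 by the watcher when notifications were dropped

    public LocalFolderSync(string root)
    {
        _root = Path.GetFullPath(root);
        _watcher = new FileSystemWatcher(_root)
        {
            IncludeSubdirectories = true,
            InternalBufferSize = 64 * 1024,  // maximum; the 8 KB default fills during a burst of saves
            NotifyFilter = NotifyFilters.FileName | NotifyFilters.DirectoryName
                         | NotifyFilters.LastWrite | NotifyFilters.Size
        };
        // Handlers only enqueue; the kernel buffer drains while they are not running.
        _watcher.Created += (s, e) => _dirty.Add(e.FullPath);
        _watcher.Changed += (s, e) => _dirty.Add(e.FullPath);
        _watcher.Deleted += (s, e) => _dirty.Add(e.FullPath);
        _watcher.Renamed += (s, e) => { _dirty.Add(e.OldFullPath); _dirty.Add(e.FullPath); };
        // Raised with InternalBufferOverflowException when notifications were lost.
        _watcher.Error += (s, e) => Interlocked.Exchange(ref _overflowed, 1);
        _watcher.EnableRaisingEvents = true;
    }

    // Runs on a worker thread: batches notifications and, after an overflow, marks
    // every file under the root dirty so nothing is silently skipped.
    public void Drain(CancellationToken stop, Action<string> syncPath)
    {
        var batch = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        while (!stop.IsCancellationRequested)
        {
            string p;
            while (_dirty.TryTake(out p)) batch.Add(p);
            if (Interlocked.Exchange(ref _overflowed, 0) == 1)
                foreach (string f in Directory.EnumerateFiles(_root, "*", SearchOption.AllDirectories))
                    batch.Add(f);
            foreach (string path in batch) SyncWithRetry(path, syncPath);
            batch.Clear();
            stop.WaitHandle.WaitOne(TimeSpan.FromSeconds(1)); // batching window
        }
    }

    // Changed fires while the writer may still hold the file open; retry sharing violations.
    static void SyncWithRetry(string path, Action<string> syncPath)
    {
        for (int attempt = 0; ; attempt++)
        {
            try { syncPath(path); return; }
            catch (IOException) when (attempt < 5) { Thread.Sleep(200 * (attempt + 1)); }
        }
    }

    public void Dispose() { _watcher.Dispose(); _dirty.Dispose(); }
}

static class Program
{
    static void Main()
    {
        using (var sync = new LocalFolderSync(@"C:\DriveCache"))
        using (var cts = new CancellationTokenSource())
        {
            var worker = new Thread(() => sync.Drain(cts.Token, UploadOrDelete));
            worker.Start();
            Console.ReadLine();
            cts.Cancel();
            worker.Join();
        }
    }

    // Placeholder for the Drive calls (files.create/update on upload, files.delete on removal).
    static void UploadOrDelete(string path)
    {
        if (File.Exists(path)) Console.WriteLine("upload  " + path);
        else if (!Directory.Exists(path)) Console.WriteLine("delete  " + path);
    }
}
```

The rescan is deliberately coarse: comparing local hashes or timestamps against what was last uploaded would avoid re-sending unchanged files, but the correctness property (no lost change) comes from the rescan, not from the notifications.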
I suggest that before you start coding, you take time to thoroughly understand Google Drive and map its capabilities to/from Windows. Some sample points of impedance:
folders in Drive aren't folders at all
A file in Drive = the metadata, content is optional
Drive has a lot of metadata that doesn't map to NTFS (eg. properties)
Will applicable files be converted to Google Docs, or stored as is
How will you map revisions
Permissions
There are almost certainly more, this is just off the top of my head. Your app needs to make decisions regarding all of these aspects. Generally, Drive offers more capabilities than NTFS, so provided you are simply using it as a backup repository, you should be OK.
I have a kind of odd request- I have lots of users who run my application, and I need to be able to have the app know who is running it. This isn't a problem at all, and I am capturing this info just fine.
The trick is the application needs to access a network share that is restricted; none of the users running the app have permission to do anything there. And there's a lot of stuff going on there: reading files, writing, and since this is a WPF app, data binding to file URIs in that restricted area. To set ImageSource of an Image, for example. In all different parts of the application, I need unrestricted access to that data.
I have been looking into the WindowsIdentity.Impersonation stuff, but it seems to be more targeted towards impersonating a user in a small context scope and then ending impersonation.. which is okay, but not convenient.
Is there a way to have my app start and then Impersonate a user within the app scope? So then I could do all the work with the correct permissions sets.
One approach that might work is to set up a Windows service on the user's machine that can connect to the server with appropriate Active Directory account privileges. Your application would communicate with that Windows service rather than with the server directly. While this might literally do what you want, the implementation may be more involved than you care to mess with.
I have a simple C# app (it is WPF), and I am polling a network location for any new *.pdf. The app runs elevated.
The network location has been mapped to the local PC as P:\ so it is quite simple to just monitor P:\ by just doing a Directory.GetFiles("p:\", "*.pdf"). This technique works great.
However, the other day I ran into an exception: "Could not find part of the path 'P:\'" (DirectoryNotFoundException).
I noticed the drive was mapped to the PC, but when the IT guy clicked on the drive in Windows Explorer, it required a login and password. We were then able to view P:\ in Explorer, but my app still could not access P:\.
I had the IT guy remove the login/password and then it worked (but it could have been due to a restart too, I am not sure).
What is confusing me is that I am not aware of any moment where they 'enabled' password protection for the mapped location, so I am not sure when, why, or how it stopped working. I didn't even know it was password protected.
That leads to my very simple yes/no question: If a mapped drive is password protected in Windows Explorer, and a user types in the login/password so that they can get to it in Explorer, is that enough such that my app does not need to log in with user/pass information?
If the answer is no, then I will google the proper technique for accessing p:\ using a user/pass. But any explanation about my problem is surely appreciated.
Thanks
The reason it asks for a password is that the current user logged on to Windows does not have access to that network path, and so the program running under your logon doesn't either.
What you need to do is get the IT guys to give the account which runs your app permission to access it directly, so that the password protection will be transparent for you.
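Added example serving both the impersonation question and the mapped-drive question above (my code, written for .NET Framework 4.6 or later, not the posters'). LogonUser with LOGON32_LOGON_NEW_CREDENTIALS produces a token whose credentials are used only for outbound network connections, and WindowsIdentity.RunImpersonated applies that token to the calling thread for the length of a delegate. Two facts the questions run into: impersonation is per thread, so WPF data binding on the UI thread to a file URI does not pick it up (read the bytes under impersonation and bind to a stream instead); and mapped drive letters belong to a logon session, so an elevated process or a service does not see a P: mapped in the user's ordinary session, which is why the code addresses the share by UNC path. The domain, account and share names are placeholders.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Windows.Media.Imaging;
using Microsoft.Win32.SafeHandles;

public static class RestrictedShare
{
    // Credentials apply to outbound network connections only; local identity is unchanged.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Obtain the token once at startup and keep it for the life of the process.
    public static SafeAccessTokenHandle Logon(string domain, string user, string password)
    {
        SafeAccessTokenHandle token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return token;
    }

    // Impersonation covers the calling thread only, for the duration of the delegate.
    public static T Under<T>(SafeAccessTokenHandle token, Func<T> work)
    {
        return WindowsIdentity.RunImpersonated(token, work);
    }

    // Always use the UNC path; drive letters are per logon session.
    public static string[] ListPdfs(SafeAccessTokenHandle token, string uncFolder)
    {
        return Under(token, () => Directory.GetFiles(uncFolder, "*.pdf"));
    }

    public static byte[] ReadAll(SafeAccessTokenHandle token, string uncPath)
    {
        return Under(token, () => File.ReadAllBytes(uncPath));
    }

    // WPF: bind Image.Source to the result of this instead of to a file URI, so the
    // read happens under impersonation rather than on the binding engine's thread.
    public static BitmapImage LoadImage(SafeAccessTokenHandle token, string uncPath)
    {
        var bmp = new BitmapImage();
        bmp.BeginInit();
        bmp.StreamSource = new MemoryStream(ReadAll(token, uncPath));
        bmp.CacheOption = BitmapCacheOption.OnLoad;
        bmp.EndInit();
        bmp.Freeze();
        return bmp;
    }
}

static class Example
{
    static void Main()
    {
        // Placeholder names. The password has to come from somewhere safer than source code.
        using (SafeAccessTokenHandle token = RestrictedShare.Logon("CORP", "svc_reports", "********"))
        {
            foreach (string pdf in RestrictedShare.ListPdfs(token, @"\\fileserver\reports"))
                Console.WriteLine(pdf);
        }
    }
}
```

The security caveat the other answer already points at: whatever credential this app uses is recoverable by the user running it (from the binary, config or a memory dump), so impersonation inside the client only hides the share from casual users. If the share really must stay off-limits to them, the broker-service design, running under its own account, is the right shape.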
In C#, on a Windows 7 machine, how can I programmatically access every file on the file system as though I were a "Master Administrator"?
The main priority here is that after my C# program is installed, it won't run into any file/folder access permission problems. My program runs as a Windows service, and it must allow a user to back up any files on the file system.
I would have thought that it would work if you just make sure that the service runs under an account in the Backup Operators group. I thought that group had access to all files no matter what permissions there are.
Quote from MS Support page:
SID: S-1-5-32-551
Name: Backup Operators
Description: A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.
Though that page is for earlier versions of Windows so I'm not 100% certain that it's not been changed.
There is the Win32 backup API which is most likely what you want, maybe in combination with the Volume Shadow Service. And your application has to have the SeBackupPrivilege privilege. Note, though, that files encrypted with EFS can be read, but only in their encrypted form.
Links which may also be interesting for you:
http://mutable.net/blog/archive/2006/11/21/an-intelligent-backup-system-for-windows-part-3.aspx
http://msdn.microsoft.com/en-us/library/aa362520(v=VS.85).aspx
You will have to configure the service to run under an account with sufficient privileges.
AFAIK the standard 'Local System' already has rather high privileges. But no matter what, you won't be able to access files that are reserved to the System account, or files that are in use exclusively. Your program will always have to be able to handle Access related exceptions.
I was asked to find a way to monitor changes (modification, renaming, deletion, moving) of files in specific folders on the company's shared file server (simple windows shared directory). I wrote a simple app in C# that uses FileSystemWatcher to monitor these changes and notify a particular email address of them.
What I'd like to know now is how to find out the name/IP of the user/computer who made these changes. Any ideas?
As an alternative to writing my own software, are there any good (possibly free) software that supports this functionality?
Use auditing - it's on the Security tab when you get the properties of a file/folder. You specify which users you want audited for what kind of access. You also have to turn on auditing using the security policy MMC snap-in. The audits will end up in the Security log.
Detailed instructions from MS: http://support.microsoft.com/kb/310399
If you want, your C# app could then pick the events out of the security event log.
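Added example (my code, not the answerer's) of both halves of this answer in C#: putting the audit entry on the folder programmatically, and pulling the resulting 4663 ("An attempt was made to access an object") events out of the Security log. The parser works on the XML EventRecord.ToXml() returns; the sample event in the block is constructed for the offline demo, not a real capture. The folder path is a placeholder. Reading the Security log requires administrator rights or membership in Event Log Readers.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.IO;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Xml.Linq;

public static class FileAuditMonitor
{
    // Step 1 (once, as admin): audit successful writes, deletes and renames under the folder.
    // "Audit object access" (or the "Audit File System" subcategory) must also be enabled
    // in the security policy, or the SACL produces nothing.
    public static void EnableAuditing(string folder)
    {
        var di = new DirectoryInfo(folder);
        DirectorySecurity sec = di.GetAccessControl(AccessControlSections.Audit);
        sec.AddAuditRule(new FileSystemAuditRule(
            new SecurityIdentifier(WellKnownSidType.WorldSid, null),
            FileSystemRights.WriteData | FileSystemRights.AppendData | FileSystemRights.Delete
            | FileSystemRights.DeleteSubdirectoriesAndFiles | FileSystemRights.WriteAttributes,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None, AuditFlags.Success));
        di.SetAccessControl(sec);
    }

    public sealed class AccessRecord
    {
        public DateTime Time; public string User; public string Domain; public string Object;
        public string Process; public string LogonId; public uint AccessMask;
    }

    static readonly XNamespace Ev = "http://schemas.microsoft.com/win/2004/08/events/event";

    // Step 2: extract the fields that answer "who touched what" from a 4663 event.
    public static AccessRecord Parse4663(string xml)
    {
        XDocument doc = XDocument.Parse(xml);
        Func<string, string> data = name =>
            (string)doc.Descendants(Ev + "Data").FirstOrDefault(d => (string)d.Attribute("Name") == name);
        return new AccessRecord
        {
            Time = DateTime.Parse((string)doc.Descendants(Ev + "TimeCreated").First().Attribute("SystemTime")),
            User = data("SubjectUserName"), Domain = data("SubjectDomainName"),
            Object = data("ObjectName"), Process = data("ProcessName"),
            LogonId = data("SubjectLogonId"),
            AccessMask = Convert.ToUInt32(data("AccessMask"), 16) // "0x2" WriteData, "0x10000" DELETE
        };
    }

    // Step 3: newest-first walk of the Security log, filtered to one folder.
    public static IEnumerable<AccessRecord> Recent(string pathPrefix)
    {
        var q = new EventLogQuery("Security", PathType.LogName, "*[System[(EventID=4663)]]")
                { ReverseDirection = true };
        using (var reader = new EventLogReader(q))
            for (EventRecord r = reader.ReadEvent(); r != null; r = reader.ReadEvent())
                using (r)
                {
                    AccessRecord rec = Parse4663(r.ToXml());
                    if (rec.Object != null && rec.Object.StartsWith(pathPrefix, StringComparison.OrdinalIgnoreCase))
                        yield return rec;
                }
    }

    // Constructed sample event (not a real capture) so the parser can be exercised anywhere.
    const string Sample = @"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><EventID>4663</EventID><TimeCreated SystemTime='2012-03-01T10:15:30.000Z'/></System>
  <EventData>
    <Data Name='SubjectUserName'>jdoe</Data><Data Name='SubjectDomainName'>CORP</Data>
    <Data Name='SubjectLogonId'>0x3e7a1</Data>
    <Data Name='ObjectName'>D:\Shares\Finance\budget.xlsx</Data>
    <Data Name='ProcessName'>C:\Program Files\Microsoft Office\Office14\EXCEL.EXE</Data>
    <Data Name='AccessMask'>0x2</Data>
  </EventData></Event>";

    static void Main()
    {
        AccessRecord rec = Parse4663(Sample);
        Console.WriteLine("{0:u} {1}\\{2} {3} mask=0x{4:X} via {5}",
                          rec.Time, rec.Domain, rec.User, rec.Object, rec.AccessMask, rec.Process);
        // Live: foreach (var r in Recent(@"D:\Shares\Finance")) Console.WriteLine(r.Object);
    }
}
```

On the question's "name/IP of the user/computer": when the change came in over SMB, the 4663 on the file server names the account but the process is the server's own and there is no client address in it. Turn on "Audit File Share" / "Audit Detailed File Share" as well and correlate event 5145 (which carries IpAddress, ShareName and RelativeTargetName) with the 4663 by SubjectLogonId; that pairs the file with the machine it was changed from.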