How to limit folder/file access to a program only?

Question

Okay, so I am creating a c# winforms application.

I want to write/read from binary data file. But, I want to put that file in a folder somewhere and I do not want anyone to be able to delete or edit the file. I only want the program that uses the file to be able to access it.

Is this possible? I looked into MSDN's structure on file security and as I researched it I saw people complain that if you limit the file to a user then that person can just override the privileges and make it editable.

Also, I thought about how this would actually work considering in essence I would like a process to edit the file only and that process could have varying process ID's if it is opened and closed over time, seems tough.

Any thoughts?

Answer 1

Windows 10 version 1709 introduced Controlled Folder Access. This allows you to whitelist applications that can modify certain folders. You cannot restrict Read access.

Answer 2

well, I have the same issue and I did some research on this subject and I found that secure your information in a accesspoint database or any other Microsoft data base with password and only one specific app that have the password will have the permission to do read/write to these information.

Answer 3

Even though this will not satisfy all your requirements you can try IsolatedStorage (System.IO.IsolatedStorage Namespace).

How to write and read file in IsolatedStorage

The System.IO.IsolatedStorage namespace contains types that allow the creation and use of isolated stores. With these stores, you can read and write data that less trusted code cannot access and prevent the exposure of sensitive information that can be saved elsewhere on the file system. Data is stored in compartments that are isolated by the current user and by the assembly in which the code exists. Additionally, data can be isolated by domain. Roaming profiles can be used in conjunction with isolated storage so isolated stores will travel with the user's profile. The IsolatedStorageScope enumeration indicates different types of isolation. For more information about when to use isolated storage

Answer 4

You can prevent file access while your program is running if you open it exclusively.

However, when the program is not running, the file is no longer protected. So someone would just need to kill the program in order to access the file.

In order to protect the file while your program is not running, you'd need to set up a user account and assign it a password which is only known to the program. Then set the permissions of the file so that only your user can access the file.

However, any administrator can take over the ownership of the file, so even permission protection is useless.

Finally, someone can even take the hard disk out of the PC and read the raw data.

You might also think about whether you want to protect the file or the file content. If the file content is sensitive, think about encryption.

It really depends on your needs, which option to choose.

Answer 5

Run the app under a security group and assign persmissions to the folder and files with that security group. Revoke access for others and make it readonly

Answer 6

If you have control over the target filesystem prior to install then setup some file permissions and go from there. The user accessing the folder will need read permissions at minimum.