Reputation: 33
C# create a file so that only the user who created the file can access it
I need to create a file that will be used to store confidential data; the goal is to end up with an ACL that restricts access to the domain\user running at the time of the create. But the default seems to also allow unrestricted access for SYSTEM and for Administrator.
Two questions: first, is there anything in Windows or .NET that breaks horribly if SYSTEM and Administrator are denied access to a file?
Second, from C# how do I actually obtain the desired permissions? I'm just doing a File.Create("myFile.dat") right now; clearly that version of the API isn't the one I should use. I found a very elaborate alternative, but it seems to assume that I know the current domain name and user name; is that actually the only way to do it?
Thanks!
Upvotes: 3
Views: 703
Answers (4)
Reputation: 3253
I suggest you check out Encrypted File System. It's built into XP Pro, Vista, and Windows 7. (As well as the server products.)
It allows you to do exactly what you're trying to do. Only the user you encrypt the file with (i.e., the credentials associated with your running application) will ever be able to access the file in question. Not even local admins can read the file, regardless of the file system permissions.
You can use System.IO.File.Encrypt / Decrypt to perform the operation. The best part is, the user can still just double click the file to open it. No password. No custom application needed.
Be aware the somebody with a recovery certificate (typically a domain admin) can still decrypt the file, but there is nothing you'll be able to do about that unless you create your own encryption mechanism and prompt the user for a password everytime the try and open it.
Upvotes: 1
Reputation: 3230
Why don't you use the symmetric encryption technique and save the key for every user in database or registry ?
Upvotes: 0
Reputation: 8206
As far as I know, Administrator can access anything, regardless of the protection you set on it. You could encrypt the file, and hard code the key in your app.
look at the forth overload for System.Io.File.Create. The fourth argument is an System.Security.AccessControl.FileSecurity object. That should do the trick.
Upvotes: 2
Reputation: 19609
As far as I know this is not possible.
Unless I am mistaking SYSTEM has access to everything, period. I'm pretty sure that is the point. Administrators are similar in capacity, they can't be very good administrators if they can't even access files that those with less permissions can (exceptions exist of course). But if SYSTEM was unable to access the file, how would any operations be accomplished on it?
Thinking about it logically, I would have to say "no, it is not possible." Though it is possible also, that I am incorrect.
Upvotes: 2
Related Questions
- How can I create a file that only my application can modify it?
- take ownership of a file c#
- Prevent other processes and users from accessing a file
- Change rights to a file to be readonly
- c# Access denied to create a new file
- Create File and unable users to delete it C#
- How to keep/protect a file from being modified?
- How can I create a file that can be accessed by any user?
- C# Permission to save file
- How do I lock access to a file when a user has it open?