Welcome to Vista Banter. You are currently viewing our boards as a guest which gives you limited access to view most discussions, articles and access our other FREE features. By joining our free community you will have access to ask questions and reply to others posts, upload your own photos and access many other special features. Registration is fast, simple and absolutely free so please, join our community today! If you have any problems with the registration process or your account login, please contact contact support. |
|
Security and Windows Vista A forum for discussion on security issues with Windows Vista. (microsoft.public.windows.vista.security) |
|
LinkBack | Thread Tools | Display Modes |
|
|||
Volume ACL on Vista.
Hi,
I wrote a small program using QueryDosDevice(...) API to get the volume name associated to an unit name (A:, B:, C: etc.). I, then, use CreateFile(...) and SetSecurityInfo(...) to modifie the DACL of the volume, so that I can allow or deny users or groups to acces to the Unit. This is done dynamicaly by a service detecting the unit arrival. To be clear, the same thing can be done with : SetNamedSecurityInfo ("\\\\.\\A:", SE_FILE_OBJECT, DACL_SECURITY_INFORMATION|PROTECTED_DACL_SECURITY_ INFORMATION, NULL, NULL, paclNew, NULL); "\\.\A:" allow to open a volume and not the root of the unit as documented in API CreateFile(...). This works well on XP. On Vista it's different. The DACL on volume still works for CDROM and Floppy, but it's no longer working for disk (removal or not). On disks the DACL on volume just allow/deny the format.exe or checkdisk;exe commands. When i have a look to Microsoft documentation Removable storage device and Windows Vista support" (http://www.microsoft.com/whdc/device...storperms.mspx) the "File System Stack" being onthe top of "Volume Manager stack", ACL on Volume should lock users access. The tool "Device tree V2.19" from OSR company (http://www.osronline.com/) show the file system driver on the top of the volume driver. Sure i miss something. Anybody an explain what ? and how I can progamaticaly , on Vista give ACL right to volumes. I saw that GPO allows to put default ACLs on drivers class, is it the way ? Thanks in advance. JP |
|
|||
Volume ACL on Vista.
"Jean-Paul Blanc" wrote in message ... Hi, I wrote a small program using QueryDosDevice(...) API to get the volume name associated to an unit name (A:, B:, C: etc.). I, then, use CreateFile(...) and SetSecurityInfo(...) to modifie the DACL of the volume, so that I can allow or deny users or groups to acces to the Unit. This is done dynamicaly by a service detecting the unit arrival. To be clear, the same thing can be done with : SetNamedSecurityInfo ("\\\\.\\A:", SE_FILE_OBJECT, DACL_SECURITY_INFORMATION|PROTECTED_DACL_SECURITY_ INFORMATION, NULL, NULL, paclNew, NULL); "\\.\A:" allow to open a volume and not the root of the unit as documented in API CreateFile(...). This works well on XP. On Vista it's different. The DACL on volume still works for CDROM and Floppy, but it's no longer working for disk (removal or not). On disks the DACL on volume just allow/deny the format.exe or checkdisk;exe commands. When i have a look to Microsoft documentation Removable storage device and Windows Vista support" (http://www.microsoft.com/whdc/device...storperms.mspx) the "File System Stack" being onthe top of "Volume Manager stack", ACL on Volume should lock users access. The tool "Device tree V2.19" from OSR company (http://www.osronline.com/) show the file system driver on the top of the volume driver. Sure i miss something. Anybody an explain what ? and how I can progamaticaly , on Vista give ACL right to volumes. I saw that GPO allows to put default ACLs on drivers class, is it the way ? Thanks in advance. JP Hi, Jean-Paul Blanc A few things have changed in Windows Vista from how they worked with Windows XP. The articles at the links listed below are a must read and will no doubt answer your question. The fundamental structure of access control lists (ACLs) has not changed much for Windows Vista, but there are a number of small yet *important* changes you need to be aware of. http://technet.microsoft.com/en-us/m...07.06.acl.aspx Of course Windows it pro dot com has very good articles that you $hould find very useful. http://windowsitpro.com/article/arti...ay.htmlTechNet IT Professional Community is also a good source IT information. http://technet.microsoft.com/en-us/m...bb291006.aspxH Brown |
|
|||
Volume ACL on Vista.
"H Brown" wrote in message ... "Jean-Paul Blanc" wrote in message ... Hi, I wrote a small program using QueryDosDevice(...) API to get the volume name associated to an unit name (A:, B:, C: etc.). I, then, use CreateFile(...) and SetSecurityInfo(...) to modifie the DACL of the volume, so that I can allow or deny users or groups to acces to the Unit. This is done dynamicaly by a service detecting the unit arrival. To be clear, the same thing can be done with : SetNamedSecurityInfo ("\\\\.\\A:", SE_FILE_OBJECT, DACL_SECURITY_INFORMATION|PROTECTED_DACL_SECURITY_ INFORMATION, NULL, NULL, paclNew, NULL); "\\.\A:" allow to open a volume and not the root of the unit as documented in API CreateFile(...). This works well on XP. On Vista it's different. The DACL on volume still works for CDROM and Floppy, but it's no longer working for disk (removal or not). On disks the DACL on volume just allow/deny the format.exe or checkdisk;exe commands. When i have a look to Microsoft documentation Removable storage device and Windows Vista support" (http://www.microsoft.com/whdc/device...storperms.mspx) the "File System Stack" being onthe top of "Volume Manager stack", ACL on Volume should lock users access. The tool "Device tree V2.19" from OSR company (http://www.osronline.com/) show the file system driver on the top of the volume driver. Sure i miss something. Anybody an explain what ? and how I can progamaticaly , on Vista give ACL right to volumes. I saw that GPO allows to put default ACLs on drivers class, is it the way ? Thanks in advance. JP Hi, Jean-Paul Blanc A few things have changed in Windows Vista from how they worked with Windows XP. The articles at the links listed below are a must read and will no doubt answer your question. The fundamental structure of access control lists (ACLs) has not changed much for Windows Vista, but there are a number of small yet *important* changes you need to be aware of. http://technet.microsoft.com/en-us/m...07.06.acl.aspx Of course Windows it pro dot com has very good articles that you $hould find very useful. http://windowsitpro.com/article/arti...ay.htmlTechNet IT Professional Community is also a good source IT information. http://technet.microsoft.com/en-us/m...bb291006.aspxH Brown Sorry, correction to last line should read TechNet IT Professional Community is also a good source IT information. http://technet.microsoft.com/en-us/m.../bb291006.aspx H Brown |
|
|||
Volume ACL on Vista.
|
|
|||
Volume ACL on Vista.
|
|
|||
Volume ACL on Vista.
bts145 wrote:
Kindly upload the source code Apple or tomato 'source' ? MowGreen ================ *-343-* FDNY Never Forgotten ================ banthecheck.com "Security updates should *never* have *non-security content* prechecked |
|
|||
Volume ACL on Vista.
bts145 wrote:
Kindly upload the source code Apple or tomato 'source' ? MowGreen ================ *-343-* FDNY Never Forgotten ================ banthecheck.com "Security updates should *never* have *non-security content* prechecked |