Re: Restricting access to an exe



I don't think you have clearly explained the problem, in particular what you are saying about using Detours. Nevertheless, what you are talking about is an administration issue and not a programming issue. When you install the application you can set NTFS permissions on the file to only allow users to read and execute.

If you are talking about hooking your application in memory, that isn't really something you can easily control on your executable and is better left as an administration task.


Mark Burnett
http://xato.net


"Samuel Ray" <samuel@xxxxxxxxxxxxxxxxxxxx change_roadrunner_to_rr> wrote in message news:%23RgN2G2WHHA.3652@xxxxxxxxxxxxxxxxxxxxxxx
I cannot do that. We cannot assume that the customer will do that. The customer is depending on us to ensure that the application is protected. I need to audit in the manner that Microsoft Baseline Security Analyzer audits. We need to ensure that management is aware of potential abuse. Initially I will just require that the permissions have already been set manually in the manner you describe, but eventually I will automate the setting of permissions.

I realize that I need to allow for exceptions but I will attempt to do that in a way that ensures that exceptions are appropriate.


"lelteto" <lelteto@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:23B09119-D125-4AB7-A78B-7EDC3683A74D@xxxxxxxxxxxxxxxx
I think it's much easier (after deployment) to just manually set the
permissions on the executable file. In Windows Explorer right-click on the
.exe file, select Properties, then click on the Security Tab.
(I hope you are using NTFS partitions, not FAT32)

Laszlo Elteto
SafeNet, Inc.

"Samuel Ray" wrote:

I need to ensure that access to an exe allows execution by most employees
but does not allow modification by anyone except users such as
administrators that should be allowed to modify it.

I am nearly certain that is possible but I want to ensure I understand. I am
confident I can figure out how to do it. It has been a while since I worked
with security stuff, but I am familiar with the OpenProcessToken and
GetTokenInformation and related functions. I think I have already done most
or all of what I need done using WMI, so I have those two options I think.

I just want to ensure I understand that what I intend to do can be done and
will accomplish what I intend it to.

To explain the context, I have developed a DLL that uses Detours to detour
some APIs of a third-party application. In my test system, I have no problem
modifying the exe to use the Detours DLL, even though I don't have
Administrator privileges. I assume that in a production environment, we can
prevent regular users from modifying the exe but allow them execution.

Actually, I will be very surprised if such a thing is not normal.
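
The audit discussed in this thread (confirming that ordinary users can execute the file but only administrators can modify it) can be scripted against the file's NTFS DACL. The following is an added example, not code from any poster in the thread; the function name `Get-ExeWriteAce`, the trusted SID list, and the sample path are assumptions to adjust for your environment.

```powershell
# Added example: report the owner and any Allow ACEs that let an untrusted
# principal modify, replace, or re-permission an executable.
function Get-ExeWriteAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed trusted set: BUILTIN\Administrators, SYSTEM, TrustedInstaller
        [string[]] $TrustedSids = @(
            'S-1-5-32-544',
            'S-1-5-18',
            'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
        )
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Rights that change content, remove the file, or rewrite its ACL/owner
    $modifyMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    # Stored ACEs may carry unmapped generic bits: GENERIC_WRITE | GENERIC_ALL
    $genericMask = 0x40000000 -bor 0x10000000

    $acl = Get-Acl -LiteralPath $Path

    # The owner can always rewrite the DACL, so an untrusted owner is a finding
    $owner = $acl.GetOwner($sidType).Value
    if ($owner -notin $TrustedSids) {
        [pscustomobject]@{ Path = $Path; Sid = $owner
            Finding = 'Owner (can rewrite the DACL)'; Inherited = $false }
    }

    # Explicit and inherited ACEs, with identities returned as SIDs
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -in $TrustedSids) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $modifyMask) -or ($rights -band $genericMask)) {
            [pscustomobject]@{ Path = $Path; Sid = $ace.IdentityReference.Value
                Finding = "Allow: $($ace.FileSystemRights)"; Inherited = $ace.IsInherited }
        }
    }
}

# Placeholder path; substitute the executable being audited
$findings = Get-ExeWriteAce -Path 'C:\Program Files\ExampleApp\app.exe'
if ($findings) { $findings | Format-Table -AutoSize }
else { 'No write-capable ACEs for untrusted principals.' }
```

An entry granting only ReadAndExecute and Synchronize, the setting recommended in the replies, produces no finding. Inherited findings need to be fixed on the parent folder or by disabling inheritance on the file.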