There's no way to do that. Since the application runs in the security context of the user that launched it, it needs Read permission to, obviously, read the data file. Read permission is the only one a user needs to copy a file to another location. There's no way to prevent it.
Dave Kreskowiak
Microsoft MVP - Visual Basic
|
that is what I thought and was afraid of...
but maybe there's some third party solution - some kind of lock folder utility that can be accessed through command line (with parameters) that my application will be able to unlock but user won't be able to.
thanks anyhow.
Alon
|
That won't work either, because all the user then has to do is launch your application (or run the utility to unlock it), switch back to the Desktop and copy the file.
Dave Kreskowiak
Microsoft MVP - Visual Basic
|
how would he do that? he won't have the password.
Alon
|
What password?? You can't protect a single file or folder with a password. NTFS doesn't support it.
Dave Kreskowiak
Microsoft MVP - Visual Basic
|
Security is based on user accounts, not applications. If you remove the read priv from the file, no app you run can read it, including the one app that needs to read it.
|
Like stated in the previous posts, there is no way to prevent the user from making a copy of the file if the app runs with the user's context. You could, however, encrypt the data-file. Depending on the encryption technique, there is a possibility of your application working significantly slower than before.
Additionally, the decryption routine AND the decryption key have to be somewhere in your application (which is stored on the user's computer). Thus, it is possible (though maybe not feasible) for the user to obtain these (by disassembly).
I believe what you NEED is a good licence agreement (ask a lawyer). This will not enable you to entirely prevent spread within one company, but will give you additional legal leverage if you discover that your data files have been sold to others (e.g. competitors).
Cheers,
Sebastian
--
Contra vim mortem non est medicamen in hortem.
|
If this is an intranet only app, make it client server with the full dataset only stored serverside.
--
Rules of thumb should not be taken for the whole hand.
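Added example, not part of the original post or of any product named in this thread: the server-side approach suggested above, where clients ask for single records and the service throttles and audits reads, so no user ever holds read access to the whole dataset. The `RecordService` class, the quota values and the sample data are assumptions; transport and user authentication are left out.

```python
import time
from collections import defaultdict, deque

# Constructed sample data. In this design it exists only on the server,
# readable by the service account and not by the interactive users.
DATASET = {f"part-{i:04d}": {"price": 100 + i} for i in range(1000)}

class RecordService:
    """Answers single-record lookups; the dataset is never handed out as a file."""

    def __init__(self, dataset, max_per_window=20, window_s=60.0):
        self._data = dataset
        self._max = max_per_window
        self._window = window_s
        self._hits = defaultdict(deque)  # user -> timestamps of recent requests
        self.audit = []                  # (time, user, key, outcome)

    def get(self, user, key, now=None):
        # `user` is assumed to be authenticated by the transport layer (not shown).
        now = time.monotonic() if now is None else now
        recent = self._hits[user]
        while recent and now - recent[0] >= self._window:
            recent.popleft()             # forget requests outside the window
        if len(recent) >= self._max:
            self.audit.append((now, user, key, "throttled"))
            raise PermissionError("read quota exceeded")
        recent.append(now)               # misses count too, so key guessing is limited
        if key not in self._data:
            self.audit.append((now, user, key, "miss"))
            raise KeyError(key)
        self.audit.append((now, user, key, "ok"))
        return dict(self._data[key])     # copy: callers cannot alter server state

def records_before_throttle(service, user, keys, start=0.0, step=0.1):
    """Count how many records one user obtains when walking the whole key list."""
    got = 0
    for i, key in enumerate(keys):
        try:
            service.get(user, key, now=start + i * step)
            got += 1
        except PermissionError:
            break
    return got

if __name__ == "__main__":
    svc = RecordService(DATASET)
    print(svc.get("alice", "part-0001", now=0.0))
    print(records_before_throttle(svc, "bob", sorted(DATASET)))
```

The audit list is what the IT department would review: a user who hits "throttled" repeatedly is walking the key space rather than doing normal lookups.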
|
first of all - thank you all for replying me.
let me be more specific -
I know that the regular OS capabilities do not let me do that, what I'm looking for is some third party solution like "Cryptainer PE" or "Lock Folder XP" that will give me a command line option to access the encrypted files but won't really put them out to a shared/visible folder.
BTW, the 'place files on server' solution is obvious but not suited for me as I have a lot of files and each is very big.
BTW2, my application is working in my company and the users are my employees. It's not for a commercial use but for private use by the company.
I hope things are a bit more clear now.
Alon
|
OK, I got the solution - http://www.everstrike.com/shield.htm
it gives the option to hide the files and also I can define a list of applications that can have an exception and will be able to see it.
Alon
|
based on a quick glance over, that appears to be a whitehat(?) rootkit. It may work now although using any such software will result in increased vulnerability to hidden malware as well, but MS has locked down win64 to prevent that sort of meddling, which means that there's a significant chance your app will cease to work following upgrades in several years.
--
Rules of thumb should not be taken for the whole hand.
|
what is "whitehat rootkit" (english is not mother tongue...)
and thanks for your concern but as I developed the application I have the ability to change it according to future use.
for now this solution is suitable for me, unless you have a better one.
Alon
|
A root kit is a program that modifies the behavior of the operating system by injecting itself into the kernel's execution path. These are often used by the more destructive malware programs to conceal themselves from adware/trojan removal tools. The name comes from the fact that the originals were used to steal root passwords for unix systems.
Whitehat means a good guy, and dates back to old black and white cowboy movies. The villain in contrast would always wear a blackhat. In modern IT usage, blackhats are virus writers and system hackers, and whitehats are the people who try and prevent them.
Depending on your organization's IT policies you might need to get approval from them in order to deploy this sort of solution since it would also provide a way for hostile applications to hide in your systems. At a minimum you need to let them know about it so it's not mistaken for malware in a security audit.
--
Rules of thumb should not be taken for the whole hand.
|
Thank you very much for the detailed explanation.
I will consult my IT manager about the software.
Alon
|
Alon Ronen wrote: I need somehow to prevent copy/burn/whatever for the user but allow a read permission for my application.
I think you should physically remove the device that could copy your file to the other storage device such as USB, Floppy disk, CDRW...
|
Is there any difference in the privileges of the 'localsystem' account under XP, 2000 and 2003 server?
We are launching a browser from an INTERACTIVE windows service (running under 'localsystem' account), and make it navigate to a url.
The url in turns redirects to another page.
This navigation/redirection is allowed in 2000 and XP; but fails in 2003.
Is this a result of difference in network privileges for localsystem account?
|
The LocalSystem account doesn't have network priv's. It also has its own copy of the default IE configuration, which you CAN NOT CHANGE! Since Windows 2003 locks down IE access from the server to the outside world, it's essentially crippled. You CAN NOT make any changes to its configuration since you can not login as the LocalSystem account and change its settings.
This should be done using other methods, not a browser control, and using an account setup specifically for your service without any interaction.
Dave Kreskowiak
Microsoft MVP - Visual Basic
|
Thanks a lot for the help Dave.
Since this same code works for 2000 and XP - are these restrictions only applicable to 2003?
Is it possible for you to send links to any relevant documentation on this - because there seems to be a distinct lack of documentation in this area.
|
By default, on 2003 IE can't visit any web sites off the local machine. It's locked down very tightly. To find this out, all you have to do is logon locally to the server's console and launch IE yourself.
Dave Kreskowiak
Microsoft MVP - Visual Basic
|
Hi Dave,
What did you mean by 'logon locally to the server's console'? Is there some way possible to logon to a console with the 'localsystem' account privileges - to simulate the behaviour?
|
That means logon to the server at its keyboard and mouse. As I already said, it's impossible to logon to the server using that account.
Dave Kreskowiak
Microsoft MVP - Visual Basic
|
Sorry for the misunderstanding Dave.
Is there some write-up (or search terms) on the 2003 restrictions that you mentioned related to IE settings?
I have searched a lot but do not find adequate documentation on the way 2003 'localsystem' locks IE up.
Unfortunately, I would require some write-up to back me up on this argument.
It will be a great help - thanks again for your support.
|
I don't have anything on it. Your search can't find anything because you're focused on the LocalSystem account. Don't. Just search for the default locked down IE setup on 2003. At the very least, it's documented in the Windows Server 2003 Resource Kit.
Dave Kreskowiak
Microsoft MVP - Visual Basic
|
I am doing one project in Linux. In that project, I should restart the system using shell script.
I don't know Linux. Please help me, anyone.
|
This is a very simple process, if you have some knowledge of commands.
Simple process:
$ vi myreboot.sh
Write the following in the editor:
#!/bin/sh
reboot
Now save the file....
Now run the following commands:
$ chmod +x myreboot.sh
$ ./myreboot.sh
.....that's it.
Here "chmod" is used to change the mode of the file to be executed.
Lxcite's Planet
... the ultimate solution
|