使用 C# 阻止访问目录

发布于 2024-08-23 08:44:58 字数 160 浏览 4 评论 0原文

我正在尝试创建一个类似于文件夹锁定的程序,它可以阻止用户访问特定文件夹。我尝试使用 DirectorySecurity 类和 AccessRules 更改文件夹的访问控制。

但是,通过转到“安全选项卡”并更改权限,可以轻松更改我分配的设置。

有没有安全的方法来阻止访问目录?

I am trying to create a program similar to Folder Lock which prevents users from accessing a particular folder. I tried using DirectorySecurity class and AccessRules to change the AccessControl for folders.

However, the settings which i assign can easily be changed by going to "Security Tab" and changing the permissions.

Is there any secure way of preventing access to directories ?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

筱武穆 2024-08-30 08:44:58

我认为 我对此问题的回答:“如何阻止使用 Windows 服务创建文件夹?" 可能是您需要执行的操作才能实现您想要的效果:

不幸的是我不知道在哪里
关于如何帮助您已经足够了,
但我相当确定你需要
写入或获取文件
系统过滤驱动程序
可以
与您的 Windows 服务通信
告诉它有人已经尝试过
创建一个目录/文件以便
您的服务可以做出决定
它。这样当某人/某事
尝试创建文件或文件夹
这是不允许的,他们可能是
返回“访问被拒绝”或其他
您选择的 Win32 错误。

如果您确实使用了
一个司机,我想这仍然是最好的
做决定是否的繁重工作
中的创建/修改
服务,即内核模式之外。

I think my answer to this question: "How could I prevent a folder from being created using a windows service?" is probably what you'd need to do to achieve what you want:

Unfortunately I don't know anywhere
near enough about the how to help you,
but I'm fairly sure that you'll need
to either write or obtain a File
System Filter Driver
that can
communicate with your windows service
to tell it that someone has attempted
to create a directory/file so that
your service can make a decision for
it. This way when someone/something
attempts to create a file or folder
that's not allowed they could be
returned "Access Denied" or another
Win32 error of your choice.

If you did go down the route of using
a driver, I'd guess it'd still be best
to do the heavy lifting of deciding if
the creation/modification in the
service, i.e. outside of Kernel mode.

丢了幸福的猪 2024-08-30 08:44:58

只要用户是目录或文件的所有者,他就可以更改权限。您必须更改目录的所有权才能真正保护目录的安全(并且进行所有权更改需要管理权限)。
但具有管理员权限的用户始终可以收回所有权。

如果您在企业中并且人们不是其计算机的管理员,您可以编写一个以域管理员身份运行的 Windows 服务并进行所需的更改。在家庭环境中,没有办法。

As long as a user is the owner of directories or files, he can change the permissions. You'd have to change the ownership of the directories in order to really secure the directories (and making this change of ownership requires administrative rights).
But a user with administrator right can always take the ownership back.

If you are in an enterprise and people are not admins of their machines, you could write a Windows service that runs as domain admin and makes the needed changes. In a home environment, there's no way.

缪败 2024-08-30 08:44:58

有两件事可以推翻本地管理员的权利。

  • 域策略(但您的电脑必须是域的成员)
  • 在系统权限下运行的进程(例如驱动程序),这就是病毒扫描程序和 rootkit 的工作方式,它们在结果到达用户之前分析您的文件系统请求,并在必要时拦截它。

但第二个选项无法使用 c# 来完成,第一个选项更多的是 Active Directory 配置解决方案。

There are 2 things which can overrule the rights of a local administrator.

  • The domain policy (but your pc has to be a member of a domain)
  • A process running under SYSTEM privileges (drivers for example), this is the way virus scanners and rootkits work, they analyse your file system request before the results reached the user, and intercept it if deemed necessary.

But the second option you can't do with c#, and the first option is more a Active Directory configuration solution.

脱离于你 2024-08-30 08:44:58

不,您无法阻止计算机管理员帐户访问任何文件夹或取得任何文件夹的所有权。

您可以阻止受限帐户(如您所描述的),但管理员始终能够更改安全设置。

No, you can't prevent the computers administrator account from accessing or taking ownership of any folder.

You can prevent restricted accounts (as you have described), but the administrator will always be able to change the security settings.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文