Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Folder with WRITE permission for a Windows Service and only READ permission for other apps

Tags:

c#

.net

windows-services

appdata

I want to write some files from a Windows Service, and be able to read them from other apps. But I don't want other apps to be able to write to this folder.

Is there a standard folder for that (like there is App Data for storing data which does not have to be read from other apps)?

like image 244
ispiro Avatar asked Feb 06 '18 11:02

ispiro

1 Answers

It is important to consider that Windows sets permissions to read and write files based on the user (or group he is member of) and the ACL entries in the file system. So "preventing other apps to write to this folder" is really "other apps which are started under a normal user".

You could place the service in a directory under

C:\Program Files,

e.g.

C:\Program Files\CompanyName\ServiceInstallDir

If the service runs under the local SYSTEM account, it has the permission to write to this folder. And normal users have only read access.

But be aware that this is not bullet-proof and you never know if someone with admin rights changes the permissions on your folder after the install.

I would only do it this way if I had control over the system and the other apps (e.g. in a corporate infrastructure with Active Directory and all machines in a domain).

Be also aware that "other apps" could also be Windows services running under SYSTEM or another user with local admin rights, so they would also be able to write to your folder.

Another solution would be to run the service under a dedicated user account (either local or Active Directory), and set the permission of your folder so that only this user has modify rights.

Please note that you have to give this user account the privilege "Log on as service" (via Local Security Policy or AD GPO).

But even in this case: if some other (admin) user has Restore Privileges, he could circumvent the ACL.

Another important note:

Running the service under SYSTEM means that this service is highly privileged, which may be a security risk.

Important note from eryksun (see comments) Thank you !

See also https://blogs.technet.microsoft.com/voy/2007/03/22/per-service-sid/

So you can prevent other services to write to your files.

like image 143
Rainer Schaack Avatar answered Oct 05 '22 10:10

Rainer Schaack
Sign in to Comment

Related questions

ASP .NET Core IIS Hosting user identity name is empty and IsAuthenticated=false
How to target netcoreapp2.0 and net461 in the same project
The asynchronous method starts AsyncCallback in the current thread (main thread)
Performance improvement of Xamarin forms application
Take screenshot in process window
Unity 3D Async polling external hardware in Unity
Setting Frame.BackgroundColor loses rounded corner on Xamarin forms
How can I get OmniSharp VSCode intellisense to work with WSL-compiled code?
TypeLoadException on Attribute in shared assembly
Implementing history tracking in SaveChanges override
ASP.NET Identity Token Methods accepts all HTTP methods
Frame-by-frame MJPEG streaming with C#/ASP.NET MVC
Diagnostics.Process doesn't open PDF file using adobe reader
Calling C++ Code with a struct from C#
Table per Type in Entity Framework Core 2.0
Selenium C# DefaultWait IgnoreExceptionTypes does not work
What is the tag helper equivalent of Html.EditorFor
editorconfig - cannot get naming conventions to work
C# functional programming: how to treat IO in CRUD?
how to build URL in .net core if there is no HttpContext or ActionContext

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!