4

I'm running a sandboxed application as a local user. I now want to deny almost all file system permissions for this user to secure the system, except for a few working folders and some system DLLs (I'll call this set of files & directories X below).

The sandbox user is not in any group. So it shouldn't have any permissions, right? Wrong, because all "Authenticated Users" are a member of the local "Users" group, and that group has access to almost everything.

  • I thought about recursively adding deny ACL-entries to all files and directories and remove them manually from X. But this seems excessive.

  • I also thought about removing "Authenticated Users" from the "Users" group. But I'm afraid of unintended side-effects. It's likely that other things rely on this. Is this correct?

Are there better ways to do this? How would you limit the filesystem permissions of a (very) non-trustworthy account?

Simon
  • 151

5 Answers

4

A couple things to keep in mind:

Disable bypass traverse checking for that user.

Explicit allows take precedence over inherited denies.

I would not recommend altering the Authenticated Users or Users security groups.

Ryan Ries
  • 56,311
4

Give a deny to that user at the root of the drive for everything except "Traverse Folder" and then grant an explicit allow where you want them to be able to read. Generally speaking, removing Authenticated Users from Users isn't a good idea.

MDMarra
  • 101,323
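The "deny at the root, allow only in the working folders" layout from the two answers above, written out with icacls from PowerShell as an added example (not code from either answer). It assumes the account name from Simon's own command, MyComputer\SandboxUser, and two constructed working-folder paths; the "bypass traverse checking" user right that Ryan Ries mentions is a policy setting and is not handled here.

```powershell
# Added example: root deny plus explicit allows, then show the ACE order.
# Assumptions: account MyComputer\SandboxUser (as in Simon's icacls line),
# working folders below are constructed for the example. Run elevated, on a
# test machine first.

$User        = 'MyComputer\SandboxUser'
$Drive       = 'C:\'
$WorkFolders = @('C:\Sandbox\Work', 'C:\Sandbox\Temp')   # constructed paths

# Every advanced permission except "Traverse folder / execute file" (X).
# This is the list the GUI produces for "everything except Traverse Folder";
# Synchronize (S) is not in the GUI list and is left out here as well.
$DenyRights = 'DE,RC,WDAC,WO,RD,WD,AD,REA,WEA,DC,RA,WA'

# 1. One inheritable deny on the drive root (no /T). Inheritance carries it
#    down, and a single ACE is easy to roll back later. Caveat: folders that
#    have inheritance disabled will NOT receive it and need separate review.
icacls $Drive /deny "${User}:(OI)(CI)($DenyRights)"

# 2. Explicit Modify allow on each working folder. On the folder itself the
#    allow is explicit and the deny inherited, so the allow wins; inside the
#    folder both are inherited, but the allow comes from the nearer parent
#    and is evaluated first, so it still wins.
foreach ($dir in $WorkFolders) {
    if (-not (Test-Path $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
    icacls $dir /grant "${User}:(OI)(CI)M"
}

# 3. Inspect the result: entries marked (I) are inherited, the rest explicit,
#    listed in the order the system evaluates them.
icacls $WorkFolders[0]

# 4. Rollback for the root entry: remove only this user's deny ACEs.
#    icacls $Drive /remove:d $User
```

Before relying on it, log in as the sandbox user and confirm with the application (or Process Monitor, as Simon did) which files outside the working folders still need an explicit allow.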
3

I don't think this is the right way to approach this.

What you should really do is set ACLs on confidential data you have (eg. if users have home folders on this computer, you should change its ACL so that only that user and administrators are granted any access at all on it).

Falcon Momot
  • 25,584
1

In the end I went with the "excessive" solution:

icacls c:\* /T /C /deny MyComputer\SandboxUser:(OI)(CI)F

This adds deny entries to all files and directories. Then I used Process Monitor to see what permissions I have to change manually to let the application run.

Simon
  • 151
0

Remember that even a very non-trustworthy user that you want to be able to log in to your system will need read access to certain system files. What's your concern here? If you're worried about a user being able to delete system files and the like, then a standard user account will probably give the security you need. Make them a member of the Guests group if you're really concerned.

If you're really, really concerned then perhaps consider applying a more restrictive security template to the system (or use the Security Configuration Wizard if you're talking Windows 7/2008 or later), but be aware that this can break things for other users.