Is it possible to select such a security descriptor using a DACL string such that the file can only be opened by a Windows Service, but not by an ordinary process, even if the process is run by the local Administrator account?

To clarify, I just need to make it reasonably hard for a non-technical user to open it in NotePad and tamper with it. It doesn't need to work against a programmer willing to dedicate a month of his life to reverse engineering and cracking it.

I prefer to achieve this using a DACL instead of locking the file, because then my Windows service doesn't need to run all the time for the file to be protected.

sashoalm

2 Answers

Local administrator account = God (at least on the box). There's no way to do this.

You can define a special privileged account for your service to run under, and make the ACLs on the protected file only allow access by that user (and all machine admins). You can disallow interactive login using that service account.

If your primary concern is tampering by interactive users, you may need a policy whereby the local user does not run by default with local admin rights. Unfortunately you cannot allow 'partial' local admin rights - it's all or nothing.

Steve Townsend

I don't know enough about DACLs to say whether or how you can accomplish what you want with those. I can think of a couple things you can do to make it harder for someone to tamper with the file, in addition to restricting it to the local administrator account:

  1. Have your service start automatically, and open the file immediately with no sharing options. As long as your service has it open, another process won't be able to open it.
  2. Compute a hash of the file contents plus a salt hardcoded into your service and store it somewhere else, e.g., in another file, in the registry, or even online. Next time you open the file, verify the hash, which will tell you if someone tampered with the file since the last time you opened it.

These are not foolproof by any stretch, but it sounds like your goal is simply to make it harder. There's no foolproof method to stop a user with administrator privileges.

Adrian McCarthy
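Item 2 of this answer, worked as an added example that is not part of the original post: a keyed hash (HMAC-SHA256, the keyed form of the "hash plus salt" suggested) over the file, stored in a separate location, and checked with a constant-time compare the next time the file is opened. `SERVICE_KEY`, the file names and the sample contents are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed key standing in for the salt the answer says to hard-code in
# the service; it belongs inside the service, never beside the file.
SERVICE_KEY = b"example-service-key-not-a-real-secret"


def compute_tag(path, key=SERVICE_KEY):
    """Keyed hash (HMAC-SHA256) over the whole file, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def store_tag(path, tag_path):
    """Write the tag somewhere other than the file itself (here a 2nd file)."""
    tag = compute_tag(path)
    with open(tag_path, "w", encoding="ascii") as f:
        f.write(tag)
    return tag


def verify_file(path, tag_path):
    """True only if the file still matches the stored tag."""
    try:
        with open(tag_path, "r", encoding="ascii") as f:
            stored = f.read().strip()
    except FileNotFoundError:
        return False  # no tag recorded yet: treat the file as untrusted
    # compare_digest avoids leaking the tag through timing differences
    return hmac.compare_digest(compute_tag(path), stored)


def demo():
    """Seal a constructed settings file, then simulate an edit in Notepad."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "settings.ini")
        tag = os.path.join(d, "settings.tag")
        with open(cfg, "w", encoding="utf-8") as f:
            f.write("[service]\nlicensed=true\n")
        store_tag(cfg, tag)
        before = verify_file(cfg, tag)          # untouched file verifies
        with open(cfg, "w", encoding="utf-8") as f:
            f.write("[service]\nlicensed=true\nseats=9999\n")
        after = verify_file(cfg, tag)           # edited file fails
    return before, after


if __name__ == "__main__":
    print(demo())
```

An administrator who can read the service binary can recover the key, so this only raises the bar exactly as the answer says; it detects tampering, it does not prevent it.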