
I'm curious if there's a way to prevent users (including the ones belonging to the admin group) from taking ownership of a file?

I originally create such a file from my service that is running under the Local System account. I then set that file's DACL to D:(A;OICI;GA;;;SY) to let only the SYSTEM account have full access, and set my service as the owner:

#include <windows.h>
#include <aclapi.h>

// strDataFilePath: path of the data file (LPTSTR); pMyServiceUserSid: PSID of the service account.
// Setting the owner to a SID other than the caller's own requires SeRestorePrivilege,
// which Local System holds.
DWORD dwRes = ::SetNamedSecurityInfo(
    strDataFilePath,
    SE_FILE_OBJECT,
    OWNER_SECURITY_INFORMATION,  // change only the object's owner
    pMyServiceUserSid,           // User SID for my service
    NULL,                        // primary group: unchanged
    NULL,                        // DACL: unchanged
    NULL);                       // SACL: unchanged
if (dwRes != ERROR_SUCCESS)
{
    // handle the failure; dwRes is the Win32 error code
}

But after all that is done I can still take ownership of this file via Windows Explorer as an administrator:


c00000fd
  • Surely you can't stop an administrator from taking ownership else you could get into an unrecoverable state? – Phil Williams Feb 13 '16 at 11:24
  • Administrators can inject arbitrary code into arbitrary processes. I'm sure you see how that makes anything you could try pointless. – Voo Feb 13 '16 at 11:26
  • I have an idea but it's perfect. Build a process that puts a file listener on your partition (C:\ etc....), afterwards initiate a class inside the process that has a list of all the relevant files you wish to prevent from taking ownership. When someone will try to do something, the process will take ownership right before the user does. This will prevent the user from doing anything to the file since the process just took ownership. – OhadM Feb 13 '16 at 11:28
  • @OhadM - an administrator can simply terminate such a process. – Peter Feb 13 '16 at 12:39
  • @Peter Unless you provide kernel permissions to this process and you won't be able to close it. – OhadM Feb 13 '16 at 15:20
  • If users have physical access to the machine, they could simply boot into a live Linux system, and completely circumvent NTFS rights management. You can protect against accidental file modifications, but you cannot easily thwart off deliberate attacks. – IInspectable Feb 13 '16 at 16:40
  • Now you're just reaching, OhadM. Yes, there are ways to make it more difficult to terminate a process, certainly, but that's not the same as making it impossible. – Peter Feb 14 '16 at 01:11
  • @ohad not sure what you mean with "kernel permissions" in the NT kernel, but it doesn't matter. I'll write a kernel driver which overwrites the code of your process with something else, or directly accesses the storage medium ignoring the lock. That's just moving the goal post, the principle remains the same. – Voo Feb 15 '16 at 15:55
  • @Voo, it's just an idea :) – OhadM Feb 16 '16 at 07:20
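The SDDL string from the question, parsed and run through a small model of the Windows access check for WRITE_OWNER. This is an added example in Python, not the asker's Win32 code; the alias tables cover only the subset of SDDL needed here, and the DACL evaluation is simplified (no group expansion, any deny beats any allow). It shows that D:(A;OICI;GA;;;SY) grants Administrators nothing, and that this does not matter once SeTakeOwnershipPrivilege is enabled, because that privilege is honoured before the DACL is consulted.

```python
import re
# Two-letter SDDL aliases -> access-mask bits (values from winnt.h)
RIGHTS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
          "WO": 0x00080000, "WD": 0x00040000, "RC": 0x00020000, "SD": 0x00010000,
          "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0}
WRITE_OWNER, GENERIC_ALL = RIGHTS["WO"], RIGHTS["GA"]
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
SIDS = {"SY": "S-1-5-18", "BA": "S-1-5-32-544", "WD": "S-1-1-0", "BU": "S-1-5-32-545"}  # subset

def _expand(run, table):
    """Map a run of two-letter aliases such as "OICI" through `table`."""
    return [table[run[i:i + 2]] for i in range(0, len(run), 2)]

def parse_ace(text):
    """Parse one ACE body "type;flags;rights;objguid;inhguid;sid", e.g. "A;OICI;GA;;;SY"."""
    ace_type, flags, rights, _obj, _inh, sid = text.split(";")
    mask = 0
    for bits in _expand(rights, RIGHTS):
        mask |= bits
    return {"type": ACE_TYPES[ace_type], "flags": _expand(flags, ACE_FLAGS),
            "mask": mask, "sid": SIDS.get(sid, sid)}

def parse_sddl(sddl):
    """Split "O:...G:...D:...S:..." into owner, group and ACE lists."""
    desc = {"owner": None, "group": None, "dacl": [], "sacl": []}
    for part in filter(None, re.split(r"(?=[OGDS]:)", sddl)):
        key, body = part[0], part[2:]
        if key in "OG":
            desc["owner" if key == "O" else "group"] = SIDS.get(body, body)
        else:                             # optional control flags, then "(ace)(ace)..."
            desc["dacl" if key == "D" else "sacl"] = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]
    return desc

def granted_mask(desc, sid):
    """Access the DACL alone grants `sid` (simplified: any deny beats any allow; groups ignored)."""
    sid, allowed, denied = SIDS.get(sid, sid), 0, 0
    for ace in desc["dacl"]:
        if ace["sid"] == sid and ace["type"] == "ACCESS_ALLOWED":
            allowed |= ace["mask"]
        elif ace["sid"] == sid and ace["type"] == "ACCESS_DENIED":
            denied |= ace["mask"]
    return allowed & ~denied

def can_take_ownership(desc, sid, privileges):
    """Model of the WRITE_OWNER access check: an enabled SeTakeOwnershipPrivilege wins before the DACL is read."""
    if "SeTakeOwnershipPrivilege" in privileges:
        return True
    return bool(granted_mask(desc, sid) & (WRITE_OWNER | GENERIC_ALL))
```

Even an explicit deny ACE on WRITE_OWNER for Administrators (D:(D;;WO;;;BA)...) changes nothing for a token with the privilege enabled, which is the point the answers below make.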

3 Answers


No, this is not possible. The very essence of an account with administrative privileges is that they can do essentially whatever they want. Administrators own the system. They can always take ownership of a file, no matter how you've set the permissions.

All that you're doing is making it more difficult for an administrator to change a file because they have to take ownership first. There is merit in that; it prevents even administrators from making inadvertent changes. No one "accidentally" takes ownership of a file.

The normal workarounds are either to assign everyone non-administrative accounts (which is really what you should be doing anyway), or to encrypt the file using some external means.

Bottom line: don't give people you don't trust administrative access to your machine or your files.

Cody Gray - on strike
  • Yes, I agree. Encryption is the only way to make it unreadable, but that's another subject. Thanks, you confirmed what I suspected. – c00000fd Feb 14 '16 at 01:18

It is not possible to prevent any user with sufficient privileges from taking ownership of a file.

Administrative accounts have (or can grant themselves) any privilege - which means they can do anything they need to, including overriding access controls set by other accounts, including other administrative accounts.

The onus is normally on people using an account with administrative access to avoid doing things that compromise system integrity.

Peter

Disclaimer: this won't be too easy.

Assuming that the goal is to prevent administrators from using built-in OS tools and commonly used 3rd party tools to take ownership (and you are not concerned about admins booting alternate OSes, removing drives, and various other threats that require physical access) then the following approach will be robust.

  1. Implement the 4 countermeasures in this article. By implement I mean work with your vendors to obtain hardware and software that supports the technologies described.
  2. Implement a file system filter driver that acts as Early Launch Anti Malware (ELAM) and stops the take ownership operation as needed. I believe the ELAM APIs are not publicly available. If that's true you'll have to work with MS directly to get access.

Without physical access this approach will also (at least by design) defeat malware, including rootkits. Note that "physical access" includes locking down remote access controllers like iDRAC and iLO that permit remote access to functionality that is traditionally only available via local access, including boot of an alternate OS via remote media.

If you want a simpler but less robust approach you can implement only the file system filter driver (not as an ELAM).

Χpẘ