We have an application which is not per user and can be used by multiple users s

Question

We have an application which is not per user and can be used by multiple users simultaneously. Data is also shared by all users.
The path to the data folders we use is ProgramDataOurAppNameData (post Vista), and we give full control to all users, so that our application run by them can make changes to files under the Data folder.

Now the issue with this is, now any other application (malware/virus) can also modify files - i.e. an attack can be made on our application's data files. Our applications is a Win32 Desktop application.

Is there any way in which we can restrict access to the Data folder to only our applications?

Explanation / Answer

Applications on Windows Operating Systems run in the context of the user executing it and therefore inherit the ACL of that user.

When looked at abstractly your program is doing nothing more than Word (winword.exe) or Excel (excel.exe) is doing with .doc or .xls files. You shouldn't need to restrict access of the data to only the application, risk reduction comes though:

- limiting the users who have access to the data (ACL's, aka file permissions, ideally though a group)
- limiting the operations a user can do (e.g. application installation to prevent malware)
- application whitelisting
- anti-malware protection
- auditing for data integrity

Related Questions

Navigate

• Browse (All)
• Browse W
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.