I am having one situation related to security and need your valuable suggestions or solutions.
So the story goes like this:
There is a Windows (consider Win 7 and above. This is an end user machine and not any server) machine and it is having 2 desktop applications. One is written in C++ and the other is written in C#.
One application emits some data as configurations which I need to save on this machine (on disk), later when another application wakes up, it will pick the configuration file and do whatever it is supposed to do.
Both the applications are 2 different application. There is no relationship between them except that they are installed on the same machine.
Now, from the security and consistency point of view, I do not want that user access this file and play with this/update it or delete it.
So my question here is what is the best way (or safest place) to secure the file on the Windows machine so that user will not be able to temper it? The amount of config data is very small - consider 3 string fields like first name, last name and age in json format.
Thanks.
Related
We are trying to make sure that our users can't under any circumstances alter the files in any way.
Is there a way to prevent normal non-admin users from interacting with files that my application need to interact with?
Say there are N amount of files that my application interact with. Once the application get a reference for these files then users should not be able to interact with them. Right now I am making a copy of the files and hide them under appdata in my applications folder.
This works for the normal Joe, who is just doing his job and working hard as he will never try to look for trouble down there, but the bored Adam will probably go and play hacker when nothing special happens.
The files are storred on the local computer until they are sent, with another application, to a remote database. The time between the files first interaction with my application and the event of being transferred to the database can range from seconds to weeks.
I have a local database on the computer, but I can not store the files there because there can be N amount files that needs to be transferred and some other data needs to be stored in the database as well. I believe the max capacity of the database is 4 GB, which would make it impossible to store the data.
The computer is also not under my supervision, so I am not allowed to change OS settings, and I can't store the data remotely either, because if I could then it would be sent to the remote server.
My current solution hack solution would be to hold the file in memory (so it can't be changed durring the process) create a hash of it, which I will store in the database, and then make X amount of copies that I will spread out in different parts of the computer. This way Adam needs to touch more than one file, which are all in a non-disclossed location, to be able to sabotage everything. This would also require him to search in a couple of folders to find the files, which would require work and which Adam will probably try to avoid.
The problem here is that I don't really know what kind of sociopathic maniac Adam is, so even by going this far would still be throwing die with god.
That's why I am wondering if there are places where Adam can't touch or ways to hide/lock the files in a way so that Adam can't alter och destroy them?
Is there a way to prevent normal non-admin users from interacting with files that my application need to interact with?
Programs run in the context of the user that starts them. If your user is not able to edit a file, your program won't be able to edit it, either. If your program is able to edit the file, your users WILL ultimately have that ability. There is no separating the two.
As an example, zip files also support password protection. So you could put everything in a password-protected zip file, where the password is embedded/obfuscated in your application and not known to the user. In this case, it will be extremely difficult for the user to open the zip file in the normal way. But even then, the user will still able to tamper with the file via a text editor. They may not come out with anything useful, but they did still modify the file.
The one thing you can do is detect the tampering. You can compute and save a hash value for your files, and check the contents of the file match the saved hash.
One other thing option you may have is using multiple databases. I don't know what kind of database you have that's giving you a 4 GB limit, but if it's something file-based like sqlite there's no reason not to have multiple files. Keep in mind, though, the user still has the ability to tamper with these files in a text editor. If it's SQL Server Express, the version with the 4 GB limit has been end-of-life and fully-unsupported for several years and should not be used! Newer releases of Express are still free and now offer a 10 GB limit, and also allow you to have multiple databases with a 10 GB limit each.
I've got a small program I made to improve on simple work efficiencies. In effect it's just an application that has direct links to applications and websites, allows text input and formats it appropriately so this information to be stored and recalled quickly.
This has been running for years on our corporate machines (running Windows 7 and 8) just by emailing the .exe to myself with a password protected zip and starting it on the machine, but we're now upgrading to Windows 10 machines and these are locked down to the point where no foreign software can be ran. I know the reasons for this are security, but I am looking for a way around it or alternative way of deploying the software.
I am looking into getting the software authorised for use, but in effect this will be unlikely given how often I update and change things on it (or business changes frequently in terms of process and operation) - it would just be inconvenient.
It's a C# program. NET 4.5.
I can't get admin permission on these machines. Is there anything I can do?
Thanks!
If you cannot run untrusted applications, then instead build your solution within another product that you can use.
For example-- you can probably do all of your direct links to websites and any text input / reformatting you might need with javascript entirely within an html page. Open the .html file with your browser and there you have it.
You can also do many things with VBA scripts in Excel or Word documents.
You may also be able to use powershell to do your automation.
Please, have patience if this question is long but I have never worked on this complex program which was developed by colleague of mine before I was recruited.
We have this web application running on .NET Framework v2.0 CLR. Anyway, this program is not natively written in C# but we must use a framework called Instant Developer which converts the code in a .NET application. The application runs in a Windows Server 2012 R2 under IIS 8 and with SQL Server 2014.
So, inside this application there is a very big directory called "photos" which contains a photo of each work a user completes. When the program was developed, our customer told us that very few photos were compulsory so my colleague thought that a unique directory was enough. But in this years the requirements have changed. Therefore, now a photo must be take for each work and so that directory today contains more than 5 millions of files. Consequently, it is not openable anymore by Windows Explorer, if I try the server blocks. Last month, our server was attacked by a crypto locker and my bosses decided to pay in order to get a decrypter otherwise our customer will ask us to pay a fine for each file which was lost. As soon as we have finished to recover our files, my boss asked to divide this huge directory into sub directories like /year/month/day. This can be easily done by a python script but the problem is that our customer registered in SAP a link to see that photo of this form
https://www.ourserver.it/applicationName/photo/file.jpg
and they told us they will refuse to change it.
So, I would like to change the path of the photo in the database and, somehow, give instructions to IIS 8 in order that when it receives a URL like the previous, it should query the database, discover the new path and then redirect the client to a new URL like:
https://www.ourserver.it/applicationName/photo/year/month/day/file.jpg
This event is not catchable by the framework we use, that's why I need to program IIS in this way.
How can I achieve this? I don't care if I have to write code, not a problem. But if this could be done reasonably without going mad I would really appreciate your help.
I'm developing a small C# Winforms game and one of the things I'm wanting to do is save application specific data. However, I'm struggling a bit to understand the correct place this should be stored.
As far as I can see there are several types of data an application might store and accordingly different places for it to be held:
1. Application properties
- Settings such as where the application stores it's data, who the last logged in user was, the default window size, position etc. Is this information suppose to go into app.settings, or perhaps into the registry?
2. Global application data
- This might include sprites and other game assets that are used by every user that runs the application on this machine. Where would this common data be stored? It's worth noting that in my particular case this data will not be provided with a default install and users will be allowed to add their own game assets which should be then available to any other user on the same computer.
3. User specific application data
- This would include a users saved game files, their specific application preferences and their profile information. Where should I be storing this?
Ideally I wish my application to be compatible with Windows XP, Vista, 7 and of course the upcoming Windows 8 - I don't know if this changes the methods but hopefully it will assist with providing advice.
This is my first foray into this kind of development and I would appreciate some 'best practice' advice.
Question 2:
I suggest using a subfolder in Environment.SpecialFolder.CommonAppData (maps to C:\ProgramData on Windows7 by default). This is a hidden folder.
Question 3:
Put those files into Environment.SpecialFolder.AppData(maps to C:\Users\[USERNAME]\AppData\Roaming by default, hidden folder), if you expect that the user does not intend to backup / modify those. Some games also put their save games into Environment.SpecialFolder.MyDocuments, probably because it is easier for users to find them there.
Example code:
var directory = Environment.GetFolderPath(Environment.SpecialFolder.AppData);
using (FileStream fs = File.Create(Path.Combine(directory, "myAppDirectory", "myFile.txt")))
{
// write data
}
For a complete list of special folders on Windows follow the link
SIDENOTES
Users are allowed to move around those directories, so make sure you use the code provided above
There is a bug in Windows 7 x64 regarding CommonAppData directory and the bug gets more severe in Windows 8 x64 CP. I've blogged about this: problems after moving CommonAppData directory on Windows 7 x64 and Windows 8 x64
Application properties - Most application data you described should be specific to each user and put in Environment.SpecialFolder.ApplicationData (the %appdata% environment variable). I would generally avoid putting data in the registry as it is hard to find, edit, and fix. If you do not want data to be associated with the user when they are roaming (maybe the files are big or connected to the computer in someway) then you can put it in Environement.SpecialFolder.LocalApplicationData (the `%localappdata% environment variable).
Global application data - I would put global application data in Environment.SpecialFolder.CommonApplicationData ( the %programdata% environment variable)
User specific application data - Same as #1, except when the data is intended to be easily found by the user (e.g. saved games) in which case it should go in Environment.SpecialFolder.MyDocuments, which has no associated environment variable.
As yas4891 points out you can reliably get these folder paths using Environment.GetFolderPath() using one of the Environment.SpecialFolder` values listed here.
I'm writing an application using windows form and c# 3.0. I was wondering if there is a recommended way of persist data across time. However, i do not want to touch the machine it is running on, as a result, i would like to store the data in the binary executable (preferably, due to the need not clutter up the user's folder with random config files).
So if anyone have any ideas of how to do this, it would be much appreciated!
Jason
If you're looking to store configuration information - app.config or a settings file is probably the way to go.
If you are storing user data - you should really allow the user to control where it is saved - and prefer the \User\Username folder on the machine.
As for what format to store it in ... you can certainly use something like SQLLite - but there's nothing wrong with XML either, if you're not storing true binary data. .NET offers a number of APIs to transform object graphs into XML representations - which you may want to look into.
If you don't want to store anything on the local user's machine, you probably want a network database - or a webservice - to which you upload the users data. Just make sure your users understand this - many don't like their private data being sent somewhere on the web without their consent.
You really don't want to go about modifying the executable file. Many virus scanners quarantine executables that are constantly changing in content or size - as a way to proactively prevent viruses and malware from infecting the machine. You don't want to go there.
Do not modify the executable. Adding a single SQLite database is a much better solution.
Isolated storage is another alternative.
Doesn't clutter install directory
Doesn't cause issues with AnitVirus software
Part of the OS including .Net objects, don't need to install anything else
Already works with the Windows security model
Exists on a per user basis, so saved settings are separated for each user
Can serialize/deserialize obects directly into it
SQLite is what your looking for and is compatible with c#
If you dont want to store data in a SQLite db on the end users PC you could call out to a web service on another server which stores it's data in SQL Server or something else.
I don't believe a windows form project can modify itself like that (I've tried to find a way to do this myself some time ago). Some form of hosted application such as a silverlight application (where the application is essentially a zip file) may be the way to go. Silverlight applications would require the silverlight plugin though (and I'm still not sure if a silverlight application is allowed to modify itself).
I would think that one config file of some sort would be prefereable, and not leave much clutter.
One way to ensure that your applicaiton is entirely self contained would be to use a program like ThinStall after you have compiled the project. This virtualises the application and could give it it's own file system or registry internally to the .exe file.
One way for an executable to change itself would be to put another executable inside it, (embed as a resource then extract it to a file when needed). This executable could then modify the first, however I don't think ther'es any framework for it to do that, so it would require knowing excatly what to change and where.