binding file access to some specific executables

I am thinking about a design like this:
I have a list of executable files authorized to access some specific files (I only prevent access to some sensitive data and do not plan to operate on all files). I want my filter to guarantee the integrity of the executable list and prevent any unauthorized access by other executables.

I plan to prevent any write, rename, or delete of the authorized executable list, protecting their integrity.
Then, in pre-create, I want to check whether the path of the I/O initiator is in the authorized list or not.

Do you consider this applicable?

If you want to restrict control communication with your filter to just a
particular service you can use a service SID.

Aside from that, if you want to restrict to certain applications this is as
good as you can get with a path based policy. The next step up is to
whitelist the applications based on some kind of hash (for example).

-scott
OSR
@OSRDrivers


Thanks for the reply, Scott.
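The difference between the path-based policy and the hash-based "next step up" discussed in this thread, as an added example that is not part of the original posts and is not driver code. It is a user-mode model of the decision only; the class name, paths and image bytes are constructed for illustration.

```python
import hashlib
import hmac
import ntpath


def norm(path: str) -> str:
    """Case-fold and collapse '..' so lookups match Windows path comparison."""
    return ntpath.normcase(ntpath.normpath(path))


class ExecutableAllowlist:
    """Hypothetical allowlist: normalised image path -> SHA-256 of the image."""

    def __init__(self):
        self._digests = {}

    def enroll(self, path: str, image: bytes) -> None:
        self._digests[norm(path)] = hashlib.sha256(image).hexdigest()

    def allowed_by_path(self, path: str) -> bool:
        # Path-only policy: trusts whatever currently sits at an enrolled path.
        return norm(path) in self._digests

    def allowed_by_hash(self, path: str, image: bytes) -> bool:
        # Path + hash policy: the image contents must also match enrollment.
        expected = self._digests.get(norm(path))
        if expected is None:
            return False
        actual = hashlib.sha256(image).hexdigest()
        return hmac.compare_digest(expected, actual)


# Constructed sample data (not real binaries or real install paths).
PATH = r"C:\Program Files\Acme\reader.exe"
GOOD = b"MZ constructed image bytes v1"
ALTERED = b"MZ constructed image bytes v1 + change"


def run_cases():
    policy = ExecutableAllowlist()
    policy.enroll(PATH, GOOD)
    cases = {
        "enrolled image": (PATH, GOOD),
        "same file, different case": (r"c:\PROGRAM FILES\acme\Reader.EXE", GOOD),
        "enrolled path, changed contents": (PATH, ALTERED),
        "same contents, other path": (r"C:\Temp\reader.exe", GOOD),
    }
    return {name: (policy.allowed_by_path(p), policy.allowed_by_hash(p, img))
            for name, (p, img) in cases.items()}


if __name__ == "__main__":
    for name, (by_path, by_hash) in run_cases().items():
        print(f"{name:32} path={by_path!s:5} hash={by_hash}")
```

The two policies disagree only on the third case: the path check still passes for an enrolled path whose contents no longer match, which is the gap the hash comparison closes.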