
Suppose a user is a member of a group, and they open (in the Windows API sense) a file whose DACL grants access to that group.

Then, the user stops being a member of the group.

Since access checks are performed at the time of opening the file, the user can still access the file, indefinitely, using the open handle. If new data is written into the file, the user can access the new data.

How can this situation be detected and prevented?

user253751
  • If I remember correctly, if you remove a user from a group nothing changes for the user unless the logon tickets wear out or the user performs a logoff+logon (not sure about unlocking a locked system). – Robert Aug 14 '22 at 15:45
  • @Robert ah so the administrator has to forcibly log off the user after changing their permissions? – user253751 Aug 15 '22 at 19:34
  • There seem to be tools to force the system to update the tokens but I don't have any experience on how reliable such tools work or what side-effects may arise. – Robert Aug 15 '22 at 19:41

1 Answer


Once the file has been accessed by the user, a reasonable risk model would assume that the entire contents of the file have been read. What you can do is audit future access attempts, as explained here: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder

BoWa
  • I would like to modify the data in the file after first confirming that unauthorized users can't access the new data. I know that obviously someone who had access at some point in time could have read the data at that time. The problem is they can continue reading new data written to the same file. – user253751 Aug 12 '22 at 06:07
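As an added example (not part of the question or the answer above), this PowerShell fragment applies the answer's audit approach to a single file and, for the case where the file is reached over an SMB share, lists and closes the handles a given user still holds, which is the one built-in way to end an already-open handle server-side. The file path, user name and event property indices are assumptions; local handles on the same machine are not covered here (a tool such as Sysinternals handle.exe is needed for those).

```powershell
# Added example. Path and principal are placeholders; run from an elevated shell.
$Path = 'C:\data\report.txt'
$User = 'CORP\jdoe'   # the account that was removed from the group

# 1. Turn on the "File System" object-access subcategory; without it a SACL
#    on the file produces no events at all.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add an audit ACE to the file's SACL so that successful and failed
#    read/write attempts by anyone are logged. Writing a SACL needs
#    SeSecurityPrivilege, which Administrators hold by default.
$acl  = Get-Acl -Path $Path -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData',
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Review object-access events for this file: 4656 = a handle was requested,
#    4663 = an access right was actually exercised on a handle. Property indices
#    (1 = SubjectUserName, 6 = ObjectName) follow the events' XML field order
#    and are an assumption to verify against your own log.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663; StartTime = $since } |
    Where-Object { $_.Properties[6].Value -eq $Path } |
    Select-Object TimeCreated, Id,
        @{ Name = 'User'; Expression = { $_.Properties[1].Value } }

# 4. For files opened through an SMB share, the server sees every open handle and
#    can close it, which ends the "opened once, read forever" situation for that
#    session. The next open goes through a fresh access check with the current
#    group membership.
Get-SmbOpenFile |
    Where-Object { $_.ClientUserName -eq $User -and $_.Path -eq $Path } |
    ForEach-Object {
        "Closing handle $($_.FileId) on $($_.Path) held by $($_.ClientUserName)"
        Close-SmbOpenFile -FileId $_.FileId -Force
    }
```

The SACL only records opens and accesses that happen after it is applied, so step 3 tells you whether the file is still being touched rather than what was read earlier; step 4 is the part that actually stops an existing SMB handle from being used again.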