How can I control which applications can access a specific folder?

3

0

Let's say I want a specific folder X in My Documents to only be accessible by a specific application.

The Windows permissions don't allow me to do this easily, is there any solution which can do this?

Tamara Wijsman

Posted 2010-08-22T14:43:58.733

Reputation: 54 163

Answers

3

Although a bit extreme, the way I implement this in my home is to have virtual machines for various purposes.

This way I can have a virtual machine for various purposes: finance, programming, day to day, gaming, etc. And on the host you can secure the VMs appropriately and even give accounts on host/guest VMs in various capacities if you are looking to address a multiple user situation.

Like I said, I know it's extreme, but for me it does the job exactly how I want it to be, since I use a handful of environments.

Chris

Posted 2010-08-22T14:43:58.733

Reputation: 588

1 Multiple accounts (not per application but per environment like finance) or VM approach (although this one has a huge resource impact) seems like a good high level idea, still wondering if it can be done at a lower level... If not, this is probably the closest solution. – Tamara Wijsman – 2010-09-05T14:12:56.467

I know in Linux this can be done with SELinux although I am not familiar enough with Windows to comment on that environment. – Chris – 2010-09-06T14:01:52.030

2

You can use a Host-based Intrusion Prevention System (HIPS), which Wikipedia defines as:

an installed software package which monitors a single host for suspicious activity by analysing events occurring within that host.

Such a system will have to be taught: it will ask permission for each program and for each folder and will let you permit or block the access or permit unrestricted access to all folders. Many HIPS suites also come bundled with a firewall.

Some free HIPS programs are listed in the article (and its comments):
Best Free Intrusion Prevention and Detection Utility for Home Use (HIPS).

My own favorite firewall+HIPS product is Online Armor Free.
Another very good one is Comodo Internet Security (CIS).

harrymc

Posted 2010-08-22T14:43:58.733

Reputation: 306 093

+1 for mentioning that it's a HIPS. I'm already aware of Comodo, but such systems cause a lot of overhead... But when I think of it again, besides the permission to access a folder an application may also not access another process as that would work around the security. So I guess there is no other solution than to either split up in several light environments or by using heavy protection... – Tamara Wijsman – 2010-09-05T19:58:44.433

I'm using Online Armor, and the only time I experience slow-downs is when I'm copying an enormous number of files, because HIPS will verify each file. For these cases, I turn off Online Armor temporarily. I see HIPS as essential security, as well as giving me info about the behavior of products I test, as I don't like them to get out of their designated directories or to call home. – harrymc – 2010-09-05T20:29:01.560

0

I think this might be possible with Sandboxie, but I'm not sure.

Hello71

Posted 2010-08-22T14:43:58.733

Reputation: 7 636

This indeed provides isolation, but the difference between that solution and the question is that permanent storage of the data is needed... In Sandboxie you have to explicitly recover the files from the sandbox and you can't configure it to do it automatically as far as I can see. – Tamara Wijsman – 2010-08-22T15:05:30.907

0

You should make a user with restricted permissions and "run as" the program using that user. I did that with FileZilla FTP server recently.

dratini0

Posted 2010-08-22T14:43:58.733

Reputation: 41

Creating an account for each application is not feasible... I will have to log in every time and the data would be shattered all over the Users folder. – Tamara Wijsman – 2010-09-05T14:15:21.193
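
The dedicated-account approach from dratini0's answer, sketched in PowerShell as an added example that is not part of the original thread. The account name `svc_appx`, the application path and the folder location are assumptions; run it from an elevated PowerShell 5.1 or later session.

```powershell
#Requires -RunAsAdministrator
# Added example: every name and path below is an assumption, not a value from the thread.
$AppUser = 'svc_appx'                                  # hypothetical dedicated account
$Folder  = Join-Path $env:USERPROFILE 'Documents\X'    # folder to protect
$AppPath = 'C:\Program Files\ExampleApp\app.exe'       # hypothetical application

# 1. Create the restricted local account (no group memberships are added).
$Password = Read-Host -AsSecureString "Password for $AppUser"
if (-not (Get-LocalUser -Name $AppUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AppUser -Password $Password `
        -Description 'Runs a single application' | Out-Null
}

# 2. Stop inheriting permissions from Documents and drop every existing entry,
#    so the folder no longer trusts the profile owner or the Users group.
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $false)   # protect DACL, discard inherited ACEs
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

# 3. Grant access only to the dedicated account, plus Administrators for recovery.
#    S-1-5-32-544 is the well-known SID of BUILTIN\Administrators (locale independent).
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$admins  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$appId   = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $AppUser)

$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $appId, 'Modify', $inherit, $noProp, 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $admins, 'FullControl', $inherit, $noProp, 'Allow')))
Set-Acl -Path $Folder -AclObject $acl

# 4. Verify: exactly two entries should remain, both with IsInherited = False.
(Get-Acl -Path $Folder).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# 5. Start the application under the dedicated account ("run as").
#    -WorkingDirectory is set explicitly because the caller's current directory
#    may not be readable by the restricted account.
$cred = New-Object System.Management.Automation.PSCredential("$env:COMPUTERNAME\$AppUser", $Password)
Start-Process -FilePath $AppPath -Credential $cred -WorkingDirectory (Split-Path $AppPath)
```

The ACL is enforced per account, not per executable: any program started as that account, and any administrator, can still reach the folder.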