windows 7 user privilege and security review

5
votes

I want to show my users (and myself) what their privileges are and give them the ability to elevate their privilege (or get someone else to) before running the MakeSymbolicLink command.

The equivalent command line command (mklink) requires elevation of permissions. I want to give my users lots of functional shortcuts through a thick next of directories. The links span disks and remote file systems.

WHat is the programmatic (c# or C++) canonical way to dig out security settings an privilage for a particular user while logged in ?

2
visual-c++c#-4.0windows-7symlink
Good question although you might want to accept some more answers on your questions before you expect people to help you out. - Tim
possible duplicate of how can you easily check if access is denied for a file in .NET? - Sheng Jiang 蒋晟
To call GetNamedSecurityInfo, SE_SECURITY_NAME privilege must be enabled for the calling process. SE_BACKUP_NAME & SE_RESTORE_NAME is probably OK for GetFileSecurity. But again, if you invoked those privileges, most likely you don't have an access denied problem to deal with. If you intend to run under a least privileged account, you can inform the user which permission is denied on which file/folder and what to do (e.g. over the shoulder elevation or switch user). - Sheng Jiang 蒋晟
@Sheng, it's funny you vote for close and then kind of answer in a comment... And as for being duplicate, from the OP's reference to elevation, I take it he's referring to UAC limitations (dr, please correct me if I'm wrong). That's different than checking single files. And even if it isn't, the other question says nothing about C++. This question could at least complete the other one, IMO. - eran

2 Answers

0
votes

You can use WMI and tap into Win32_LogicalFileSecuritySetting or a few other tables and enumerate permissions based on UNC or local file path locations.

System.DirectoryServices namespace in C# also allows you to enumerate permissions on a given user.

So you have a few chioces.

0
votes

You can find a C++ implementation of what you're looking for in the following CodeProject article: Riding the Vista UAC elevator, up and down. Makes it easy to get the current elevation level, and create new processes in a different elevation level. Really nice stuff, which works in Windows 7 as well.