Tag: Security

  • How to programmatically control access to files in C# using FileSecurity objects

    A quick demonstration of how to control access to files in real time.

    As described in the Microsoft documentation, access control entries can be added to or removed from a file by obtaining the file's FileSecurity object, modifying it, and then applying it back to the file.

    In this example I choose to change the file access properties of a simple icon file “icon.ico”:

    Before the properties are modified, the file can be opened straightforwardly as follows:

    To demonstrate how we can alter the access properties in real time, create a C# console application in Visual Studio and add the following code. Note the use of the WindowsIdentity.GetCurrent() API to obtain the necessary username/domain details of the current Windows user:

    using System;
    using System.IO;
    using System.Security.AccessControl;
    using System.Security.Principal;
    
    namespace FileControlAccess
    {
       class Program
       {
          static void Main(string[] args)
          {
             try
             {
                const string fileName = "c:\\data\\icon.ico";
                var domain = WindowsIdentity.GetCurrent().Name;
    
                Console.WriteLine("Adding access control entry for " + fileName);
    
                // Add the access control entry to the file.
                AddFileSecurity(fileName, domain, FileSystemRights.ReadData, AccessControlType.Deny);
                Console.WriteLine("Removing access control entry from " + fileName);
    
                // Remove the access control entry from the file.
                RemoveFileSecurity(fileName, domain, FileSystemRights.ReadData, AccessControlType.Deny);
                Console.WriteLine("Done.");
             }
             catch (Exception e)
             {
                Console.WriteLine(e);
             }
          }
    
          // Adds an ACL entry on the specified file for the specified account.
          public static void AddFileSecurity(string fileName, string account,
              FileSystemRights rights, AccessControlType controlType)
          {
             // Get a FileSecurity object that represents the current security settings.
             FileSecurity fSecurity = File.GetAccessControl(fileName);
    
             // Add the FileSystemAccessRule to the security settings.
             fSecurity.AddAccessRule(new FileSystemAccessRule(account,
                 rights, controlType));
             File.SetAccessControl(fileName, fSecurity);
          }
    
          // Removes an ACL entry on the specified file for the specified account.
          public static void RemoveFileSecurity(string fileName, string account,
              FileSystemRights rights, AccessControlType controlType)
          {
             // Get a FileSecurity object that represents the current security settings.
             FileSecurity fSecurity = File.GetAccessControl(fileName);
    
             // Remove the FileSystemAccessRule from the security settings.
             fSecurity.RemoveAccessRule(new FileSystemAccessRule(account,
                 rights, controlType));
             File.SetAccessControl(fileName, fSecurity);
          }
       }
    }
    

    On stepping through the code, we first add an access control entry to DENY the user ‘Read’ access to the ‘icon.ico’ file:

    On inspecting the file’s Security properties we observe that this Deny access property has indeed been added:

    And when we try to open the file we observe that we can’t:

    We then step further through the code and remove the access control property we just added:

    This is also observed in the file’s security properties as shown:

    We can now open the file unopposed, as before:
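
The deny-then-restore sequence above, with each step checked in code instead of through the file's Security properties dialog; this is an added example, not code from the original post. It assumes the same .NET Framework File.GetAccessControl API and sample path as the post, identifies the user by SID rather than by name, and the names DenyRuleCheck and HasExplicitDeny are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

class DenyRuleCheck   // hypothetical name, not from the post
{
   // True if the file carries an explicit (non-inherited) Deny entry
   // for this SID that covers all of the given rights.
   static bool HasExplicitDeny(string path, SecurityIdentifier sid, FileSystemRights rights)
   {
      FileSecurity fs = File.GetAccessControl(path);
      foreach (FileSystemAccessRule r in fs.GetAccessRules(true, false, typeof(SecurityIdentifier)))
      {
         if (r.AccessControlType == AccessControlType.Deny &&
             r.IdentityReference.Equals(sid) &&
             (r.FileSystemRights & rights) == rights)
            return true;
      }
      return false;
   }

   static void Main()
   {
      const string path = "c:\\data\\icon.ico";   // same sample file as the post
      SecurityIdentifier sid = WindowsIdentity.GetCurrent().User;
      var deny = new FileSystemAccessRule(sid, FileSystemRights.ReadData, AccessControlType.Deny);

      FileSecurity fs = File.GetAccessControl(path);
      fs.AddAccessRule(deny);
      File.SetAccessControl(path, fs);
      try
      {
         Console.WriteLine("Deny entry present: " + HasExplicitDeny(path, sid, FileSystemRights.ReadData));
         try { using (File.OpenRead(path)) { } Console.WriteLine("Read unexpectedly succeeded"); }
         catch (UnauthorizedAccessException) { Console.WriteLine("Read blocked by the Deny entry"); }
      }
      finally
      {
         // Always take the Deny entry off again, even if a check above throws.
         fs = File.GetAccessControl(path);
         bool removed = fs.RemoveAccessRule(deny);
         File.SetAccessControl(path, fs);
         Console.WriteLine("Removed: " + removed + ", still present: " +
            HasExplicitDeny(path, sid, FileSystemRights.ReadData));
      }
   }
}
```

The try/finally matters here: if the program exits between the add and the remove, the Deny entry stays on the file and keeps overriding any Allow entries for that user until it is removed.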