c++windowswinapiwindows-securitydacl

Is it possible to disallow taking ownership of a file?


I'm curious if there's a way to prevent users (including the ones belonging to the admin group) from taking ownership of a file?

I originally create such file from my service that is running under Local System account. I then set that file's DACL to D:(A;OICI;GA;;;SY) to let only SYSTEM account to have full access, and set my service as an owner:

DWORD dwRes = ::SetNamedSecurityInfo(
    strDataFilePath,
    SE_FILE_OBJECT,
    OWNER_SECURITY_INFORMATION,  // change only the object's owner
    pMyServiceUserSid,           // User SID for my service
    NULL,
    NULL,
    NULL);

But after all that is done I can still take ownership of this file via Windows Explorer as an administrator:

enter image description here


Solution

  • No, this is not possible. The very essence of an account with administrative privileges is that they can do essentially they want. Administrators own the system. They can always take ownership of a file, no matter how you've set the permissions.

    All that you're doing is making it more difficult for an administrator to change a file because they have to take ownership first. There is merit in that; it prevents even administrators from making inadvertent changes. No one "accidentally" takes ownership of a file.

    The normal workarounds are either to assign everyone non-administrative accounts (which is really what you should be doing anyway), or to encrypt the file using some external means.

    Bottom line: don't give people you don't trust administrative access to your machine or your files.