Tracking and Controlling Network Access to Local Files with CBFS Filter
Sometimes, users—either intentionally or unintentionally—share files and directories, making them accessible across the network. They may also place sensitive files into shared directories without realizing it. As a result, it is often necessary to protect files and directories from remote access while still allowing local processes to access them.
CBFilter provides powerful mechanisms to track, monitor, and control filesystem operations, whether they originate locally or from other systems over the network.
In Windows, network access to files is handled by several kernel-level components that run in the context of the System process. That process opens files by their local names, so a filter cannot tell a remote open from a local one by the file name alone.
To address this challenge, we will leverage two great features of Windows:
- Before any operation on a file, a process must open that file.
- Windows components and applications often include supplementary information with each file create or open request, known as Extra Create Parameters (ECP).
When a file is opened by the subsystem that implements remote access, the open request carries one of two system-defined ECPs:
- ECP_SRV_OPEN: used with SMB sharing; its payload is an SRV_OPEN_ECP_CONTEXT structure.
- ECP_NFS_OPEN: used with NFS sharing; its payload is an NFS_OPEN_ECP_CONTEXT structure.
If you need to deny remote access to a file, either unconditionally or based on certain criteria, you can use the BeforeCreateFile and BeforeOpenFile events.
To add a rule for these events, use the following call:
filter.AddFilterRule("C:\\path\\to\\directory\\*.*", Constants.ACCESS_NONE, Constants.FS_CE_BEFORE_CREATE | Constants.FS_CE_BEFORE_OPEN, Constants.FS_NE_NONE);
In the handlers for these events, the application should call the GetRemoteAccessInformation method. This method returns the name of the share (or, for NFS, the export alias) and fills a buffer supplied by the application with the address of the remote system.
It is crucial that the application has the CollectRemoteOpenInformation configuration setting enabled when using this method. You can enable it with the following call:
filter.Config("CollectRemoteOpenInformation=True");
If the share or export alias name returned by the method is non-empty, the file or directory was accessed remotely; in that case the amount of address data placed in the buffer will also be greater than 0. The address stored in the buffer can then be used for more granular access control, for example allowing only specific remote systems.
If the application determines that access to the file or directory should be denied, it does so by setting the Status parameter to the desired value, such as STATUS_ACCESS_DENIED (numeric code 0xC0000022), and then setting the ProcessRequest parameter to false.
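The procedure above, as an added example that is not part of this article or the CBFS Filter SDK. It assumes the .NET edition of CBFilter under the namespace callback.CBFSFilter, event-args members named FileName, Status and ProcessRequest, and a GetRemoteAccessInformation(byte[] addr, out int addrLen) signature that returns the share or export name; check these against the SDK reference. The decision logic is kept separate from the driver callbacks so that it can be unit-tested, and it goes slightly beyond the text by allow-listing a remote subnet instead of denying all remote opens.

```csharp
// Added example, not from the article or the CBFS Filter SDK. Assumptions: the .NET
// namespace callback.CBFSFilter, event-args members FileName/Status/ProcessRequest, and
// GetRemoteAccessInformation(byte[] addr, out int addrLen) returning the share/export name.
using System;
using System.Net;
using callback.CBFSFilter;

static class RemoteAccessGuard
{
    const int STATUS_ACCESS_DENIED = unchecked((int)0xC0000022);
    // Remote networks still allowed to open the protected files (constructed sample value).
    static readonly (IPAddress net, int prefix)[] Allowed = { (IPAddress.Parse("10.0.5.0"), 24) };

    // Driver-free decision so it can be unit-tested. An empty share name or an empty address
    // buffer means the open came from a local process, which is always allowed.
    public static bool ShouldDeny(string share, byte[] addr, int addrLen)
    {
        if (string.IsNullOrEmpty(share) || addrLen <= 0) return false;
        if (addrLen != 4 && addrLen != 16) return true;      // unknown address format: fail closed
        var remote = new IPAddress(addr.AsSpan(0, addrLen).ToArray());
        foreach (var (net, prefix) in Allowed)
            if (InSubnet(remote, net, prefix)) return false;
        return true;                                         // remote and not allow-listed
    }
    static bool InSubnet(IPAddress ip, IPAddress net, int prefix)
    {
        byte[] a = ip.GetAddressBytes(), n = net.GetAddressBytes();
        if (a.Length != n.Length) return false;              // IPv4 and IPv6 never match
        for (int bit = 0; bit < prefix; bit++)
            if (((a[bit / 8] ^ n[bit / 8]) & (0x80 >> (bit % 8))) != 0) return false;
        return true;
    }
    // Shared body of both Before* handlers; the setters hide the two event-args types.
    static void Guard(CBFilter f, Action<int> setStatus, Action<bool> setProcessRequest)
    {
        var addr = new byte[16];                             // large enough for an IPv6 address
        string share = f.GetRemoteAccessInformation(addr, out int addrLen);   // assumed signature
        if (!ShouldDeny(share, addr, addrLen)) return;
        setStatus(STATUS_ACCESS_DENIED);                     // deny the open ...
        setProcessRequest(false);                            // ... and stop further processing
    }
    public static void Attach(CBFilter filter)
    {
        filter.Config("CollectRemoteOpenInformation=True");  // required for GetRemoteAccessInformation
        filter.AddFilterRule(@"C:\Shared\Finance\*.*", Constants.ACCESS_NONE,
            Constants.FS_CE_BEFORE_CREATE | Constants.FS_CE_BEFORE_OPEN, Constants.FS_NE_NONE);
        filter.OnBeforeCreateFile += (s, e) => Guard(filter, v => e.Status = v, v => e.ProcessRequest = v);
        filter.OnBeforeOpenFile += (s, e) => Guard(filter, v => e.Status = v, v => e.ProcessRequest = v);
    }
}
```

Call Attach before starting the filter; a local open (empty share name) passes through, an open from 10.0.5.0/24 is allowed, and any other remote open is rejected with STATUS_ACCESS_DENIED.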
Getting Started with CBFilter
You can find an evaluation version of the SDK for your platform and programming language in the Download Center. After downloading and installing the SDK, you will receive a library, sample code, and comprehensive documentation on your system. The documentation includes a "Getting Started" section with programming instructions. Additionally, free technical support is available during the evaluation phase.
We appreciate your feedback. If you have any questions, comments, or suggestions about this article, please contact our support team at support@callback.com.