Information Security
windows .net windows-permissions service-account
Updated Mon, 29 Aug 2022 19:39:32 GMT

Windows directory that is only accessible by SYSTEM user


I am developing a .NET Windows Service using C# that needs to download an executable file and run it.

I need the Windows Service to run with SYSTEM privileges in order to allow it to install software updates among other things.

For security reasons, I would like to download the executable to a location that is only accessible by the SYSTEM user, or at least can only be written to by the SYSTEM user.

I want to avoid a situation where a standard user could potentially copy an executable file to a known location and then for the Windows Service to run that executable with SYSTEM privileges. This is something that I'm very keen to avoid.

I've looked around, but I'm not sure what would be best for the above scenario. Should I be creating a download folder in the current user's temp directory (e.g. Path.GetTempPath() in .NET) and setting some sort of ACL for this before downloading the executable file into it, or is there another directory on the system that is already well secured and is not accessible by standard users or even to other users generally?




Solution

If your service is running as SYSTEM and you use Path.GetTempPath(), .NET should return the full path of a temp file in the SYSTEM account's temp directory.

This directory is by default protected by ACLs (Access Control Lists) that only allow the SYSTEM user to write to the directory. Therefore, if you place your downloaded file in that directory, it should be safe. It should not be possible for a non-admin user to write a rogue file (or any file) into the SYSTEM temp directory.

Notes:

  1. The SYSTEM temp folder is typically one of these: C:\Windows\system32\config\systemprofile\AppData\Local\Temp or C:\Windows\Temp - you can see for yourself what ACLs Windows puts on these directories.
  2. A local admin user can gain SYSTEM privileges and then write any file to any folder (including the SYSTEM temp folder), but that is a less interesting scenario in your case probably.