Exercise 3: Securing a File Object

In this exercise, you will install and run a service that creates a log file that should be accessible to the user. However, the user will be unable to write to or delete the file unless the service sets the appropriate security attributes, including the integrity level, which will allow the user to access the file.

Task 1 - Install and Run the Service

As part of this task, you will install the service using the installutil command-line utility and then run it for the first time. You will see that the user receives an “Access Denied” error when attempting to delete the file created by the service.

  1. Using Visual Studio, open the Session0_Starter solution.
  2. Build the entire solution (make note of the build configuration you used – Debug/Release, x86/x64).
  3. To open an administrative command prompt, click Start, point to All Programs, point to Accessories, and then right-click Command Prompt. Click Run as administrator.
  4. Use the cd command to navigate to the output directory to which the application binaries were deployed. For example, if the output directory is C:\Session0_Starter\Debug, then use the following commands to navigate to that directory:
    C:
    cd C:\Session0_Starter\Debug

  5. Issue the following command to create the LoggingService service (make sure to replace the path to the service with the path you used in step 4, and make sure to copy the space after “binPath=”).
    installutil LogService.exe

  6. Open the Services MMC Snap-in by pressing the Windows logo key+R and typing services.msc into the Run dialog box.
  7. Locate the LoggingService service, right-click it, and click Start.
  8. To open a standard command prompt, click Start, point to All Programs, click Accessories, and click Command Prompt (Note: do not run the command prompt with administrator privileges).
  9. Stop the service by going back to the Services MMC Snap-in, locating the LoggingService service, right-clicking it, and clicking Stop.
  10. Open a Windows Explorer window (by going through My Computer, or directly) and navigate to the C:\ root directory. Locate the LogService.txt file.
  11. Attempt to delete the file using Windows Explorer (right-click the file and click Delete, or press the Del key). The attempt will fail with an access denied error, because we have not authorized the user to write to or delete the file.

Task 2 - Modify the Integrity Level of the Log File

As part of this task, you will modify the integrity level of the log file created by the service. As a result, the user will be able to write to the log file and even delete it.

  1. If you haven’t done so yet, follow steps 1-5 in Task 1 to install the LoggingService service.
  2. If you haven’t done so yet after completing Task 1, make sure to stop the LoggingService service (see step 10 in Task 1).
  3. Using Visual Studio, open the Session0_Starter solution.
  4. Locate the LogService project under the Security\Managed solution folder, and open the LoggingService.cs (C#) or LoggingService.vb (Visual Basic) file.
  5. In the file, find the //TODO comment marked with ? and add the following code:
    IntegrityLevelHelper.SetFileIntegrityLevel(@"C:\LogService.txt", IntegrityLevel.Medium);

  6. Build the solution.
  7. Repeat steps 6-11 from Task 1. This time, the user is able to delete the log file because it is not protected by a system integrity level.