Deny access to documents outside application

Question

I am developing an application which keeps document repository and provide searching from it. I want to prevent users to view/add/modify/delete documents outside application. Currently, i am storing documents in a normal folder structure in windows, which is easily accessible to any authorized windows user. I am seeking for some methodology using which, I can ensure that, none other than my application can access those documents.

Is there any library or technique available, using which I can hide those files from windows user, but my application can use it in normal way?

Answer 1

If you have to save documents in the windows and want to restrict users then try saving them in encrypted form with possibly a password. So that even if someone has access to it, it becomes useless for him. Something like this should work for encryption

 using (var fileStream = File.OpenWrite(theFileName))
 using (var memoryStream = new MemoryStream())
 {
// Serialize to memory instead of to file
var formatter = new BinaryFormatter();
formatter.Serialize(memoryStream, customer);

// This resets the memory stream position for the following read operation
memoryStream.Seek(0, SeekOrigin.Begin);

// Get the bytes
var bytes = new byte[memoryStream.Length];
memoryStream.Read(bytes, 0, (int)memoryStream.Length);


var encryptedBytes = yourCrypto.Encrypt(bytes);
fileStream.Write(encryptedBytes, 0, encryptedBytes.Length);
}

And you can use this library for password protection and zipping

Answer 2

If you are on Windows Server 2012, you can use Windows Server 2012 Dynamic Access Control which brings 2 features called SDDL (Security Descriptor Definition Language) and DACL (Dynamic Access Control).

Here are a couple articles worth reading:

• http://blogs.technet.com/b/wincat/archive/2012/07/20/diving-deeper-into-windows-server-2012-dynamic-access-control.aspx
• http://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/SIA341

With dynamic access control, you can define which users view / edit which files and folders based on classification and user claims.