Get a handle on directory security with .NET's DirectorySecurity object
Takeaway: By using .NET's DirectorySecurity class and the Directory class's methods, you can easily manipulate a file system's security to control user access to directories. Tony Patton offers more details in this article.
An important topic when working with .NET directories is security; that is, you want the users who need to access a directory to have it and restrict other users from the directory. This article examines the details of controlling and setting security at the directory level.
Controlling access
.NET's Directory class allows you to read (and, if you have the rights, modify) a directory's access control list (ACL) through a DirectorySecurity object, using the following two methods:
- GetAccessControl: Returns the Windows ACL for a directory as a DirectorySecurity object.
- SetAccessControl: Applies ACL entries contained in a DirectorySecurity object to the specified directory.
An understanding of the DirectorySecurity class is necessary to properly use these methods, so let's dig further.
DirectorySecurity
The DirectorySecurity class defines how access to a directory is controlled and audited. This class is an abstraction of the underlying Windows file security system (it is part of the System.Security.AccessControl namespace).
In this system, each directory has a discretionary ACL (DACL) that controls who may access the directory, and a system ACL (SACL) that determines which access attempts are audited. DirectorySecurity uses two additional classes -- FileSystemAccessRule and FileSystemAuditRule -- to handle directory access and auditing respectively.
The FileSystemAccessRule class represents an abstraction of an underlying access control entry (ACE) that specifies a user account, the type of access to provide (read, write, etc.), and whether to allow or deny that right. This class can also specify how access rules are propagated to child objects. The FileSystemAuditRule class represents an ACE that defines an audit rule for a file or directory.
To add an access or audit rule to a directory through the DirectorySecurity class, you create a new instance of FileSystemAccessRule or FileSystemAuditRule and pass it to the appropriate DirectorySecurity method. We begin with access rights. Listing A contains the constructor syntax for each class.
The first parameter specifies the user, group, or identity for which this rule applies. The second parameter is the FileSystemRights enumeration which allows you to specify what the user (from the first parameter) can do. It has a number of possible values, including CreateDirectories, CreateFiles, Delete, FullControl, ListDirectory, and more.
The final parameter for the FileSystemAccessRule class specifies whether the user can or cannot perform the actions named in the second parameter; the AccessControlType enumeration has two values, Allow and Deny. The third parameter for the FileSystemAuditRule class is taken from the AuditFlags enumeration (Failure, None, or Success) and sets which outcomes are audited. The FileSystemAuditRule constructor is overloaded; this three-parameter form is the most basic.
Directory access
The Directory class is one way to work with a directory's ACL entries. To do so, follow these steps:
- Instantiate a DirectorySecurity object via the GetAccessControl method of the Directory class.
- Work with the directory's access rules through the DirectorySecurity object. For example, the AddAccessRule method adds a new rule. The new rule is defined as a FileSystemAccessRule object, which includes the identity (user, group, etc.), the file system rights, and the access control type (Allow or Deny).
- Call the SetAccessControl method of the Directory class (with the DirectorySecurity object as a parameter) to make the ACL changes permanent.
The C# code in Listing B adds an ACL entry to each directory on the C: drive. The entry provides full control to a specific user (Domain\TechRepublicUser). Also, it removes another access rule that denies full control to another user (Domain\Tester). Listing C contains the equivalent VB.NET code.
Audit trail
The Directory class also allows you to work with a directory's audit rules. Auditing works like the previous example, where access rules are manipulated -- the difference is that you use the FileSystemAuditRule class instead of FileSystemAccessRule, together with the AddAuditRule and RemoveAuditRule methods. The C# code in Listing D resembles the previous example, except that audit rules are added to and removed from each directory's SACL. Listing E contains the equivalent VB.NET code.
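The following C# program is an added example, not the article's Listing B or D; it walks through the three steps above and also adds an audit rule in a single pass. The directory path and account names are placeholders, and it assumes .NET Framework on Windows, run by an account allowed to change the directory's DACL and SACL.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example (not the article's code). Path and accounts are placeholders.
class DirectoryAclDemo
{
    static void Main()
    {
        string path = @"C:\Example";                    // placeholder directory
        string allowUser = @"DOMAIN\TechRepublicUser";  // placeholder account
        string denyUser = @"DOMAIN\Tester";             // placeholder account

        // Step 1: read the current DACL and SACL as a DirectorySecurity object.
        DirectorySecurity security = Directory.GetAccessControl(path,
            AccessControlSections.Access | AccessControlSections.Audit);

        // Step 2a: allow full control, inherited by subfolders and files.
        var allowRule = new FileSystemAccessRule(
            allowUser,
            FileSystemRights.FullControl,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Allow);
        security.AddAccessRule(allowRule);

        // Step 2b: remove a matching Deny entry for another account.
        var denyRule = new FileSystemAccessRule(
            denyUser, FileSystemRights.FullControl, AccessControlType.Deny);
        security.RemoveAccessRule(denyRule);

        // Step 2c: audit failed access attempts by Everyone (SACL entry).
        var auditRule = new FileSystemAuditRule(
            new SecurityIdentifier(WellKnownSidType.WorldSid, null),
            FileSystemRights.FullControl,
            AuditFlags.Failure);
        security.AddAuditRule(auditRule);

        // Step 3: write the modified security descriptor back to the directory.
        Directory.SetAccessControl(path, security);

        // Check the result: list the explicit (non-inherited) DACL entries.
        foreach (FileSystemAccessRule rule in Directory.GetAccessControl(path)
                     .GetAccessRules(true, false, typeof(NTAccount)))
        {
            Console.WriteLine("{0} {1} {2}", rule.AccessControlType,
                rule.IdentityReference, rule.FileSystemRights);
        }
    }
}
```

Audit entries only produce events once object access auditing is enabled in the local security policy; adding the SACL rule alone logs nothing.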
Tony Patton began his professional career as an application developer earning Java, VB, Lotus, and XML certifications to bolster his knowledge.