The disk contains sensitive files like ssh private keys, and they are saved in plain format. My computer has only one user account. Applications such as ssh.exe require access to these files, and I also want to view them in text editors such as Visual Studio Code.
The problem is that certain malicious applications can scan the disk and read these secret files, even if they don’t modify them. These applications may run with elevated privileges, like Administrator or SYSTEM.
I am looking for a solution to restrict access to these sensitive files by allowing only a selected group of programs to access them. Essentially, I need a white-list that specifies which applications can access a particular folder and read its files.
Thank you for your help.
2 Answers
Introduction
The security of sensitive data is a critical concern for every user. Windows 10 offers various features to protect your files and folders from unauthorized access. However, sometimes certain applications can read your secret files, which can pose a threat to the security of your data. This blog post will discuss how you can prevent other apps from reading a certain file in Windows 10.
Encrypt your Files
One of the easiest and most secure ways to protect your secret files is to encrypt them. Windows 10 comes with a built-in encryption tool called BitLocker. BitLocker allows you to encrypt your entire drive or specific files and folders. When you encrypt a file, only authorized users can access it, and it remains protected from unauthorized access.
To encrypt a file using BitLocker, follow these steps:
- Right-click on the file you want to encrypt and select “Properties.”
- Click on the “Advanced” button in the “General” tab.
- Check the box that says “Encrypt contents to secure data.”
- Click “OK” and then “Apply.”
- You will be prompted to back up your encryption key. Follow the instructions to do so.
Once you have encrypted your file, only authorized users can access it. Therefore, even if an application tries to read the file, it won’t be able to do so without the encryption key.
Use Windows Defender Application Control
Windows Defender Application Control (WDAC) is a powerful feature that allows you to control which applications can run on your computer. WDAC uses a combination of code integrity policies and rule-based policies to control which applications can run. You can use WDAC to create a whitelist of applications that are allowed to access your secret files, and block all other applications.
To use Windows Defender Application Control, follow these steps:
- Open the “Group Policy Editor” by typing “gpedit.msc” in the Run dialog box (Win + R).
- Navigate to “Computer Configuration” > “Windows Settings” > “Security Settings” > “Application Control Policies” > “AppLocker” > “Executable Rules.”
- Right-click on the white space in the right pane and select “Create Default Rules.”
- Click “Yes” when prompted to create default rules.
- Click on “Executable Rules” and then click “Create New Rule.”
- Select “Deny” and then click “Next.”
- Choose “Path” and then click “Next.”
- Browse to the folder where your secret file is located, and select the file.
- Click “Next” and then “Create.”
This will create a rule that denies access to the specified file by all applications except the ones in the whitelist.
Use Access Control Lists (ACLs)
Access Control Lists (ACLs) are a set of permissions that determine who can access a file or folder and what they can do with it. You can use ACLs to restrict access to your secret files and folders to only authorized users and applications.
To use ACLs to protect your files, follow these steps:
- Right-click on the file you want to protect and select “Properties.”
- Click on the “Security” tab.
- Click on the “Edit” button.
- Click on the “Add” button and then enter the name of the user or application you want to allow access to the file.
- Select the user or application from the list and then click “OK.”
- Click on the newly added user or application and select the permissions you want to grant.
- Click “OK” to save the changes.
This will restrict access to the file to only the authorized users and applications.
Use a Third-Party Tool
If you want more advanced control over which applications can access your secret files and folders, you can use a third-party tool like Sandboxie or McAfee Application Control. These tools allow you to create a whitelist of applications that are allowed to access your files and folders and block all other applications.
Sandboxie is a free tool that creates a sandbox environment for your applications, allowing you to control which applications can access your files and folders. McAfee Application Control is a paid tool that provides advanced control over which applications can run on your computer.
Conclusion
Protecting your secret files and folders from unauthorized access is crucial for maintaining the security of your data. Windows 10 offers various built-in features that allow you to control which applications can access your files and folders. You can use encryption, access control lists, and Windows Defender Application Control to protect your files. If you need more advanced control, you can use third-party tools like Sandboxie or McAfee Application Control. By following these steps, you can ensure that only authorized users and applications can access your secret files and folders.
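As an added example (not part of the answer above, and not a Microsoft-supplied script), the following PowerShell does from the command line what the Properties > Security and Properties > Advanced dialogs do by hand, and adds the check a practitioner wants afterwards: a SACL audit entry on the key folder so that every read is logged as Security event 4663, which records the reading process. It assumes Windows 10 with the built-in PowerShell 5.1, an elevated prompt (the audit steps need SeSecurityPrivilege), and that the keys live in `%USERPROFILE%\.ssh`; the function names and the `$allowed` list are illustrative. `cipher.exe` drives the same "Encrypt contents to secure data" setting as the checkbox in the dialog.

```powershell
# Added example: lock down an SSH key folder with NTFS permissions, optionally
# encrypt it, and audit which processes read it. Paths and names are assumptions.

$keyDir = Join-Path $env:USERPROFILE '.ssh'          # assumed key location
$me     = "$env:USERDOMAIN\$env:USERNAME"            # the single user account

function Protect-KeyFolder {
    param([string]$Path, [string]$Principal, [switch]$Encrypt)

    # Show the DACL before changing it; inherited ACEs usually grant more than intended.
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited, AccessControlType |
        Format-Table -AutoSize

    # /inheritance:r drops inherited ACEs; /grant:r replaces existing grants, so the
    # folder and each key file end up with a single full-control ACE for the user.
    icacls $Path /inheritance:r /grant:r "${Principal}:(OI)(CI)F" | Out-Null
    Get-ChildItem -Path $Path -File | ForEach-Object {
        icacls $_.FullName /inheritance:r /grant:r "${Principal}:F" | Out-Null
    }

    # Optional: EFS-encrypt the folder and everything below it. Export the EFS
    # certificate afterwards (cipher.exe /X) so the keys survive a profile loss.
    if ($Encrypt) { cipher.exe /E "/S:$Path" | Out-Null }
}

function Enable-KeyFolderAudit {
    param([string]$Path)

    # Object-access events are only generated when the subcategory is on ...
    auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

    # ... and the object carries a SACL entry. Audit every ReadData by anyone,
    # inherited by all files and subfolders.
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'ReadData', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-KeyFolderReads {
    param([string]$Path, [int]$Hours = 24)

    # Event 4663 ("An attempt was made to access an object") carries the process
    # name, the object path and the account, which is what a whitelist check needs.
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$Path*" } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Process = $d['ProcessName']
                Object  = $d['ObjectName']
                User    = $d['SubjectUserName']
            }
        }
}

# Usage: harden, enable auditing, then list reads by anything outside the
# programs you expect (assumed names; Code.exe is the VS Code binary).
Protect-KeyFolder -Path $keyDir -Principal $me
Enable-KeyFolderAudit -Path $keyDir
$allowed = @('ssh.exe', 'Code.exe')
Get-KeyFolderReads -Path $keyDir |
    Where-Object { (Split-Path $_.Process -Leaf) -notin $allowed } |
    Format-Table -AutoSize
```

Two caveats follow from how these controls work. NTFS permissions and EFS are tied to the user account, not to the application, so any process running as that user, including an unwanted one, still passes the ACL check and still gets transparent EFS decryption; and a process running as Administrator or SYSTEM can take ownership of the folder and grant itself access. The audit trail does not prevent such reads, but it turns the question "which program touched my keys?" into a query against event 4663, which is the closest Windows gets out of the box to the per-application whitelist the question asks for.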
I discovered that Windows offers Minifilter drivers that could potentially solve this problem, but I wasn’t able to find a readily available solution to use, apart from some security software like Comodo Internet Security and Huorong Security, which can be quite heavy on system resources.
If you’re interested in creating a solution yourself, you could start by trying out CynicalApe/Minifilter-CSHARP-ConsoleApp.
Ideally, I would prefer if Microsoft could simply incorporate this feature into their existing Controlled folder access feature in Windows Defender.