determining the host from which a file IO request originated in a file system filter

Hi All,

I’ve been out of the filtering business for a long time. IIRC, it was relatively easy, using a file system filter, to determine the user that initiated a given file IO, even if that user was requesting file access over the network (by tracking security information collected during file open).

Anyway, taking identification a step further, in the case of file IO coming in through the file server, should it be possible to determine the remote host from which a particular file IO originated? IIRC, all remote calls would come in in the context of the SRV service (or something like that) so that was a clue that it was coming in through a non-local user. Should it be possible to determine the network address of the host on which the file request was initiated? Or would I need to filter some at some higher level - up in user land, somewhere?

Any hints on if or how this could be done would be appreciated.

Thanks!

I don’t know of any way to achieve this - and I’ve had people ask
numerous times over the years!

Regards,

Tony

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Joel Smith
Sent: Thursday, June 17, 2004 4:18 PM
To: ntfsd redirect
Subject: [ntfsd] determining the host from which a file IO request
originated in a file system filter

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com To unsubscribe
send a blank email to xxxxx@lists.osr.com

(Must’ve missed the original question)
How about the user name itself? \Domain\Server\Share - that gives the Server
name, which is enough.

Kind regards, Dejan M. MVP for DDK
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32 developers.
Alfa File Monitor - File monitoring library for Win32 developers.

I’m not sure this would even work with SRV, would it? For example, if
that is a DFS name, I don’t know that it would positively identify the
file server, only the DFS server.

And, of course, this mechanism probably won’t work at all when you
consider other file servers.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Looking forward to seeing you at the Next OSR File Systems Class October
18, 2004 in Silicon Valley!

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Dejan Maksimovic
Sent: Saturday, June 19, 2004 10:03 AM
To: ntfsd redirect
Subject: Re: [ntfsd] determining the host from which a file IO request
originated in a file system filter

I forgot this won’t tell the physical server used for the access. Is this even
possible from user space? (via open network files)

Kind regards, Dejan M. MVP for DDK