I have a file system filter driver based on filemon’s source.
Although I filter FastIoQueryNetworkOpenInfo, access to shared folders
is still possible.
How can it be?
What to do in order to block access from remote?
Thanks!
> Although I filter FastIoQueryNetworkOpenInfo, access to shared folders
> is still possible.
At least you have to filter both FastIO and IRP path.
L.
You mean, I have to filter FastIoQueryNetworkOpenInfo and
IRP_MJ_CREATE (and get the path from the irp params)?
Isn’t filtering FastIoQueryNetworkOpenInfo only should be enough?
Anything else I need to filter in order to block remote access?
On 6/21/05, Ladislav Zezula wrote:
> > Although I filter FastIoQueryNetworkOpenInfo, access to shared folders
> > is still possible.
>
> At least you have to filter both FastIO and IRP path.
>
> L.
>
> —
> Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@gmail.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
The name of this operation is misleading. Despite the name being
FastIoQueryNetworkOpenInfo, both local and remote files can be opened
and queried via this path. Also, both network and local files can be
opened via the IRP Create path as well.
I believe the history here is that this interface was added as a
performance improvement targeting remote files for things like Explorer
that wanted a quicker way to query information about the file. For
remote files, this is a bigger win since now you only need one network
request to get this information instead of three (open, query, close).
It turns out that this optimized path also speeds up gathering this
information for local files as well, but the name still reflects the
original intent for which this interface was created.
Regards,
Molly Brown
Microsoft Corporation
This posting is provided “AS IS” with no warranties and confers no
rights.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Omer B
Sent: Tuesday, June 21, 2005 4:48 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Filtering of FastIoQueryNetworkOpenInfo() doesn’t
block remote access
You mean, I have to filter FastIoQueryNetworkOpenInfo and IRP_MJ_CREATE
(and get the path from the irp params)?
Isn’t filtering FastIoQueryNetworkOpenInfo only should be enough?
Anything else I need to filter in order to block remote access?
Use of filemon sources requires payment to sysinternals.com. Also please let
us know what product will be using this code so we can avoid it. Basing
code upon those old filemon sources is doomed to failure. Use the examples
provided by Microsoft. They work and are far more up to date and stable.
In fact, FastIoQueryNetworkOpenInfo has not much to do with SMB. The only
reason is that SMB has some “file information” structure, which is called
“network open info” in the OS itself. The only “networkish” thing in the
structure is that it is directly used in SMB protocol (and included in the OS
itself to simplify and speed up SMB implementation).
Surely not all SMB/SRV is based on it. SRV also uses usual CREATE path.
To block network opens, you can try to query the token information from the
Parameters.Create.SecurityContext - use the impersonation token, get its groups
and see whether the “network” pseudo-group is among them.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
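The group check suggested in the message above, as an added example that is not part of the thread and is not driver code: a portable C model that scans a token's group list for the well-known NETWORK SID (S-1-5-2). The struct names, the function name and the two sample group lists are constructed for illustration; the kernel routines a real filter would call are named in the opening comment.

```c
/* Added illustration: portable model of the group check, not driver code.
 * In IRP_MJ_CREATE the token comes from Parameters.Create.SecurityContext->
 * AccessState->SubjectSecurityContext (SeQuerySubjectContextToken), the groups
 * from SeQueryInformationToken(token, TokenGroups, ...); RtlEqualSid compares. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SUBAUTH 15
typedef struct {                 /* mirrors the documented SID layout */
    uint8_t  revision;           /* always 1 */
    uint8_t  sub_count;          /* number of sub-authorities in use */
    uint8_t  authority[6];       /* identifier authority, big-endian */
    uint32_t sub[MAX_SUBAUTH];
} model_sid;
typedef struct { const model_sid *sid; uint32_t attributes; } model_group;

/* S-1-5-2, NT AUTHORITY\NETWORK: present in tokens created by a network logon */
static const model_sid SID_NETWORK = {1, 1, {0, 0, 0, 0, 0, 5}, {2}};

static int sid_equal(const model_sid *a, const model_sid *b) {
    if (a->revision != b->revision || a->sub_count != b->sub_count) return 0;
    if (a->sub_count > MAX_SUBAUTH) return 0;        /* malformed SID */
    if (memcmp(a->authority, b->authority, sizeof a->authority) != 0) return 0;
    return memcmp(a->sub, b->sub, a->sub_count * sizeof a->sub[0]) == 0;
}

/* Returns 1 if the group list contains the NETWORK pseudo-group, else 0. */
int token_is_network_logon(const model_group *groups, size_t count) {
    for (size_t i = 0; i < count; i++)
        if (groups[i].sid != NULL && sid_equal(groups[i].sid, &SID_NETWORK))
            return 1;
    return 0;
}

/* Constructed sample tokens; 0x7 = mandatory | enabled by default | enabled */
static const model_sid SID_EVERYONE    = {1, 1, {0, 0, 0, 0, 0, 1}, {0}};
static const model_sid SID_USERS       = {1, 2, {0, 0, 0, 0, 0, 5}, {32, 545}};
static const model_sid SID_INTERACTIVE = {1, 1, {0, 0, 0, 0, 0, 5}, {4}};
const model_group LOCAL_LOGON[]  = {{&SID_EVERYONE, 7}, {&SID_USERS, 7}, {&SID_INTERACTIVE, 7}};
const model_group REMOTE_LOGON[] = {{&SID_EVERYONE, 7}, {&SID_USERS, 7}, {&SID_NETWORK, 7}};

int main(void) {
    printf("local=%d remote=%d\n", token_is_network_logon(LOCAL_LOGON, 3), token_is_network_logon(REMOTE_LOGON, 3));
    return 0;
}
```

The comparison requires an exact match on sub-authority count, so a longer SID that merely begins with S-1-5-2 is not treated as the NETWORK group.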
> Use of filemon sources requires payment to sysinternals.com. Also please let
> us know what product will be using this code so we can avoid it
David, sometimes, an existing source can be used for learning and
understanding principles - and that’s the only thing I’m doing with
it.
> In fact, FastIoQueryNetworkOpenInfo has not much to do with SMB
So I need to filter create and fastio, or only create?
> To block network opens, you can try to query the token information from the
> Parameters.Create.SecurityContext - use the impersonation token, get its groups
> and see whether the “network” pseudo-group is among them.
How to query the token information? And what do you mean by “network group”?
You said: “I have a file system filter driver based on filemon’s source.”.
It is not a good example for production code. It was a very good example of
some of the hacks that can be used for development. You cannot unload file
system filters, except for mini-filters, and have a stable production
system.