The FileUser demo shows how (on Windows NT only) to get a file’s current SD, and then update it by adding either an AccessAllowed ACE or an AccessDenied ACE for a given user. To keep this example simple, we’re using a command-line, Win32 console application. The program expects a filename, a username, and a + (plus sign, specifying access allowed) or - (minus sign, specifying access denied) to be passed from the command line.
NOTE
The FileUser demo is included on the CD accompanying this book, in the Chapter 20 folder. This demo makes use of advanced security features that are currently supported only on Windows NT. Windows 98 will simply return a failure status on most functions used by this program.
This example should give you some understanding of how Windows NT’s object-level security is set or modified for an object. You can experiment and modify this sample program to allow no access rights or all access rights, or to change ownership of the file. By changing the DACL type, you can also use this code to modify the security on other types of objects.
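Whether a newly added AccessDenied ACE takes effect depends on where it lands in the DACL, because the access check reads ACEs in order and stops once every requested right has been granted. The following is an added example, not the FileUser source from the book: a simplified C model that does not call the Win32 API, and its types, function names, user name and right bits are all hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model of a DACL; hypothetical types, not the Win32 ACL/ACE layout. */
enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace  { enum ace_type type; const char *user; unsigned mask; };
struct dacl { struct ace aces[16]; int count; };
#define R_READ  0x1u   /* constructed right bits for this model */
#define R_WRITE 0x2u

/* Insert an ACE at index pos, shifting later entries toward the end. */
static int dacl_insert(struct dacl *d, int pos, struct ace a) {
    if (d->count >= 16 || pos < 0 || pos > d->count) return -1;
    memmove(&d->aces[pos + 1], &d->aces[pos], (size_t)(d->count - pos) * sizeof a);
    d->aces[pos] = a;
    d->count++;
    return 0;
}

/* Canonical placement: a deny ACE goes after existing denies but before any allow. */
static int dacl_add_canonical(struct dacl *d, struct ace a) {
    int pos = d->count;
    if (a.type == ACE_DENY)
        for (pos = 0; pos < d->count && d->aces[pos].type == ACE_DENY; pos++) {}
    return dacl_insert(d, pos, a);
}

/* Walk ACEs in order: fail on a deny of a right still needed, stop once all are granted. */
static int access_check(const struct dacl *d, const char *user, unsigned desired) {
    unsigned remaining = desired;
    for (int i = 0; i < d->count && remaining; i++) {
        const struct ace *a = &d->aces[i];
        if (strcmp(a->user, user) != 0) continue;
        if (a->type == ACE_ALLOW) remaining &= ~a->mask;
        else if (a->mask & remaining) return 0;
    }
    return remaining == 0;   /* rights that no ACE granted are denied */
}

/* Constructed scenario: alice already has read/write, then a write deny is added. */
static int write_allowed_after_deny(int canonical) {
    struct dacl d = { .count = 0 };
    struct ace deny = { ACE_DENY, "alice", R_WRITE };
    dacl_insert(&d, 0, (struct ace){ ACE_ALLOW, "alice", R_READ | R_WRITE });
    if (canonical) dacl_add_canonical(&d, deny);
    else dacl_insert(&d, d.count, deny);   /* plain append to the end */
    return access_check(&d, "alice", R_WRITE);
}
int main(void) {
    printf("deny appended: write allowed=%d\ndeny canonical: write allowed=%d\n",
           write_allowed_after_deny(0), write_allowed_after_deny(1));
}
```

In this model a deny appended after an existing allow for the same user never gets evaluated, so after changing a file's DACL it is worth reading the SD back and checking the ACE order as well as the ACE's presence.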
The FileUser demo, along with the information presented in the preceding sections, should give you a clear idea of how data objects (or functionality) can be secured on a Windows NT server application by using the security functions built into NT. Now we will look at another, complementary approach to securing information, which both Windows 98 and NT support fully: encryption.