Is it possible to disallow taking ownership of a file?

Question

I'm curious if there's a way to prevent users (including the ones belonging to the admin group) from taking ownership of a file?

I originally create such file from my service that is running under Local System account. I then set that file's DACL to D:(A;OICI;GA;;;SY) to let only SYSTEM account to have full access, and set my service as an owner:

DWORD dwRes = ::SetNamedSecurityInfo(
    strDataFilePath,
    SE_FILE_OBJECT,
    OWNER_SECURITY_INFORMATION,  // change only the object's owner
    pMyServiceUserSid,           // User SID for my service
    NULL,
    NULL,
    NULL);

But after all that is done I can still take ownership of this file via Windows Explorer as an administrator:

Answer 1

No, this is not possible. The very essence of an account with administrative privileges is that they can do essentially they want. Administrators own the system. They can always take ownership of a file, no matter how you've set the permissions.

All that you're doing is making it more difficult for an administrator to change a file because they have to take ownership first. There is merit in that; it prevents even administrators from making inadvertent changes. No one "accidentally" takes ownership of a file.

The normal workarounds are either to assign everyone non-administrative accounts (which is really what you should be doing anyway), or to encrypt the file using some external means.

Bottom line: don't give people you don't trust administrative access to your machine or your files.

Answer 2

It is not possible to prevent any user with sufficient privileges from taking ownership of a file.

Administrative accounts have (or can grant themselves) any privilege - which means they can do anything they need to, including overriding access controls set by other accounts, including other administrative accounts.

The onus is normally on people using an account with administrative access to avoid doing things that compromise system integrity.

Answer 3

Disclaimer: this won't be too easy.

Assuming that the goal is to prevent administrator's from using built-in OS tools and commonly used 3rd party tools from taking ownership (and you are not concerned about admin's booting alternate OSes, removing drives, and various other threats that require physical access) then the following approach will be robust.

1. Implement the 4 counter measures in this article. By implement I mean work with your vendors to obtain hardware and software that supports the technologies described.
2. Implement a file system filter driver that acts as Early Launch Anti Malware (ELAM) and stops the take ownership operation as needed. I believe the ELAM APIs are not publicly available. If that's true you'll have to work w MS directly to get access.

Without physical access this approach will also (at least by design) defeat malware, including root kits. Note that "physical access" includes locking down remote access controllers like iDRAC and iLO that permit remote access to functionality that is traditionally only available via local access, including boot of an alternate OS via remote media.

If you want a simpler but less robust approach you can implement only the file system filter driver (not as an ELAM).