t-d-k / LibreCrypt

LibreCrypt: Transparent on-the-fly disk encryption for Windows. LUKS compatible.
https://LibreCrypt.tdksoft.co.uk

Allow restricting actions of LibreCrypt via registry #43

Open Magissia opened 8 years ago

Magissia commented 8 years ago

We should be able to restrict specific parts of LibreCrypt via the registry to allow system administrators better management of who can do what.

In this message, containers are defined as crypted files containing the data, volumes are crypted volumes, and disks are crypted disks.

Restrictions could be stored per user in HKCU\Software\Policies\t-d-k\LibreCrypt and per machine in HKLM\Software\Policies\t-d-k\LibreCrypt; obviously the HKLM path will affect all users.

These keys should be available both per user and per machine; if a key is missing, it is treated as true. If some of these settings can be managed by the user themselves, these rules should silently overwrite the user's settings.

Please note this suggestion is bound to #38, as it probably requires rewriting big chunks of code to check these settings correctly. It aims to improve security on multi-user systems.

System is always elevated, as it is not affected by UAC, so we should not need to make an exception to the HKCU or HKLM rules for NT AUTHORITY\System. Users running as NT SERVICE have their own home folder and registry hive like any user, so we should not need to make an exception to the HKCU or HKLM rules for them; an administrator can manage the settings for these services using regedit or policies as usual.

If this project needs a userspace filesystem to mount a container, volume or drive only for one user, we can make use of dokany (open source + signed drivers, works from Win7 to 10).

- AllowMountingContainer
- AllowMountingContainerWithoutElevation (don't require UAC elevation to mount)
- AllowUnmountingContainer
- AllowUnmountingContainerWithoutElevation (don't require UAC elevation to unmount)
- AllowMountingVolume
- AllowUnmountingVolume
- DisallowMountingVolumeWithoutElevation (require elevation for action)
- DisallowUnmountingVolumeWithoutElevation (require elevation for action)
- AllowMountingDisk
- AllowUnmountingDisk
- DisallowMountingDiskWithoutElevation (require elevation for action)
- DisallowUnmountingDiskWithoutElevation (require elevation for action)
- AllowRemovableMediaVolume (includes mounting and unmounting, to prevent data loss)
- AllowRemovableMediaVolumeWithoutElevation (don't require UAC elevation to (un)mount)
- AllowCreatingVolume (if disabled, even administrators cannot create crypted volumes, but can still create containers)
- DisallowCreatingVolumeWithoutElevation
- AllowCreatingDisk (if disabled, even administrators cannot crypt a whole disk, but can still create containers)
- DisallowCreatingDiskWithoutElevation
- AllowCreatingRemovableMediaVolume (same as AllowCreatingVolume, but affects removable media)
- AllowCreatingRemovableMediaVolumeWithoutElevation (don't require UAC elevation for action)
- AllowCreatingRemovableMediaDisk (same as AllowCreatingDisk, but affects removable media)
- AllowCreatingRemovableMediaDiskWithoutElevation (don't require UAC elevation for action)
- MountContainerForCurrentUser (mount containers only for the current user, regardless of user choice)
- MountContainerForAllUsersWithoutElevation (mounting for all users doesn't require UAC elevation)
- AllowMountVolumeForAllUsers (allow user to mount volume for all users)
- AllowMountDiskForAllUsers (allow user to mount disk for all users)
- UnmountingOtherUserContainersRequireElevation (unmounting containers you didn't mount requires elevation)
- UnmountingOtherUserVolumeRequireElevation (unmounting volumes you didn't mount requires elevation)
- UnmountingOtherUserDiskRequireElevation (unmounting disks you didn't mount requires elevation)

HKLM-specific rules:

- UserBeforeMachine (HKCU rules take precedence over HKLM rules in case of conflict)
- SystemMountContainerForAllUsers (containers mounted by NT AUTHORITY\System are mounted for everyone by default)
- SystemMountVolumeForAllUsers (volumes mounted by NT AUTHORITY\System are mounted for everyone by default)
- SystemMountDiskForAllUsers (disks mounted by NT AUTHORITY\System are mounted for all users by default)
- ServiceMountContainerForAllUsers.$ServiceName (containers mounted by $ServiceName are mounted for everyone by default)
- ServiceMountVolumeForAllUsers.$ServiceName (volumes mounted by $ServiceName are mounted for everyone by default)
- ServiceMountDiskForAllUsers.$ServiceName (disks mounted by $ServiceName are mounted for everyone by default)
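The resolution rules proposed above (a missing value is treated as true, HKLM applies to all users and normally wins, UserBeforeMachine flips that), as an added example that is not LibreCrypt code: the two sample hives and the ACTIONS table are constructed for illustration, and a real implementation would read the values through winreg instead of dictionaries.

```python
from typing import Mapping, Tuple

POLICY_PATH = r"Software\Policies\t-d-k\LibreCrypt"  # key path proposed in the issue

# Constructed sample hives, {value name: DWORD}. On Windows these would be read with
# winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_PATH) and HKEY_CURRENT_USER.
HKLM_SAMPLE = {"AllowCreatingDisk": 0, "AllowMountingContainer": 1, "UserBeforeMachine": 0}
HKCU_SAMPLE = {"AllowCreatingDisk": 1, "AllowMountingContainerWithoutElevation": 0}

# Action -> (permission value, elevation value, True if that elevation value being
# true means "elevation required"). The proposal mixes Allow*WithoutElevation
# (true = no elevation needed) with Disallow*WithoutElevation (true = elevation needed).
ACTIONS = {
    "MountingContainer": ("AllowMountingContainer", "AllowMountingContainerWithoutElevation", False),
    "MountingVolume": ("AllowMountingVolume", "DisallowMountingVolumeWithoutElevation", True),
    "CreatingDisk": ("AllowCreatingDisk", "DisallowCreatingDiskWithoutElevation", True),
}


def resolve(name: str, hklm: Mapping[str, int], hkcu: Mapping[str, int]) -> bool:
    """Effective boolean for one policy value: a missing value is true; HKLM wins
    over HKCU unless the HKLM-only UserBeforeMachine flag is set."""
    user_first = bool(hklm.get("UserBeforeMachine", 0))
    machine, user = hklm.get(name), hkcu.get(name)
    if machine is None and user is None:
        return True
    if machine is None:
        return bool(user)
    if user is None:
        return bool(machine)
    return bool(user) if user_first else bool(machine)


def check_action(action: str, hklm: Mapping[str, int], hkcu: Mapping[str, int],
                 elevated: bool) -> Tuple[bool, str]:
    """Decide whether an action may proceed for a caller that is or is not UAC-elevated."""
    allow_name, elev_name, true_means_required = ACTIONS[action]
    if not resolve(allow_name, hklm, hkcu):
        return False, f"{allow_name} is false"
    elev_value = resolve(elev_name, hklm, hkcu)
    needs_elevation = elev_value if true_means_required else not elev_value
    if needs_elevation and not elevated:
        return False, f"{elev_name} requires UAC elevation"
    return True, "allowed"


if __name__ == "__main__":
    for action in ACTIONS:
        for elevated in (False, True):
            state = "elevated" if elevated else "unelevated"
            print(action, state, check_action(action, HKLM_SAMPLE, HKCU_SAMPLE, elevated))
```

Note that with "missing means true", an absent Disallow*WithoutElevation value defaults to requiring elevation, while an absent Allow*WithoutElevation value defaults to not requiring it; the mixed naming makes the defaults differ per action.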

t-d-k commented 8 years ago

Do you mean to do a check in the driver or application? If in the application, Windows Group Policies can already do that. If in the driver, this wouldn't help #38 because any malicious app would probably run under the user's account anyway.