How in Windows to restrict access of applications to files?

There is a desire in Windows to restrict access to individual applications to files.
As I imagine it in a minimal version:
- there is a list in which for every exe file contains the files in which directories it is possible to read and what to write;
- has a driver (?), which intercepts the calls of WinAPI "open file", checks the list and if the directory is not available, returns an error code of "access denied".

I am sure that there must be ready for this task. Please advise.
April 7th 20 at 11:00
5 answers
April 7th 20 at 11:02
Solution
Read about APPLocker or Controlled folder access in WIndows Defender is
this is what you need.
Controlled access folder -- as I understand the description, not quite that, but more or less from the desired category. Thank you. However, too simple settings and works only in 10-ke, and me for 7 key is also necessary. But for lack of a better need to try. - Reyes_Moen commented on April 7th 20 at 11:05
April 7th 20 at 11:04
https://staffcounter.net/ru/dlp/
able to restrict access to the job search ##.exe to the tracks on the mask. for example, you may prohibit the browser or Skype to access files outside their profile folders - i.e. user will not be able to predacity file, send it to the cloud. disk or send on Skype.
April 7th 20 at 11:06
Your defense is circumvented by a call to some other programs.
If the directory with the archive of photos can only read smotrelka pictures, and write only filemanager, as vagrants Trojan cryptographer will be able to roam? - Reyes_Moen commented on April 7th 20 at 11:09
@Reyes_Moen, If the program uses the standard dialog "Open file", this file can be an executable (. exe). In the menu, except the "Select" may be "Open". - laurianne commented on April 7th 20 at 11:12
April 7th 20 at 11:08
There are ACLs on the NTFS level to assign to a particular group of special permissions.
No driver needed, everything is solved at the OS level.

Another good practice this assignment via group policy list of allowed applications to run and an appointment as a shell, for example, a customer or 1C WKS (workstation)

Describe your task and not your vision of how it can be implemented
You offer not. Your solution is how to restrict the user, I want one user to control access to files with specific applications.

This is not some objective "for business", and the result of paranoia about what apps are doing who knows what. Similar concerns about uncontrolled access to the network, I authorize the program "Windows Firewall Control", and to control access to files while nothing found.

Example: if I have on CD is bordovy the file, then the graphics driver to read absolutely no reason (regardless of the reason: whether hackers exploited a hole in the driver, whether the driver manufacturer's spying, or some kind of virus in driver finish). - Reyes_Moen commented on April 7th 20 at 11:11
@Reyes_Moen, Start this application from the individual user, it is standard practice. Even better run in virtual reality.

Or go to the SELINUX system, there is such a perversion - Celine56 commented on April 7th 20 at 11:14
Yes, to impose restrictions on the user - it is indeed standard practice. However, practice shows that this practice does not meet the requirements - for example, in Android there is only one user, and access is by application. - Thora.Erns commented on April 7th 20 at 11:17
@Thora.Erns, You're a little do not know or confuse the terminology. In Android have multi-user mode
https://source.android.com/devices/tech/admin/mult...

Each application runs in a sandbox details here
https://source.android.com/security/overview/app-s...

In windows, a slightly different scenario so the security model simpler
https://www.winhelponline.com/blog/control-apps-ac...

The author of the same topic, or tablets from paranoia, or to study the architecture of windows. But I think just read the so-called "Security Expert's" - Celine56 commented on April 7th 20 at 11:20
@Celine56, I think this paranoia is justified, so no pills!
What architecture of windows is not that it is impossible to do as I want? - Reyes_Moen commented on April 7th 20 at 11:23
@Reyes_Moen, to Teach for a long time

And no who you are lets create a filter driver of the file system, load the data into the access list and is filtered to the extent of your paranoia.

https://docs.microsoft.com/en-us/windows-hardware/... - Celine56 commented on April 7th 20 at 11:26
@Celine56, the Standard scheme of using mobile - etnopoliticheskaia, and the protection is at the application level. The mechanism of this protection - Yes, "sandbox"; this causes great problems when you need to share some data between multiple applications without access privileges of other applications. - Thora.Erns commented on April 7th 20 at 11:29
@Celine56, it is clear that most can write. Although there are possible hemorrhoids with driver signing, etc.
Surprisingly, no ready. The idea is not so much exotic. - Reyes_Moen commented on April 7th 20 at 11:32
April 7th 20 at 11:10
You need a protection program against unauthorized access

Find more questions by tags System administrationWindowsInformation security