Since this is ultimately covered by the [MS-CFB] Open Specification document, I will present some examples of using Python to alter Windows-specific file-system security.

Python provides a means for native file manipulation using the win32security module. This module allows the application in question to call the relevant Win32 Security API functions, and the function names correspond exactly to the security API function names found in the Windows API. These functions are documented on MSDN at the following URL: http://msdn.microsoft.com/en-us/library/aa375742(v=VS.85).aspx. However, the module only implements a subset of these functions; the full list of supported functions can be found here: http://docs.activestate.com/activepython/2.4/pywin32/win32security.html.

Displaying the current file-system controls of a file
import win32security

FILE = r"C:\Temp\VerifySchTask.txt"

# obtain the security descriptor (owner information) of the file
secdesc = win32security.GetFileSecurity(FILE, win32security.OWNER_SECURITY_INFORMATION)

# the secdesc object now contains everything we need in regards to file permissions.
# we can now call any of the various win32 security api functions.

# for example, let's get the owner's sid:
osid = secdesc.GetSecurityDescriptorOwner()
# display owner sid
print osid

# now let's just dump the security descriptor object to view
print secdesc

Altering the ACL of a File

import win32security

FILE = r"C:\Temp\VerifySchTask.txt"

# fetch the descriptor together with its DACL; modify the DACL here as required before writing it back
secdesc = win32security.GetFileSecurity(FILE, win32security.DACL_SECURITY_INFORMATION)

# apply the security descriptor to the aforementioned file.
win32security.SetFileSecurity(FILE, win32security.DACL_SECURITY_INFORMATION, secdesc)

Encryption
The contents of the file can be encrypted and stored in user-defined streams. In fact, if you review [MS-OFFCRYPTO], you will see this is how the latest version of Office 2010 works: it takes the XML content and stores it in a special stream that contains the encrypted form of the working document. However, it is much easier to store the file on a file-system that is encrypted (on Windows you have BitLocker, EFS, etc.). If you do wish to implement your own security mechanism, review the \EncryptedPackage stream structure as defined in [MS-OFFCRYPTO]. This stream contains the entire Office document in compressed and encrypted form.
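The ACL-altering sequence above and the EFS option mentioned in this section, worked through as an added example that is not part of the original post: it audits a file's DACL for write grants to broad well-known groups, then rewrites the DACL as owner-only (blocking inheritance via SetNamedSecurityInfo rather than the SetFileSecurity call shown above) and asks EFS to encrypt the file. The function names, the path argument and the constructed ACE lists in the test are my own; the SDK constants, SIDs and pywin32 calls are real, and the mask helpers deliberately avoid pywin32 so they also run off-Windows.

```python
# Audit a file's DACL, lock it to its owner and EFS-encrypt it via pywin32.
try:
    import win32security, win32file
    import ntsecuritycon as con
except ImportError:  # non-Windows host: only the pure-Python mask helpers are usable
    win32security = win32file = con = None

# Access-mask bits as defined by the Windows SDK, restated so the mask checks run without pywin32.
FILE_WRITE_DATA, FILE_APPEND_DATA = 0x0002, 0x0004
WRITE_DAC, WRITE_OWNER = 0x00040000, 0x00080000
GENERIC_WRITE, GENERIC_ALL = 0x40000000, 0x10000000
WRITE_BITS = FILE_WRITE_DATA | FILE_APPEND_DATA | WRITE_DAC | WRITE_OWNER | GENERIC_WRITE | GENERIC_ALL
ACCESS_ALLOWED_ACE_TYPE = 0
# Well-known SIDs whose write access on a document usually signals a misconfiguration.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-545": "Users"}

def grants_write(ace_type, mask):
    """True when an allow ACE carries a bit that lets the trustee modify data or the ACL."""
    return ace_type == ACCESS_ALLOWED_ACE_TYPE and bool(mask & WRITE_BITS)

def find_broad_write_aces(aces):
    """aces: iterable of (ace_type, mask, sid_string); returns offending (sid, name, mask)."""
    return [(sid, BROAD_SIDS[sid], mask) for ace_type, mask, sid in aces
            if sid in BROAD_SIDS and grants_write(ace_type, mask)]

def dump_dacl(path):
    """Flatten the file's DACL to (ace_type, mask, sid_string) tuples."""
    sd = win32security.GetFileSecurity(path, win32security.DACL_SECURITY_INFORMATION)
    dacl = sd.GetSecurityDescriptorDacl()
    if dacl is None:  # NULL DACL: no protection at all, equivalent to Everyone:Full Control
        return [(ACCESS_ALLOWED_ACE_TYPE, GENERIC_ALL, "S-1-1-0")]
    aces = []
    for i in range(dacl.GetAceCount()):
        (ace_type, _flags), mask, sid = dacl.GetAce(i)  # file ACEs are non-object ACEs
        aces.append((ace_type, mask, win32security.ConvertSidToStringSid(sid)))
    return aces

def harden_document(path):
    """Replace the DACL with owner-only full control, block inheritance, then EFS-encrypt."""
    sd = win32security.GetFileSecurity(path, win32security.OWNER_SECURITY_INFORMATION)
    dacl = win32security.ACL()
    dacl.AddAccessAllowedAce(win32security.ACL_REVISION, con.FILE_ALL_ACCESS,
                             sd.GetSecurityDescriptorOwner())
    win32security.SetNamedSecurityInfo(
        path, win32security.SE_FILE_OBJECT,
        win32security.DACL_SECURITY_INFORMATION | win32security.PROTECTED_DACL_SECURITY_INFORMATION,
        None, None, dacl, None)
    win32file.EncryptFile(path)  # EFS: the file system stores the file encrypted
```

Run find_broad_write_aces(dump_dacl(path)) before and after harden_document(path); the list should be empty afterwards, and any NULL DACL shows up as an Everyone entry.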