#include "winlogon.h"
Include dependency graph for security.c:
Go to the source code of this file.
Functions | |
| PSECURITY_DESCRIPTOR | ConvertToSelfRelative (_In_ PSECURITY_DESCRIPTOR AbsoluteSd) |
| Converts an absolute security descriptor to a self-relative format. | |
| BOOL | CreateWinstaSecurity (_Out_ PSECURITY_DESCRIPTOR *WinstaSd) |
| Creates a security descriptor for the default window station upon its creation. | |
| BOOL | CreateApplicationDesktopSecurity (_Out_ PSECURITY_DESCRIPTOR *ApplicationDesktopSd) |
| Creates a security descriptor for the default application desktop upon its creation. | |
| BOOL | CreateWinlogonDesktopSecurity (_Out_ PSECURITY_DESCRIPTOR *WinlogonDesktopSd) |
| Creates a security descriptor for the default Winlogon desktop. This descriptor serves as a security measure for the winlogon desktop so that only Winlogon itself (and admins) can interact with it. | |
| BOOL | CreateScreenSaverSecurity (_Out_ PSECURITY_DESCRIPTOR *ScreenSaverDesktopSd) |
| Creates a security descriptor for the screen saver desktop. | |
| BOOL | AllowWinstaAccessToUser (_In_ HWINSTA WinSta, _In_ PSID LogonSid) |
| Assigns access to the specific logon user to the default window station. Such access is given to the user when it has logged in. | |
| BOOL | AllowDesktopAccessToUser (_In_ HDESK Desktop, _In_ PSID LogonSid) |
| Assigns access to the specific logon user to the default desktop. Such access is given to the user when it has logged in. | |
| BOOL | AllowAccessOnSession (_In_ PWLSESSION Session) |
| Assigns both window station and desktop access to the specific session currently active on the system. | |
Variables | |
| static SID_IDENTIFIER_AUTHORITY | NtAuthority = {SECURITY_NT_AUTHORITY} |
Macro Definition Documentation
◆ DESKTOP_ADMINS_LIMITED
| #define DESKTOP_ADMINS_LIMITED |
Value:
Definition at line 19 of file security.c.
◆ DESKTOP_ALL
| #define DESKTOP_ALL |
Value:
Definition at line 14 of file security.c.
◆ DESKTOP_INTERACTIVE_LIMITED
| #define DESKTOP_INTERACTIVE_LIMITED |
Value:
Definition at line 22 of file security.c.
◆ DESKTOP_WINLOGON_ADMINS_LIMITED
| #define DESKTOP_WINLOGON_ADMINS_LIMITED (STANDARD_RIGHTS_REQUIRED | DESKTOP_ENUMERATE) |
Definition at line 25 of file security.c.
◆ GENERIC_ACCESS
| #define GENERIC_ACCESS |
Value:
(GENERIC_READ | GENERIC_WRITE | \
Definition at line 35 of file security.c.
◆ WINSTA_ADMINS_LIMITED
| #define WINSTA_ADMINS_LIMITED (WINSTA_READATTRIBUTES | WINSTA_ENUMERATE) |
Definition at line 33 of file security.c.
◆ WINSTA_ALL
| #define WINSTA_ALL |
Value:
Definition at line 27 of file security.c.
Function Documentation
◆ AllowAccessOnSession()
| BOOL AllowAccessOnSession | ( | _In_ PWLSESSION | Session | ) |
Assigns both window station and desktop access to the specific session currently active on the system.
- Parameters
-
[in] Session A pointer to an active session.
- Returns
- Returns TRUE if the function has successfully assigned access to the current session, FALSE otherwise.
Definition at line 1392 of file security.c.
1394{
1398 PSID LogonSid;
1399
1400 /* Get required buffer size and allocate the TOKEN_GROUPS buffer */
1402 TokenGroups,
1403 TokenGroup,
1404 0,
1405 &GroupsLength))
1406 {
1408 {
1409 ERR("AllowAccessOnSession(): Unexpected error code returned, must be ERROR_INSUFFICIENT_BUFFER (error code %lu)\n", GetLastError());
1411 }
1412
1415 {
1418 }
1419 }
1420
1421 /* Get the token group information from the access token */
1423 TokenGroups,
1424 TokenGroup,
1425 GroupsLength,
1426 &GroupsLength))
1427 {
1428 ERR("AllowAccessOnSession(): Failed to retrieve the token group information (error code %lu)\n", GetLastError());
1429 goto Quit;
1430 }
1431
1432 /* Loop through the groups to find the logon SID */
1434 {
1436 == SE_GROUP_LOGON_ID)
1437 {
1439 break;
1440 }
1441 }
1442
1443 /* Allow window station access to this user within this session */
1445 {
1447 goto Quit;
1448 }
1449
1450 /* Allow application desktop access to this user within this session */
1452 {
1453 ERR("AllowAccessOnSession(): Failed to allow application desktop access to the logon user!\n");
1454 goto Quit;
1455 }
1456
1457 /* Get the length of this logon SID */
1458 SidLength = GetLengthSid(LogonSid);
1459
1460 /* Assign the window station to this logged in user */
1462 &Session->LogonId,
1463 LogonSid,
1464 SidLength))
1465 {
1467 goto Quit;
1468 }
1469
1471
1472Quit:
1474 {
1475 RtlFreeHeap(RtlGetProcessHeap(), 0, TokenGroup);
1476 }
1477
1479}
BOOL AllowWinstaAccessToUser(_In_ HWINSTA WinSta, _In_ PSID LogonSid)
Assigns access to the specific logon user to the default window station. Such access is given to the ...
Definition: security.c:875
BOOL AllowDesktopAccessToUser(_In_ HDESK Desktop, _In_ PSID LogonSid)
Assigns access to the specific logon user to the default desktop. Such access is given to the user wh...
Definition: security.c:1166
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:616
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:634
BOOL WINAPI GetTokenInformation(HANDLE TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, LPVOID TokenInformation, DWORD TokenInformationLength, PDWORD ReturnLength)
Definition: security.c:411
Definition: ms-dtyp.idl:198
Definition: setypes.h:1025
BOOL WINAPI SetWindowStationUser(IN HWINSTA hWindowStation, IN PLUID pluid, IN PSID psid OPTIONAL, IN DWORD size)
Definition: winsta.c:419
Referenced by HandleLogon().
◆ AllowDesktopAccessToUser()
Assigns access to the specific logon user to the default desktop. Such access is given to the user when it has logged in.
- Parameters
-
[in] Desktop A handle to a desktop where the user is given access to it. [in] LogonSid A pointer to a logon SID that represents the logged in user in question.
- Returns
- Returns TRUE if the function has successfully assigned access to the user, FALSE otherwise.
Definition at line 1166 of file security.c.
1169{
1171 SECURITY_DESCRIPTOR AbsoluteSd;
1173 PSID WinlogonSid = NULL, AdminsSid = NULL, InteractiveSid = NULL, NetworkServiceSid = NULL; /* NetworkServiceSid is a HACK, see the comment in CreateWinstaSecurity for information */
1177
1178 /* Create the Winlogon SID */
1180 1,
1182 0, 0, 0, 0, 0, 0, 0,
1183 &WinlogonSid))
1184 {
1185 ERR("AllowDesktopAccessToUser(): Failed to create the Winlogon SID (error code %lu)\n", GetLastError());
1187 }
1188
1189 /* Create the admins SID */
1191 2,
1193 DOMAIN_ALIAS_RID_ADMINS,
1194 0, 0, 0, 0, 0, 0,
1195 &AdminsSid))
1196 {
1197 ERR("AllowDesktopAccessToUser(): Failed to create the admins SID (error code %lu)\n", GetLastError());
1198 goto Quit;
1199 }
1200
1201 /* Create the interactive logon SID */
1203 1,
1204 SECURITY_INTERACTIVE_RID,
1205 0, 0, 0, 0, 0, 0, 0,
1206 &InteractiveSid))
1207 {
1208 ERR("AllowDesktopAccessToUser(): Failed to create the interactive SID (error code %lu)\n", GetLastError());
1209 goto Quit;
1210 }
1211
1212 /* HACK: Create the network service SID */
1214 1,
1216 0, 0, 0, 0, 0, 0, 0,
1217 &NetworkServiceSid))
1218 {
1219 ERR("AllowDesktopAccessToUser(): Failed to create the network service SID (error code %lu)\n", GetLastError());
1220 goto Quit;
1221 }
1222
1223 /*
1224 * Build up the DACL size. This includes a number
1225 * of four ACEs of four different SIDs. The first ACE
1226 * gives full desktop access to Winlogon, the second one gives
1227 * generic limited desktop access to admins. The last two give
1228 * full power to both interactive logon users and logon user as
1229 * well.
1230 */
1237
1238 /* Allocate the DACL now */
1240 HEAP_ZERO_MEMORY,
1241 DaclSize);
1243 {
1245 goto Quit;
1246 }
1247
1248 /* Initialize it */
1250 {
1251 ERR("AllowDesktopAccessToUser(): Failed to initialize DACL (error code %lu)\n", GetLastError());
1252 goto Quit;
1253 }
1254
1255 /* First ACE -- Give full desktop access to Winlogon */
1257 ACL_REVISION,
1258 0,
1259 DESKTOP_ALL,
1260 WinlogonSid))
1261 {
1262 ERR("AllowDesktopAccessToUser(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
1263 goto Quit;
1264 }
1265
1266 /* Second ACE -- Give limited desktop access to admins */
1268 ACL_REVISION,
1269 0,
1270 DESKTOP_ADMINS_LIMITED,
1271 AdminsSid))
1272 {
1273 ERR("AllowDesktopAccessToUser(): Failed to set ACE for admins (error code %lu)\n", GetLastError());
1274 goto Quit;
1275 }
1276
1277 /* Third ACE -- Give full desktop access to interactive logon users */
1279 ACL_REVISION,
1280 0,
1281 DESKTOP_ALL,
1282 InteractiveSid))
1283 {
1284 ERR("AllowDesktopAccessToUser(): Failed to set ACE for interactive SID (error code %lu)\n", GetLastError());
1285 goto Quit;
1286 }
1287
1288 /* Fourth ACE -- Give full desktop access to logon user */
1290 ACL_REVISION,
1291 0,
1292 DESKTOP_ALL,
1293 LogonSid))
1294 {
1295 ERR("AllowDesktopAccessToUser(): Failed to set ACE for logon user SID (error code %lu)\n", GetLastError());
1296 goto Quit;
1297 }
1298
1299 /* HACK: Fifth ACE -- Give full desktop to network services */
1301 ACL_REVISION,
1302 0,
1303 DESKTOP_ALL,
1304 NetworkServiceSid))
1305 {
1306 ERR("AllowDesktopAccessToUser(): Failed to set ACE for network service SID (error code %lu)\n", GetLastError());
1307 goto Quit;
1308 }
1309
1310 /* Initialize the security descriptor */
1312 {
1313 ERR("AllowDesktopAccessToUser(): Failed to initialize absolute security descriptor (error code %lu)\n", GetLastError());
1314 goto Quit;
1315 }
1316
1317 /* Set the DACL to the descriptor */
1319 {
1320 ERR("AllowDesktopAccessToUser(): Failed to set up DACL to absolute security descriptor (error code %lu)\n", GetLastError());
1321 goto Quit;
1322 }
1323
1324 /* Conver it to self-relative format */
1325 RelativeSd = ConvertToSelfRelative(&AbsoluteSd);
1327 {
1328 ERR("AllowDesktopAccessToUser(): Failed to convert security descriptor to self relative format!\n");
1329 goto Quit;
1330 }
1331
1332 /* Assign new security to desktop based on this descriptor */
1335 {
1336 ERR("AllowDesktopAccessToUser(): Failed to set desktop security descriptor (error code %lu)\n", GetLastError());
1337 goto Quit;
1338 }
1339
1341
1342Quit:
1344 {
1345 FreeSid(WinlogonSid);
1346 }
1347
1349 {
1350 FreeSid(AdminsSid);
1351 }
1352
1354 {
1356 }
1357
1358 /* HACK */
1360 {
1362 }
1363 /* END HACK */
1364
1366 {
1368 }
1369
1371 {
1372 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
1373 }
1374
1376}
PSECURITY_DESCRIPTOR ConvertToSelfRelative(_In_ PSECURITY_DESCRIPTOR AbsoluteSd)
Converts an absolute security descriptor to a self-relative format.
Definition: security.c:64
BOOL WINAPI AllocateAndInitializeSid(PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority, BYTE nSubAuthorityCount, DWORD nSubAuthority0, DWORD nSubAuthority1, DWORD nSubAuthority2, DWORD nSubAuthority3, DWORD nSubAuthority4, DWORD nSubAuthority5, DWORD nSubAuthority6, DWORD nSubAuthority7, PSID *pSid)
Definition: security.c:674
BOOL WINAPI InitializeAcl(PACL pAcl, DWORD nAclLength, DWORD dwAclRevision)
Definition: security.c:1006
BOOL WINAPI InitializeSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor, DWORD dwRevision)
Definition: security.c:929
BOOL WINAPI AddAccessAllowedAceEx(PACL pAcl, DWORD dwAceRevision, DWORD AceFlags, DWORD AccessMask, PSID pSid)
Definition: security.c:1063
_Must_inspect_result_ _In_ PFILE_OBJECT _In_ SECURITY_INFORMATION SecurityInformation
Definition: fltkernel.h:1340
struct _ACL ACL
struct _ACCESS_ALLOWED_ACE ACCESS_ALLOWED_ACE
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1625
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG DaclSize
Definition: rtlfuncs.h:1626
BOOL WINAPI SetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, BOOL bDaclPresent, PACL pDacl, BOOL bDaclDefaulted)
Definition: sec.c:262
Definition: globals.h:228
Definition: ms-dtyp.idl:215
Definition: ms-dtyp.idl:293
Definition: ms-dtyp.idl:301
BOOL WINAPI SetUserObjectSecurity(_In_ HANDLE, _In_ PSECURITY_INFORMATION, _In_ PSECURITY_DESCRIPTOR)
Referenced by AllowAccessOnSession().
◆ AllowWinstaAccessToUser()
Assigns access to the specific logon user to the default window station. Such access is given to the user when it has logged in.
- Parameters
-
[in] WinSta A handle to a window station where the user is given access to it. [in] LogonSid A pointer to a logon SID that represents the logged in user in question.
- Returns
- Returns TRUE if the function has successfully assigned access to the user, FALSE otherwise.
Definition at line 875 of file security.c.
878{
880 SECURITY_DESCRIPTOR AbsoluteSd;
882 PSID WinlogonSid = NULL, AdminsSid = NULL, InteractiveSid = NULL, NetworkServiceSid = NULL; /* NetworkServiceSid is a HACK, see the comment in CreateWinstaSecurity for information */
886
887 /* Create the Winlogon SID */
889 1,
891 0, 0, 0, 0, 0, 0, 0,
892 &WinlogonSid))
893 {
894 ERR("AllowWinstaAccessToUser(): Failed to create the Winlogon SID (error code %lu)\n", GetLastError());
896 }
897
898 /* Create the admins SID */
900 2,
903 0, 0, 0, 0, 0, 0,
904 &AdminsSid))
905 {
906 ERR("AllowWinstaAccessToUser(): Failed to create the admins SID (error code %lu)\n", GetLastError());
907 goto Quit;
908 }
909
910 /* Create the interactive logon SID */
912 1,
914 0, 0, 0, 0, 0, 0, 0,
915 &InteractiveSid))
916 {
917 ERR("AllowWinstaAccessToUser(): Failed to create the interactive SID (error code %lu)\n", GetLastError());
918 goto Quit;
919 }
920
921 /* HACK: Create the network service SID */
923 1,
925 0, 0, 0, 0, 0, 0, 0,
926 &NetworkServiceSid))
927 {
928 ERR("AllowWinstaAccessToUser(): Failed to create the network service SID (error code %lu)\n", GetLastError());
929 goto Quit;
930 }
931
932 /*
933 * Build up the DACL size. This includes a number
934 * of eight ACEs of four different SIDs. The first ACE
935 * gives full winsta access to Winlogon, the second one gives
936 * generic access to Winlogon. Such approach is the same
937 * for both interactive logon users and logon user as well.
938 * Only admins are given limited powers.
939 */
951
952 /* Allocate the DACL now */
954 HEAP_ZERO_MEMORY,
955 DaclSize);
957 {
959 goto Quit;
960 }
961
962 /* Initialize it */
964 {
966 goto Quit;
967 }
968
969 /* First ACE -- Give full winsta access to Winlogon */
971 ACL_REVISION,
973 WINSTA_ALL,
974 WinlogonSid))
975 {
976 ERR("AllowWinstaAccessToUser(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
977 goto Quit;
978 }
979
980 /* Second ACE -- Give generic access to Winlogon */
982 ACL_REVISION,
984 GENERIC_ACCESS,
985 WinlogonSid))
986 {
987 ERR("AllowWinstaAccessToUser(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
988 goto Quit;
989 }
990
991 /* Third ACE -- Give limited winsta access to admins */
993 ACL_REVISION,
996 AdminsSid))
997 {
998 ERR("AllowWinstaAccessToUser(): Failed to set ACE for admins (error code %lu)\n", GetLastError());
999 goto Quit;
1000 }
1001
1002 /* Fourth ACE -- Give limited desktop access to admins */
1004 ACL_REVISION,
1006 DESKTOP_ADMINS_LIMITED,
1007 AdminsSid))
1008 {
1009 ERR("AllowWinstaAccessToUser(): Failed to set ACE for admins (error code %lu)\n", GetLastError());
1010 goto Quit;
1011 }
1012
1013 /* Fifth ACE -- Give full winsta access to interactive logon users */
1015 ACL_REVISION,
1016 NO_PROPAGATE_INHERIT_ACE,
1017 WINSTA_ALL,
1018 InteractiveSid))
1019 {
1020 ERR("AllowWinstaAccessToUser(): Failed to set ACE for interactive SID (error code %lu)\n", GetLastError());
1021 goto Quit;
1022 }
1023
1024 /* Sixth ACE -- Give generic access to interactive logon users */
1026 ACL_REVISION,
1028 GENERIC_ACCESS,
1029 InteractiveSid))
1030 {
1031 ERR("AllowWinstaAccessToUser(): Failed to set ACE for interactive SID (error code %lu)\n", GetLastError());
1032 goto Quit;
1033 }
1034
1035 /* Seventh ACE -- Give full winsta access to logon user */
1037 ACL_REVISION,
1038 NO_PROPAGATE_INHERIT_ACE,
1039 WINSTA_ALL,
1040 LogonSid))
1041 {
1042 ERR("AllowWinstaAccessToUser(): Failed to set ACE for logon user SID (error code %lu)\n", GetLastError());
1043 goto Quit;
1044 }
1045
1046 /* Eighth ACE -- Give generic access to logon user */
1048 ACL_REVISION,
1050 GENERIC_ACCESS,
1051 LogonSid))
1052 {
1053 ERR("AllowWinstaAccessToUser(): Failed to set ACE for logon user SID (error code %lu)\n", GetLastError());
1054 goto Quit;
1055 }
1056
1057 /* HACK : Ninenth ACE -- Give full winsta access to network services */
1059 ACL_REVISION,
1060 NO_PROPAGATE_INHERIT_ACE,
1061 WINSTA_ALL,
1062 NetworkServiceSid))
1063 {
1064 ERR("AllowWinstaAccessToUser(): Failed to set ACE for logon network service SID (error code %lu)\n", GetLastError());
1065 goto Quit;
1066 }
1067
1068 /* HACK: Tenth ACE -- Give generic access to network services */
1070 ACL_REVISION,
1072 GENERIC_ACCESS,
1073 NetworkServiceSid))
1074 {
1075 ERR("AllowWinstaAccessToUser(): Failed to set ACE for network service SID (error code %lu)\n", GetLastError());
1076 goto Quit;
1077 }
1078
1079 /* Initialize the security descriptor */
1081 {
1082 ERR("AllowWinstaAccessToUser(): Failed to initialize absolute security descriptor (error code %lu)\n", GetLastError());
1083 goto Quit;
1084 }
1085
1086 /* Set the DACL to descriptor */
1088 {
1089 ERR("AllowWinstaAccessToUser(): Failed to set up DACL to absolute security descriptor (error code %lu)\n", GetLastError());
1090 goto Quit;
1091 }
1092
1093 /* Convert it to self-relative format */
1094 RelativeSd = ConvertToSelfRelative(&AbsoluteSd);
1096 {
1097 ERR("AllowWinstaAccessToUser(): Failed to convert security descriptor to self relative format!\n");
1098 goto Quit;
1099 }
1100
1101 /* Set new winsta security based on this descriptor */
1104 {
1105 ERR("AllowWinstaAccessToUser(): Failed to set window station security descriptor (error code %lu)\n", GetLastError());
1106 goto Quit;
1107 }
1108
1110
1111Quit:
1113 {
1114 FreeSid(WinlogonSid);
1115 }
1116
1118 {
1119 FreeSid(AdminsSid);
1120 }
1121
1123 {
1125 }
1126
1127 /* HACK */
1129 {
1131 }
1132 /* END HACK */
1133
1135 {
1137 }
1138
1140 {
1141 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
1142 }
1143
1145}
Referenced by AllowAccessOnSession().
◆ ConvertToSelfRelative()
| PSECURITY_DESCRIPTOR ConvertToSelfRelative | ( | _In_ PSECURITY_DESCRIPTOR | AbsoluteSd | ) |
Converts an absolute security descriptor to a self-relative format.
- Parameters
-
[in] AbsoluteSd A pointer to an absolute security descriptor to be converted.
- Returns
- Returns a pointer to a converted security descriptor in self-relative format. If the function fails, NULL is returned otherwise.
- Remarks
- The function allocates the security descriptor buffer in memory heap, the caller is entirely responsible for freeing such buffer from when it's no longer needed.
Definition at line 64 of file security.c.
66{
67 PSECURITY_DESCRIPTOR RelativeSd;
68 DWORD DescriptorLength = 0;
69
70 /* Determine the size for allocating our buffer */
73 {
76 }
77
78 /* Allocate the buffer now */
79 RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(),
80 HEAP_ZERO_MEMORY,
81 DescriptorLength);
83 {
86 }
87
88 /* Convert the security descriptor now */
90 {
91 ERR("ConvertToSelfRelative(): Failed to convert the security descriptor to a self relative format (error %lu)\n", GetLastError());
92 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
94 }
95
96 return RelativeSd;
97}
BOOL WINAPI MakeSelfRelativeSD(PSECURITY_DESCRIPTOR pAbsoluteSecurityDescriptor, PSECURITY_DESCRIPTOR pSelfRelativeSecurityDescriptor, LPDWORD lpdwBufferLength)
Definition: sec.c:214
Referenced by AllowDesktopAccessToUser(), AllowWinstaAccessToUser(), CreateApplicationDesktopSecurity(), CreateScreenSaverSecurity(), CreateWinlogonDesktopSecurity(), and CreateWinstaSecurity().
◆ CreateApplicationDesktopSecurity()
| BOOL CreateApplicationDesktopSecurity | ( | _Out_ PSECURITY_DESCRIPTOR * | ApplicationDesktopSd | ) |
Creates a security descriptor for the default application desktop upon its creation.
- Parameters
-
[out] ApplicationDesktopSd A pointer to a created security descriptor for the application desktop.
- Returns
- Returns TRUE if the function has successfully created the security descriptor, FALSE otherwise.
Definition at line 360 of file security.c.
362{
364 SECURITY_DESCRIPTOR AbsoluteSd;
366 PSID WinlogonSid = NULL, AdminsSid = NULL, NetworkServiceSid = NULL; /* NetworkServiceSid is a HACK, see the comment in CreateWinstaSecurity for information */
369
370 /* Create the Winlogon SID */
372 1,
374 0, 0, 0, 0, 0, 0, 0,
375 &WinlogonSid))
376 {
377 ERR("CreateApplicationDesktopSecurity(): Failed to create the Winlogon SID (error code %lu)\n", GetLastError());
379 }
380
381 /* Create the admins SID */
383 2,
386 0, 0, 0, 0, 0, 0,
387 &AdminsSid))
388 {
389 ERR("CreateApplicationDesktopSecurity(): Failed to create the admins SID (error code %lu)\n", GetLastError());
390 goto Quit;
391 }
392
393 /* HACK: Create the network service SID */
395 1,
397 0, 0, 0, 0, 0, 0, 0,
398 &NetworkServiceSid))
399 {
400 ERR("CreateApplicationDesktopSecurity(): Failed to create the network service SID (error code %lu)\n", GetLastError());
401 goto Quit;
402 }
403
404 /*
405 * Build up the DACL size. This includes a number
406 * of two ACEs of two different SIDs. The first ACE
407 * gives full access to Winlogon, the last one gives
408 * limited desktop access to admins.
409 */
414
415 /* Allocate the DACL now */
417 HEAP_ZERO_MEMORY,
418 DaclSize);
420 {
422 goto Quit;
423 }
424
425 /* Initialize it */
427 {
428 ERR("CreateApplicationDesktopSecurity(): Failed to initialize DACL (error code %lu)\n", GetLastError());
429 goto Quit;
430 }
431
432 /* First ACE -- Give full desktop power to Winlogon */
434 ACL_REVISION,
435 0,
436 DESKTOP_ALL,
437 WinlogonSid))
438 {
439 ERR("CreateApplicationDesktopSecurity(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
440 goto Quit;
441 }
442
443 /* Second ACE -- Give limited desktop power to admins */
445 ACL_REVISION,
446 0,
448 AdminsSid))
449 {
450 ERR("CreateApplicationDesktopSecurity(): Failed to set ACE for admins (error code %lu)\n", GetLastError());
451 goto Quit;
452 }
453
454 /* HACK: Third ACE -- Give full desktop power to network services */
456 ACL_REVISION,
457 0,
458 DESKTOP_ALL,
459 NetworkServiceSid))
460 {
461 ERR("CreateApplicationDesktopSecurity(): Failed to set ACE for network services (error code %lu)\n", GetLastError());
462 goto Quit;
463 }
464
465 /* Initialize the security descriptor */
467 {
468 ERR("CreateApplicationDesktopSecurity(): Failed to initialize absolute security descriptor (error code %lu)\n", GetLastError());
469 goto Quit;
470 }
471
472 /* Set the DACL to the descriptor */
474 {
475 ERR("CreateApplicationDesktopSecurity(): Failed to set up DACL to absolute security descriptor (error code %lu)\n", GetLastError());
476 goto Quit;
477 }
478
479 /* Conver it to self-relative format */
480 RelativeSd = ConvertToSelfRelative(&AbsoluteSd);
482 {
483 ERR("CreateApplicationDesktopSecurity(): Failed to convert security descriptor to self relative format!\n");
484 goto Quit;
485 }
486
487 /* Give the descriptor to the caller */
488 *ApplicationDesktopSd = RelativeSd;
490
491Quit:
493 {
494 FreeSid(WinlogonSid);
495 }
496
498 {
499 FreeSid(AdminsSid);
500 }
501
502 /* HACK */
504 {
506 }
507 /* END HACK */
508
510 {
512 }
513
515 {
517 {
518 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
519 }
520 }
521
523}
Referenced by CreateWindowStationAndDesktops().
◆ CreateScreenSaverSecurity()
| BOOL CreateScreenSaverSecurity | ( | _Out_ PSECURITY_DESCRIPTOR * | ScreenSaverDesktopSd | ) |
Creates a security descriptor for the screen saver desktop.
- Parameters
-
[out] ScreenSaverDesktopSd A pointer to a created security descriptor for the screen-saver desktop.
- Returns
- Returns TRUE if the function has successfully created the security descriptor, FALSE otherwise.
Definition at line 691 of file security.c.
693{
695 SECURITY_DESCRIPTOR AbsoluteSd;
700
701 /* Create the Winlogon SID */
703 1,
705 0, 0, 0, 0, 0, 0, 0,
706 &WinlogonSid))
707 {
708 ERR("CreateScreenSaverSecurity(): Failed to create the Winlogon SID (error code %lu)\n", GetLastError());
710 }
711
712 /* Create the admins SID */
714 2,
717 0, 0, 0, 0, 0, 0,
718 &AdminsSid))
719 {
720 ERR("CreateScreenSaverSecurity(): Failed to create the admins SID (error code %lu)\n", GetLastError());
721 goto Quit;
722 }
723
724 /* Create the interactive logon SID */
726 1,
728 0, 0, 0, 0, 0, 0, 0,
729 &InteractiveSid))
730 {
731 ERR("CreateScreenSaverSecurity(): Failed to create the interactive SID (error code %lu)\n", GetLastError());
732 goto Quit;
733 }
734
735 /*
736 * Build up the DACL size. This includes a number
737 * of three ACEs of three different SIDs. The first ACE
738 * gives full access to Winlogon, the second one gives
739 * limited desktop access to admins and the last one
740 * gives full desktop access to users who have logged in
741 * interactively.
742 */
747
748 /* Allocate the DACL now */
750 HEAP_ZERO_MEMORY,
751 DaclSize);
753 {
755 goto Quit;
756 }
757
758 /* Initialize it */
760 {
761 ERR("CreateScreenSaverSecurity(): Failed to initialize DACL (error code %lu)\n", GetLastError());
762 goto Quit;
763 }
764
765 /* First ACE -- Give full desktop access to Winlogon */
767 ACL_REVISION,
768 0,
769 DESKTOP_ALL,
770 WinlogonSid))
771 {
772 ERR("CreateScreenSaverSecurity(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
773 goto Quit;
774 }
775
776 /* Second ACE -- Give limited desktop access to admins */
778 ACL_REVISION,
781 AdminsSid))
782 {
783 ERR("CreateScreenSaverSecurity(): Failed to set ACE for admins (error code %lu)\n", GetLastError());
784 goto Quit;
785 }
786
787 /* Third ACE -- Give full desktop access to interactive logon users */
789 ACL_REVISION,
792 InteractiveSid))
793 {
794 ERR("CreateScreenSaverSecurity(): Failed to set ACE for interactive SID (error code %lu)\n", GetLastError());
795 goto Quit;
796 }
797
798 /* Initialize the security descriptor */
800 {
801 ERR("CreateScreenSaverSecurity(): Failed to initialize absolute security descriptor (error code %lu)\n", GetLastError());
802 goto Quit;
803 }
804
805 /* Set the DACL to the descriptor */
807 {
808 ERR("CreateScreenSaverSecurity(): Failed to set up DACL to absolute security descriptor (error code %lu)\n", GetLastError());
809 goto Quit;
810 }
811
812 /* Conver it to self-relative format */
813 RelativeSd = ConvertToSelfRelative(&AbsoluteSd);
815 {
816 ERR("CreateScreenSaverSecurity(): Failed to convert security descriptor to self relative format!\n");
817 goto Quit;
818 }
819
820 /* Give the descriptor to the caller */
821 *ScreenSaverDesktopSd = RelativeSd;
823
824Quit:
826 {
827 FreeSid(WinlogonSid);
828 }
829
831 {
832 FreeSid(AdminsSid);
833 }
834
836 {
838 }
839
841 {
843 }
844
846 {
848 {
849 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
850 }
851 }
852
854}
Referenced by CreateWindowStationAndDesktops().
◆ CreateWinlogonDesktopSecurity()
| BOOL CreateWinlogonDesktopSecurity | ( | _Out_ PSECURITY_DESCRIPTOR * | WinlogonDesktopSd | ) |
Creates a security descriptor for the default Winlogon desktop. This descriptor serves as a security measure for the winlogon desktop so that only Winlogon itself (and admins) can interact with it.
- Parameters
-
[out] WinlogonDesktopSd A pointer to a created security descriptor for the Winlogon desktop.
- Returns
- Returns TRUE if the function has successfully created the security descriptor, FALSE otherwise.
Definition at line 542 of file security.c.
544{
546 SECURITY_DESCRIPTOR AbsoluteSd;
551
552 /* Create the Winlogon SID */
554 1,
556 0, 0, 0, 0, 0, 0, 0,
557 &WinlogonSid))
558 {
559 ERR("CreateWinlogonDesktopSecurity(): Failed to create the Winlogon SID (error code %lu)\n", GetLastError());
561 }
562
563 /* Create the admins SID */
565 2,
568 0, 0, 0, 0, 0, 0,
569 &AdminsSid))
570 {
571 ERR("CreateWinlogonDesktopSecurity(): Failed to create the admins SID (error code %lu)\n", GetLastError());
572 goto Quit;
573 }
574
575 /*
576 * Build up the DACL size. This includes a number
577 * of two ACEs of two different SIDs. The first ACE
578 * gives full access to Winlogon, the last one gives
579 * limited desktop access to admins.
580 */
584
585 /* Allocate the DACL now */
587 HEAP_ZERO_MEMORY,
588 DaclSize);
590 {
592 goto Quit;
593 }
594
595 /* Initialize it */
597 {
598 ERR("CreateWinlogonDesktopSecurity(): Failed to initialize DACL (error code %lu)\n", GetLastError());
599 goto Quit;
600 }
601
602 /* First ACE -- Give full desktop access to Winlogon */
604 ACL_REVISION,
605 0,
606 DESKTOP_ALL,
607 WinlogonSid))
608 {
609 ERR("CreateWinlogonDesktopSecurity(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
610 goto Quit;
611 }
612
613 /* Second ACE -- Give limited desktop access to admins */
615 ACL_REVISION,
616 0,
618 AdminsSid))
619 {
620 ERR("CreateWinlogonDesktopSecurity(): Failed to set ACE for admins (error code %lu)\n", GetLastError());
621 goto Quit;
622 }
623
624 /* Initialize the security descriptor */
626 {
627 ERR("CreateWinlogonDesktopSecurity(): Failed to initialize absolute security descriptor (error code %lu)\n", GetLastError());
628 goto Quit;
629 }
630
631 /* Set the DACL to the descriptor */
633 {
634 ERR("CreateWinlogonDesktopSecurity(): Failed to set up DACL to absolute security descriptor (error code %lu)\n", GetLastError());
635 goto Quit;
636 }
637
638 /* Conver it to self-relative format */
639 RelativeSd = ConvertToSelfRelative(&AbsoluteSd);
641 {
642 ERR("CreateWinlogonDesktopSecurity(): Failed to convert security descriptor to self relative format!\n");
643 goto Quit;
644 }
645
646 /* Give the descriptor to the caller */
647 *WinlogonDesktopSd = RelativeSd;
649
650Quit:
652 {
653 FreeSid(WinlogonSid);
654 }
655
657 {
658 FreeSid(AdminsSid);
659 }
660
662 {
664 }
665
667 {
669 {
670 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
671 }
672 }
673
675}
Referenced by CreateWindowStationAndDesktops().
◆ CreateWinstaSecurity()
| BOOL CreateWinstaSecurity | ( | _Out_ PSECURITY_DESCRIPTOR * | WinstaSd | ) |
Creates a security descriptor for the default window station upon its creation.
- Parameters
-
[out] WinstaSd A pointer to a created security descriptor for the window station.
- Returns
- Returns TRUE if the function has successfully created the security descriptor, FALSE otherwise.
Definition at line 113 of file security.c.
115{
117 SECURITY_DESCRIPTOR AbsoluteSd;
119 PSID WinlogonSid = NULL, AdminsSid = NULL, NetworkServiceSid = NULL; /* NetworkServiceSid is a HACK, see the comment below for information */
122
123 /* Create the Winlogon SID */
125 1,
127 0, 0, 0, 0, 0, 0, 0,
128 &WinlogonSid))
129 {
130 ERR("CreateWinstaSecurity(): Failed to create the Winlogon SID (error code %lu)\n", GetLastError());
132 }
133
134 /* Create the admins SID */
136 2,
139 0, 0, 0, 0, 0, 0,
140 &AdminsSid))
141 {
142 ERR("CreateWinstaSecurity(): Failed to create the admins SID (error code %lu)\n", GetLastError());
143 goto Quit;
144 }
145
146 /* HACK: Create the network service SID */
148 1,
150 0, 0, 0, 0, 0, 0, 0,
151 &NetworkServiceSid))
152 {
153 ERR("CreateWinstaSecurity(): Failed to create the network service SID (error code %lu)\n", GetLastError());
154 goto Quit;
155 }
156
157 /*
158 * Build up the DACL size. This includes a number
159 * of four ACEs of two different SIDs. The first two
160 * ACEs give both window station and generic access
161 * to Winlogon, the last two give limited window station
162 * and desktop access to admins.
163 *
164 * ===================== !!!MUST READ!!! =====================
165 *
166 * HACK -- Include in the DACL two more ACEs for network
167 * service SID. Network services will be granted full
168 * access to the default window station. Whilst technically
169 * services that are either network or local ones are part
170 * and act on behalf of the system, what we are doing here
171 * is a hack because of two reasons:
172 *
173 * 1) Winlogon does not allow default window station (Winsta0)
174 * access to network services on Windows. As a matter of fact,
175 * network services must access their own service window station
176 * (aka Service-0x0-3e4$) which never gets created. Why it never
177 * gets created is explained on the second point.
178 *
179 * 2) Our LSASS terribly lacks in code that handles special logon
180 * service types, NetworkService and LocalService. For this reason
181 * whenever an access token is created for a network service process
182 * for example, its authentication ID (aka LogonId represented as a LUID)
183 * is a uniquely generated ID by LSASS for this process. This is wrong
184 * on so many levels, partly because a network service is not a regular
185 * service and network services have their own special authentication logon
186 * ID (with its respective LUID as {0x3e4, 0x0}). On top of that, a network
187 * service process must have an impersonation token but for whatever reason
188 * we are creating a primary access token instead.
189 *
190 * FOR ANYONE WHO'S INTERESTED ON FIXING THIS, DO NOT FORGET TO REMOVE THIS
191 * HACK!!!
192 *
193 * =========================== !!!END!!! ================================
194 */
202
203 /* Allocate the DACL now */
205 HEAP_ZERO_MEMORY,
206 DaclSize);
208 {
210 goto Quit;
211 }
212
213 /* Initialize it */
215 {
217 goto Quit;
218 }
219
220 /* First ACE -- give full winsta access to Winlogon */
222 ACL_REVISION,
224 WINSTA_ALL,
225 WinlogonSid))
226 {
227 ERR("CreateWinstaSecurity(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
228 goto Quit;
229 }
230
231 /* Second ACE -- give full generic access to Winlogon */
233 ACL_REVISION,
235 GENERIC_ACCESS,
236 WinlogonSid))
237 {
238 ERR("CreateWinstaSecurity(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
239 goto Quit;
240 }
241
242 /* Third ACE -- give limited winsta access to admins */
244 ACL_REVISION,
247 AdminsSid))
248 {
250 goto Quit;
251 }
252
253 /* Fourth ACE -- give limited desktop access to admins */
255 ACL_REVISION,
258 AdminsSid))
259 {
261 goto Quit;
262 }
263
264 /* HACK: Fifth ACE -- give full access to network services */
266 ACL_REVISION,
268 WINSTA_ALL,
269 NetworkServiceSid))
270 {
271 ERR("CreateWinstaSecurity(): Failed to set ACE for network service (error code %lu)\n", GetLastError());
272 goto Quit;
273 }
274
275 /* HACK: Sixth ACE -- give full generic access to network services */
277 ACL_REVISION,
279 GENERIC_ACCESS,
280 NetworkServiceSid))
281 {
282 ERR("CreateWinstaSecurity(): Failed to set ACE for network service (error code %lu)\n", GetLastError());
283 goto Quit;
284 }
285
286 /* Initialize the security descriptor */
288 {
289 ERR("CreateWinstaSecurity(): Failed to initialize absolute security descriptor (error code %lu)\n", GetLastError());
290 goto Quit;
291 }
292
293 /* Set the DACL to the descriptor */
295 {
296 ERR("CreateWinstaSecurity(): Failed to set up DACL to absolute security descriptor (error code %lu)\n", GetLastError());
297 goto Quit;
298 }
299
300 /* Convert it to self-relative format */
301 RelativeSd = ConvertToSelfRelative(&AbsoluteSd);
303 {
304 ERR("CreateWinstaSecurity(): Failed to convert security descriptor to self relative format!\n");
305 goto Quit;
306 }
307
308 /* Give the descriptor to the caller */
309 *WinstaSd = RelativeSd;
311
312Quit:
314 {
315 FreeSid(WinlogonSid);
316 }
317
319 {
320 FreeSid(AdminsSid);
321 }
322
323 /* HACK */
325 {
327 }
328 /* END HACK */
329
331 {
333 }
334
336 {
338 {
339 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
340 }
341 }
342
344}
Referenced by CreateWindowStationAndDesktops().
Variable Documentation
◆ NtAuthority
|
static |
Definition at line 40 of file security.c.
Referenced by AllowDesktopAccessToUser(), AllowWinstaAccessToUser(), CmpHiveRootSecurityDescriptor(), CreateApplicationDesktopSecurity(), CreateBaseAcls(), CreateDefaultProcessSecurityCommon(), CreateNewDefaultDacl(), CreateNlsDirectorySecurity(), CreatePnpInstallEventSecurity(), CreatePwrProfSemaphoreSecurity(), CreateScreenSaverSecurity(), CreateWinlogonDesktopSecurity(), CreateWinstaSecurity(), GetNtAuthorityDomainSid(), is_process_limited(), IsCallerInteractive(), IsUserAdmin(), LsapCreateAccountSd(), LsapCreatePolicySd(), LsapCreateSecretSd(), LsapCreateTokenSd(), LsapInitSids(), RtlDefaultNpAcl(), SampCreateAccountDomainSD(), SampCreateAliasSD(), SampCreateBuiltinDomainSD(), SampCreateGroupSD(), SampCreateServerSD(), SampCreateUserSD(), ScmCreateSids(), and SmpCreateSecurityDescriptors().
