Automating DCOM settings
From: John (no_at_spam.com)
Date: 06/25/04
- Next message: Pieter Philippaerts: "Re: AES (Rijndael) Encryption with CryptoAPI"
- Previous message: Brandon Swamy: "Retrieving Logon Date and Time"
- Next in thread: John Phillips: "Re: Automating DCOM settings"
- Reply: John Phillips: "Re: Automating DCOM settings"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 24 Jun 2004 16:49:12 -0700
I would like to automate the changes that are required for our DCOM
server using the access-control API. The code will execute during the
program's installation.
If the user is using peer-to-peer workgroup networking, it is required
to make settings to the machine DCOM defaults.
DCOM Settings:
Default Authentication Level: None
COM Security Default Access Permissions:
Access permitted to \Everyone
Access permitted to NT AUTHORITY\INTERACTIVE
Access permitted to NT AUTHORITY\NETWORK
Access permitted to NT AUTHORITY\SYSTEM
COM Security Default Launch Permissions:
Launch permitted to \Everyone
Launch permitted to NT AUTHORITY\INTERACTIVE
Access permitted to NT AUTHORITY\NETWORK
Launch permitted to NT AUTHORITY\SYSTEM
Below I post some code that I thought would be enough to set these
machine defaults. Unfortunately, although things look good in dcomcnfg
after running this code, it seems to have permanently corrupted DCOM and
Windows to the point that the only recovery is to reinstall Windows. Can
anyone see what is missing?
My concerns are:
1) Is it ok to allocate the absolute SD with
SECURITY_DESCRIPTOR* psdAbsolute =
(SECURITY_DESCRIPTOR*)malloc(sizeof(SECURITY_DESCRIPTOR));
before calling InitializeSecurityDescriptor?
2) Do I need to give the SD more properties, for instance an owner? If
it needs an owner, who/what should it be?
Thanks
ASCINST_API void WINAPI
DoDCOMConfigServerWG(LPCTSTR serverName)
{
    BOOL test = FALSE; // debug
    /*
    Registry entries
    Machine Default AuthenticationLevel=None
    Machine Default LaunchPermission={self-relative security descriptor}
    Machine Default AccessPermission={self-relative security descriptor}
    */
    // generate the entries for the ACL to be used for Access and Launch permissions
    static LPCTSTR trusteeNames[4] =
        { _T("EVERYONE"), _T("SYSTEM"), _T("NETWORK"), _T("INTERACTIVE") };
    EXPLICIT_ACCESS ea[4];
    for (int i = 0; i < 4; i++)
    {
        ZeroMemory(&ea[i], sizeof(EXPLICIT_ACCESS));
        ea[i].grfAccessPermissions = 1; // COM_RIGHTS_EXECUTE
        ea[i].grfAccessMode = GRANT_ACCESS;
        ea[i].grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
        ea[i].Trustee.pMultipleTrustee = NULL;
        ea[i].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
        ea[i].Trustee.TrusteeForm = TRUSTEE_IS_NAME;
        ea[i].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
        ea[i].Trustee.ptstrName = const_cast<LPTSTR>(trusteeNames[i]);
    }
    // we need to create a self-relative security descriptor that will be
    // stored in the registry.
    // if all goes well setting up the security descriptor, continue with
    // the DCOM configuration
    ACL* pACL = NULL;
    SECURITY_DESCRIPTOR* psdAbsolute =
        (SECURITY_DESCRIPTOR*)malloc(sizeof(SECURITY_DESCRIPTOR));
    SECURITY_DESCRIPTOR* psdSelfRelative = NULL;
    HKEY key = 0;
    if (psdAbsolute != NULL &&
        SetEntriesInAcl(4, &ea[0], NULL, &pACL) == ERROR_SUCCESS)
    {
        test = IsValidAcl(pACL); // debug
        if (::InitializeSecurityDescriptor(psdAbsolute, SECURITY_DESCRIPTOR_REVISION))
        {
            test = IsValidSecurityDescriptor(psdAbsolute); // debug
            if (::SetSecurityDescriptorDacl(psdAbsolute, TRUE, pACL, FALSE))
            {
                test = IsValidSecurityDescriptor(psdAbsolute); // debug
                // the first call is expected to fail with ERROR_INSUFFICIENT_BUFFER
                // and to report the size needed for the self-relative copy
                DWORD sdSize = 0;
                ::MakeSelfRelativeSD(psdAbsolute, NULL, &sdSize);
                if (sdSize > 0)
                    psdSelfRelative = (SECURITY_DESCRIPTOR*)malloc(sdSize);
                if (psdSelfRelative != NULL &&
                    ::MakeSelfRelativeSD(psdAbsolute, psdSelfRelative, &sdSize))
                {
                    test = IsValidSecurityDescriptor(psdSelfRelative); // debug
                    // we have now successfully created a self-relative security
                    // descriptor which contains our ACL
                    if (::RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                                       _T("Software\\Microsoft\\Ole"), 0,
                                       KEY_ALL_ACCESS, &key) == ERROR_SUCCESS)
                    {
                        const DWORD sdLength = GetSecurityDescriptorLength(psdSelfRelative);
                        // set the machine default LaunchPermission
                        LONG rc = ::RegSetValueEx(key, _T("DefaultLaunchPermission"), 0,
                                                  REG_BINARY,
                                                  reinterpret_cast<const BYTE*>(psdSelfRelative),
                                                  sdLength);
                        // set the machine default AccessPermission
                        if (rc == ERROR_SUCCESS)
                            rc = ::RegSetValueEx(key, _T("DefaultAccessPermission"), 0,
                                                 REG_BINARY,
                                                 reinterpret_cast<const BYTE*>(psdSelfRelative),
                                                 sdLength);
                        // set the machine default AuthenticationLevel
                        if (rc == ERROR_SUCCESS)
                        {
                            DWORD AuthLevel = 1; // None (RPC_C_AUTHN_LEVEL_NONE)
                            rc = ::RegSetValueEx(key, _T("LegacyAuthenticationLevel"), 0,
                                                 REG_DWORD,
                                                 reinterpret_cast<const BYTE*>(&AuthLevel),
                                                 sizeof(DWORD));
                        }
                        test = (rc == ERROR_SUCCESS); // debug
                        // close the key
                        ::RegCloseKey(key);
                    }
                }
            }
        }
    }
    // cleanup
    if (pACL)
        LocalFree((HLOCAL)pACL);
    if (psdAbsolute)
        free(psdAbsolute);
    if (psdSelfRelative)
        free(psdSelfRelative);
}
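As an added check for readers of this thread (not part of the original post or its code), the following PowerShell script reads back the three values the installer above writes under HKLM\Software\Microsoft\Ole, decodes the binary security descriptors into SDDL and individual ACEs, and flags the conditions the post's settings produce: access granted to Everyone, a descriptor with no owner or group, and LegacyAuthenticationLevel of 1 (None). It assumes it is run on the configured machine with rights to read HKLM and only reads the registry.

```powershell
# Read-only audit of the machine-wide DCOM defaults that the installer above
# rewrites. Reads HKLM\SOFTWARE\Microsoft\Ole on the local machine only.
$olePath = 'HKLM:\SOFTWARE\Microsoft\Ole'
$ole = Get-ItemProperty -Path $olePath

# RPC_C_AUTHN_LEVEL_* values as stored in LegacyAuthenticationLevel
$authLevels = @{ 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet';
                 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }

function Get-DcomPermissionReport {
    param([string]$ValueName, [byte[]]$Bytes)
    if ($null -eq $Bytes) {
        return "$ValueName : not set (built-in defaults apply)"
    }
    # The value is a self-relative SECURITY_DESCRIPTOR, so the .NET
    # RawSecurityDescriptor can parse it directly into SDDL and ACEs.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
    $lines = @("$ValueName : $($sd.GetSddlForm('All'))")
    if ($null -eq $sd.Owner -or $null -eq $sd.Group) {
        $lines += '  WARNING: descriptor has no owner or group'
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        $account = $sid.Value
        try { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        # bit 0 of the mask is COM_RIGHTS_EXECUTE, the right the installer grants
        $lines += ('  {0,-13} {1,-30} mask=0x{2:X}' -f $ace.AceType, $account, $ace.AccessMask)
        if ($ace.AceType -eq 'AccessAllowed' -and
            $sid.IsWellKnown([System.Security.Principal.WellKnownSidType]::WorldSid)) {
            $lines += "  WARNING: Everyone is granted $ValueName"
        }
    }
    return $lines
}

foreach ($name in 'DefaultAccessPermission', 'DefaultLaunchPermission') {
    Get-DcomPermissionReport -ValueName $name -Bytes $ole.$name
}

$level = $ole.LegacyAuthenticationLevel
if ($null -eq $level) {
    'LegacyAuthenticationLevel : not set'
} else {
    $label = $authLevels[[int]$level]
    if ($null -eq $label) { $label = 'unknown' }
    "LegacyAuthenticationLevel : $level ($label)"
    if ([int]$level -eq 1) { '  WARNING: default authentication level is None' }
}
```

Running it before and after the installer shows exactly which machine-wide defaults were changed, which is also the quickest way to confirm the descriptors written are ones the registry can parse.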