Re: Automating DCOM settings
From: John Phillips (jjphillipsREMOVE_at_REMOVEhotmail.com)
Date: 06/25/04
- Next message: Michael Kuyper: "Importing RSA CRT Keys"
- Previous message: Crusty Applesniffer: "Event log access rights on Windows 2003"
- In reply to: John: "Automating DCOM settings"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 25 Jun 2004 08:59:10 -0400
Google for DCOMPerm. Some versions are reported to be a tad on the buggy
side, but I've used it in the past, and it works well enough.
--
John Phillips
MVP - Windows SDK
"John" <no@spam.com> wrote in message
news:%23wRIcXkWEHA.3472@TK2MSFTNGP09.phx.gbl...
> I would like to automate the changes that are required for our DCOM
> server using the access-control API. The code will execute during the
> program's installation.
>
> If the user is using peer-to-peer workgroup networking, it is required
> to make settings to the machine DCOM defaults.
>
> DCOM Settings:
> Default Authentication Level: None
> COM Security Default Access Permissions:
> Access permitted to \Everyone
> Access permitted to NT AUTHORITY\INTERACTIVE
> Access permitted to NT AUTHORITY\NETWORK
> Access permitted to NT AUTHORITY\SYSTEM
> COM Security Default Launch Permissions:
> Launch permitted to \Everyone
> Launch permitted to NT AUTHORITY\INTERACTIVE
> Access permitted to NT AUTHORITY\NETWORK
> Launch permitted to NT AUTHORITY\SYSTEM
>
>
> Below I post some code that I thought would be enough to set these
> machine defaults. Unfortunately, although things look good in dcomcnfg
> after running this code, it seems to have permanently corrupted DCOM and
> Windows to the point that the only recovery is to reinstall Windows. Can
> anyone see what is missing?
>
> My concerns are:
> 1) Is it ok to allocate the absolute SD with
> SECURITY_DESCRIPTOR* psdAbsolute =
> (SECURITY_DESCRIPTOR*)malloc(sizeof(SECURITY_DESCRIPTOR));
> before calling InitializeSecurityDescriptor?
>
> 2) Do I need to give the SD more properties, for instance an owner. If
> it needs an owner who/what should it be?
>
> Thanks
>
>
> ASCINST_API void WINAPI
> DoDCOMConfigServerWG(LPCTSTR serverName)
> {
>     BOOL test = FALSE; //debug
>     /*
>     Registry entries
>
>     Machine Default AuthenticationLevel=None
>     Machine Default LaunchPermission={self-relative security descriptor}
>     Machine Default AccessPermission={self-relative security descriptor}
>     */
>
>     // generate the entries for the ACL to be used for Access and Launch permissions
>     EXPLICIT_ACCESS ea[4];
>     for( int i=0; i<4; i++ )
>     {
>         ZeroMemory(&ea[i], sizeof(EXPLICIT_ACCESS));
>         ea[i].grfAccessPermissions = 1; //COM_RIGHTS_EXECUTE;
>         ea[i].grfAccessMode = GRANT_ACCESS;
>         ea[i].grfInheritance= SUB_CONTAINERS_AND_OBJECTS_INHERIT;
>
>         ea[i].Trustee.pMultipleTrustee = NULL;
>         ea[i].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
>
>         switch (i)
>         {
>         case 0:
>             ea[i].Trustee.TrusteeForm = TRUSTEE_IS_NAME;
>             ea[i].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
>             ea[i].Trustee.ptstrName = _T("EVERYONE");
>             break;
>         case 1:
>             ea[i].Trustee.TrusteeForm = TRUSTEE_IS_NAME;
>             ea[i].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
>             ea[i].Trustee.ptstrName = _T("SYSTEM");
>             break;
>         case 2:
>             ea[i].Trustee.TrusteeForm = TRUSTEE_IS_NAME;
>             ea[i].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
>             ea[i].Trustee.ptstrName = _T("NETWORK");
>             break;
>         case 3:
>             ea[i].Trustee.TrusteeForm = TRUSTEE_IS_NAME;
>             ea[i].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
>             ea[i].Trustee.ptstrName = _T("INTERACTIVE");
>             break;
>         }
>     }
>
>     // we need to create a self-relative security descriptor that will be stored in the registry.
>     // if all goes well setting up the security descriptor, continue with the DCOM configuration
>     ACL* pACL = NULL;
>     SECURITY_DESCRIPTOR* psdAbsolute =
>         (SECURITY_DESCRIPTOR*)malloc(sizeof(SECURITY_DESCRIPTOR));
>     SECURITY_DESCRIPTOR* psdSelfRelative = NULL;
>
>     HKEY key = 0;
>     DWORD AuthLevel = 0;
>
>     if (SetEntriesInAcl(4, &ea[0], NULL, &pACL) == ERROR_SUCCESS)
>     {
>         test = IsValidAcl(pACL); //debug
>         if( ::InitializeSecurityDescriptor(psdAbsolute, SECURITY_DESCRIPTOR_REVISION) )
>         {
>             test = IsValidSecurityDescriptor(psdAbsolute); //debug
>             if( ::SetSecurityDescriptorDacl(psdAbsolute, TRUE, pACL, FALSE) )
>             {
>                 test = IsValidSecurityDescriptor(psdAbsolute); //debug
>                 DWORD sdSize = 0;
>                 ::MakeSelfRelativeSD(psdAbsolute, psdSelfRelative, &sdSize);
>                 psdSelfRelative = (SECURITY_DESCRIPTOR*) malloc(sdSize);
>                 if( ::MakeSelfRelativeSD(psdAbsolute, psdSelfRelative, &sdSize) )
>                 {
>                     test = IsValidSecurityDescriptor(psdSelfRelative); //debug
>                     // we have now successfully created a self-relative security
>                     // descriptor which contains our ACL
>
>                     if( ::RegOpenKeyEx(HKEY_LOCAL_MACHINE,
>                                        _T("Software\\Microsoft\\Ole"), 0,
>                                        KEY_ALL_ACCESS, &key) == ERROR_SUCCESS )
>                     {
>                         // set the machine default LaunchPermission
>                         ::RegSetValueEx(key, _T("DefaultLaunchPermission"), 0,
>                                         REG_BINARY,
>                                         reinterpret_cast<const BYTE*>(psdSelfRelative),
>                                         GetSecurityDescriptorLength(psdSelfRelative));
>
>                         // set the machine default AccessPermission
>                         ::RegSetValueEx(key, _T("DefaultAccessPermission"), 0,
>                                         REG_BINARY,
>                                         reinterpret_cast<const BYTE*>(psdSelfRelative),
>                                         GetSecurityDescriptorLength(psdSelfRelative));
>
>                         // set the machine default AuthenticationLevel
>                         DWORD AuthLevel = 1; // None
>
>                         ::RegSetValueEx(key, _T("LegacyAuthenticationLevel"), 0,
>                                         REG_DWORD,
>                                         reinterpret_cast<const BYTE*>(&AuthLevel),
>                                         sizeof(DWORD));
>
>                         // close the key
>                         ::RegCloseKey(key);
>                     }
>                 }
>             }
>         }
>     }
>
>     // cleanup
>     if( pACL )
>         LocalFree((HLOCAL) pACL);
>     if( psdAbsolute )
>         free(psdAbsolute);
>     if( psdSelfRelative )
>         free(psdSelfRelative);
> }
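The quoted code writes a self-relative SECURITY_DESCRIPTOR as REG_BINARY into the Ole key, and the poster's second question is whether that descriptor needs an owner. The following is an added example, not code from this thread, from the poster, or from Microsoft's DCOMPerm sample: a small pure-Python builder and parser for the self-relative descriptor format, plus an audit that reports what a defender would want flagged in the machine-wide DCOM defaults (missing owner or group, a NULL DACL, Everyone holding COM_RIGHTS_EXECUTE, inheritance flags on the ACEs, and LegacyAuthenticationLevel=1). The constructed sample blob `poster_style_sd()` reproduces the descriptor the posted code would generate (four allow ACEs for mask 1 with SUB_CONTAINERS_AND_OBJECTS_INHERIT, no owner, no group); the well-known SIDs, the control bits and the 1 = None mapping for LegacyAuthenticationLevel are standard Win32 values, and the function and field names are this example's own. It reports the absence of an owner and group but makes no claim that this is what broke the poster's installation.

```python
"""Build and audit the self-relative SECURITY_DESCRIPTOR blobs that DCOM keeps
under HKLM\\SOFTWARE\\Microsoft\\Ole (DefaultAccessPermission, DefaultLaunchPermission).
Pure Python: it only handles the binary format, so it runs on any platform."""
import struct

COM_RIGHTS_EXECUTE = 0x1                                 # the access mask the posted code grants
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE = 0x00, 0x01
OBJECT_INHERIT_ACE, CONTAINER_INHERIT_ACE = 0x01, 0x02  # SUB_CONTAINERS_AND_OBJECTS_INHERIT sets both
RPC_C_AUTHN_LEVEL_NONE = 1                               # LegacyAuthenticationLevel value for "None"

WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-2": "NT AUTHORITY\\NETWORK",
              "S-1-5-4": "NT AUTHORITY\\INTERACTIVE", "S-1-5-18": "NT AUTHORITY\\SYSTEM",
              "S-1-5-32-544": "BUILTIN\\Administrators"}

def sid_to_bytes(sid):
    """'S-1-5-32-544' -> binary SID (revision, count, 48-bit big-endian authority, LE sub-authorities)."""
    parts = sid.split("-")
    assert parts[0] == "S" and parts[1] == "1", "unsupported SID syntax"
    subs = [int(p) for p in parts[3:]]
    return bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def sid_from_bytes(buf, off):
    """Decode the binary SID at buf[off:] and return its string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs))

def build_dacl(entries):
    """entries: [(sid, access_mask, ace_flags)] -> ACL holding one ACCESS_ALLOWED_ACE per entry."""
    aces = b""
    for sid, mask, flags in entries:
        body = struct.pack("<I", mask) + sid_to_bytes(sid)
        aces += struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, flags, 4 + len(body)) + body
    return struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(entries), 0) + aces  # ACL_REVISION = 2

def build_self_relative_sd(dacl, owner=None, group=None):
    """20-byte header followed by owner SID, group SID and DACL; an absent part has offset 0."""
    body, off_owner, off_group = b"", 0, 0
    if owner:
        off_owner, body = 20 + len(body), body + sid_to_bytes(owner)
    if group:
        off_group, body = 20 + len(body), body + sid_to_bytes(group)
    off_dacl = 20 + len(body)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         off_owner, off_group, 0, off_dacl)
    return header + body + dacl

def parse_self_relative_sd(blob):
    """Parse header, owner, group and DACL of a self-relative SD into a dict."""
    rev, _, control, o_owner, o_group, _o_sacl, o_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    sd = {"control": control, "owner": None, "group": None, "dacl": None}
    if o_owner:
        sd["owner"] = sid_from_bytes(blob, o_owner)
    if o_group:
        sd["group"] = sid_from_bytes(blob, o_group)
    if control & SE_DACL_PRESENT and o_dacl:   # present flag with offset 0 means a NULL DACL
        _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", blob, o_dacl)
        sd["dacl"], pos = [], o_dacl + 8
        for _ in range(ace_count):
            ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", blob, pos)
            ace = {"type": ace_type, "flags": ace_flags, "mask": None, "sid": None}
            if ace_type in (ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE):
                ace["mask"] = struct.unpack_from("<I", blob, pos + 4)[0]
                ace["sid"] = sid_from_bytes(blob, pos + 8)
            sd["dacl"].append(ace)
            pos += ace_size                     # AceSize skips ACE types we do not decode
    return sd

def audit_dcom_sd(blob, legacy_auth_level=None):
    """Return human-readable risk findings for a DCOM default-permission SD."""
    sd, findings = parse_self_relative_sd(blob), []
    if sd["owner"] is None or sd["group"] is None:
        findings.append("descriptor has no owner and/or no primary group")
    if sd["dacl"] is None:
        findings.append("no DACL (NULL DACL): every caller is granted access")
    for ace in sd["dacl"] or []:
        who = WELL_KNOWN.get(ace["sid"], ace["sid"])
        if ace["type"] == ACCESS_ALLOWED_ACE_TYPE and ace["sid"] == "S-1-1-0" \
                and ace["mask"] & COM_RIGHTS_EXECUTE:
            findings.append("Everyone is granted COM_RIGHTS_EXECUTE")
        if ace["flags"] & (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE):
            findings.append("ACE for %s carries inheritance flags 0x%02x; a COM permission is "
                            "checked as a single object, so NO_INHERITANCE is the usual choice"
                            % (who, ace["flags"]))
    if legacy_auth_level == RPC_C_AUTHN_LEVEL_NONE:
        findings.append("LegacyAuthenticationLevel=1 (RPC_C_AUTHN_LEVEL_NONE): "
                        "unauthenticated callers are accepted")
    return findings

def poster_style_sd():
    """Constructed sample: the blob the posted code would produce (four allow ACEs,
    inheritance flags set, no owner, no group)."""
    flags = OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
    trustees = ("S-1-1-0", "S-1-5-18", "S-1-5-2", "S-1-5-4")  # EVERYONE, SYSTEM, NETWORK, INTERACTIVE
    return build_self_relative_sd(build_dacl([(s, COM_RIGHTS_EXECUTE, flags) for s in trustees]))

def with_owner_and_group():
    """Constructed sample: the same four trustees, but with owner and group set to
    Administrators and no inheritance flags on the ACEs."""
    trustees = ("S-1-1-0", "S-1-5-18", "S-1-5-2", "S-1-5-4")
    dacl = build_dacl([(s, COM_RIGHTS_EXECUTE, 0) for s in trustees])
    return build_self_relative_sd(dacl, owner="S-1-5-32-544", group="S-1-5-32-544")

if __name__ == "__main__":
    for name, blob in (("posted code", poster_style_sd()), ("with owner/group", with_owner_and_group())):
        print(name, len(blob), "bytes")
        for finding in audit_dcom_sd(blob, legacy_auth_level=RPC_C_AUTHN_LEVEL_NONE):
            print("  -", finding)
```

`audit_dcom_sd` takes the raw REG_BINARY bytes, so on a Windows box the same function can be fed the actual DefaultAccessPermission and DefaultLaunchPermission values read from the Ole key, together with the LegacyAuthenticationLevel DWORD, to review what an installer such as the one quoted has left behind. The parser follows the offsets in the header rather than assuming a fixed order of owner, group and DACL, since descriptors produced by MakeSelfRelativeSD and by other tools lay those parts out differently.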