public void SamrQuerySecurityObject_Group_OWNER_SECURITY_INFORMATION_NonDC()
{
ConnectAndOpenDomain_NonDC(_samrProtocolAdapter.domainMemberFqdn, _samrProtocolAdapter.domainMemberFqdn,
out _serverHandle, out _domainHandle, Utilities.MAXIMUM_ALLOWED);
string groupName = testGroupName;
uint relativeId = 0;
try
{
CreateGroup_NonDC(groupName, _serverHandle, _domainHandle, out _groupHandle, out relativeId);
HRESULT result = _samrProtocolAdapter.SamrOpenGroup(_domainHandle, (uint)Common_ACCESS_MASK.READ_CONTROL, relativeId, out _groupHandle);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrOpenGroup succeeded.");
Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject with OWNER_SECURITY_INFORMATION");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
result = _samrProtocolAdapter.SamrQuerySecurityObject(_groupHandle, SecurityInformation.OWNER_SECURITY_INFORMATION, out securityDescriptor);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrQuerySecurityObject returns:{0}.", result);
Site.Assert.IsNotNull(securityDescriptor, "The returned securityDescriptor should not be null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
Site.Assert.IsNotNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is set, the client requests that the Owner member be returned.");
Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned.");
Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned.");
Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned.");
Site.Assert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)sd.OwnerSid), "3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544).");
}
finally
{
HRESULT result = _samrProtocolAdapter.SamrOpenGroup(_domainHandle, (uint)Group_ACCESS_MASK.GROUP_ALL_ACCESS, relativeId, out _groupHandle);
Site.Log.Add(LogEntryKind.TestStep, "SamrOpenGroup: delete the created group.");
result = _samrProtocolAdapter.SamrDeleteGroup(ref _groupHandle);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrDeleteGroup succeeded.");
}
}
/// <summary>
/// Get SDDL form from the _SID.
/// </summary>
/// <returns>The SDDL string built from the _SID.</returns>
public string GetSddlForm()
{
StringBuilder result = new StringBuilder();
string sddl = DtypUtility.ToSddlString(this);
result.AppendFormat(CultureInfo.InvariantCulture, "O:{0}", sddl);
return(result.ToString());
}
public void FolderPermission_AccessDeny_SidNoInclude()
{
_SID sid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name, testConfig.UserName, testConfig.UserPassword);
BaseTestSite.Assert.IsFalse(
AccessShare(),
"User SID ({0}) is not in folder Security Descriptor. User should not be able to access the share.",
DtypUtility.ToSddlString(sid));
}
public void FilePermission_AccessDeny_SidNoInclude()
{
_SID sid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name);
BaseTestSite.Assert.IsFalse(
TryReadFile(),
"User SID ({0}) is not in file Security Descriptor. User should not be able to read the file.",
DtypUtility.ToSddlString(sid));
}
public void FilePermission_AccessDeny_SidNoInclude()
{
_SID sid = sutCommonControlAdapterAccessor.GetUserSid(azUser01Name);
BaseTestSite.Assert.IsFalse(
TryReadFile(),
"User SID ({0}) is not in file Security Descriptor. User should not be able to read the file.",
DtypUtility.ToSddlString(sid));
}
public string GetSddlForm()
{
StringBuilder result = new StringBuilder();
_SID sid = TypeMarshal.ToStruct <_SID>(buffer);
string sddl = DtypUtility.ToSddlString(sid);
result.AppendFormat(CultureInfo.InvariantCulture, "O:{0}", sddl);
return(result.ToString());
}
public void FolderPermission_AccessDeny_UserSidWithoutReadPermission()
{
_SID sid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name, testConfig.UserName, testConfig.UserPassword);
object ace = DtypUtility.CreateAccessAllowedAce(sid, 0, ACE_FLAGS.None);
SetSecurityDescriptorOnShare(ace);
BaseTestSite.Assert.IsFalse(
AccessShare(),
"ACCESS_ALLOWED_ACE with user SID ({0}) without READ permission in folder Security Descriptor. User should not be able to access the share.",
DtypUtility.ToSddlString(sid));
}
public void FolderPermission_AccessDeny_UserSid()
{
_SID sid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name, testConfig.UserName, testConfig.UserPassword);
object ace = DtypUtility.CreateAccessDeniedAce(sid, DtypUtility.ACCESS_MASK_GENERIC_READ, ACE_FLAGS.None);
SetSecurityDescriptorOnShare(ace);
BaseTestSite.Assert.IsFalse(
AccessShare(),
"ACCESS_DENIED_ACE with user SID ({0}) exists in folder Security Descriptor. User should not be able to access the share.",
DtypUtility.ToSddlString(sid));
}
public override string ToString()
{
StringBuilder sb = new StringBuilder();
sb.AppendFormat("Central Access Policy Name: {0}", Name);
sb.AppendFormat(", Id: {0}", DtypUtility.ToSddlString(Id));
for (int i = 0; i < MemberRules.Count; i++)
{
sb.AppendFormat(", Central Access Rule {0}: [{1}]", i, MemberRules[i]);
}
return(sb.ToString());
}
public void FilePermission_AccessDeny_GroupSid()
{
_SID sid = sutCommonControlAdapterAccessor.GetGroupSid(azGroup01Name);
object ace = DtypUtility.CreateAccessDeniedAce(sid, DtypUtility.ACCESS_MASK_GENERIC_READ, ACE_FLAGS.None);
SetSecurityDescriptorOnFile(ace);
BaseTestSite.Assert.IsFalse(
TryReadFile(),
"ACCESS_DENIED_ACE with user's group SID ({0}) exists in file Security Descriptor. User should be not able to read the file.",
DtypUtility.ToSddlString(sid));
}
public void BVT_FilePermission_AccessAllow_UserSid()
{
_SID sid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name, testConfig.UserName, testConfig.UserPassword);
object ace = DtypUtility.CreateAccessAllowedAce(sid, DtypUtility.ACCESS_MASK_GENERIC_READ, ACE_FLAGS.None);
SetSecurityDescriptorOnFile(ace);
BaseTestSite.Assert.IsTrue(
TryReadFile(),
"ACCESS_ALLOWED_ACE with user SID ({0}) exists in file Security Descriptor. User should be able to read the file.",
DtypUtility.ToSddlString(sid));
}
public void FolderPermission_AccessDeny_UserSid()
{
_SID sid = sutCommonControlAdapterAccessor.GetUserSid(azUser01Name);
object ace = DtypUtility.CreateAccessDeniedAce(sid, DtypUtility.ACCESS_MASK_GENERIC_READ, ACE_FLAGS.None);
SetSecurityDescriptorOnShare(ace);
BaseTestSite.Assert.IsFalse(
AccessShare(),
"ACCESS_DENIED_ACE with user SID ({0}) exists in folder Security Descriptor. User should not be able to access the share.",
DtypUtility.ToSddlString(sid));
}
public void FilePermission_AccessDeny_UserSidWithoutReadPermission()
{
_SID sid = sutCommonControlAdapterAccessor.GetUserSid(azUser01Name);
object ace = DtypUtility.CreateAccessAllowedAce(sid, 0, ACE_FLAGS.None); // 0 stands for non access mask flag set
SetSecurityDescriptorOnFile(ace);
BaseTestSite.Assert.IsFalse(
TryReadFile(),
"ACCESS_ALLOWED_ACE with user SID ({0}) without READ permission in folder Security Descriptor. User should not be able to read the file.",
DtypUtility.ToSddlString(sid));
}
public void BVT_FilePermission_AccessAllow_UserSid()
{
_SID sid = sutCommonControlAdapterAccessor.GetUserSid(azUser01Name);
object ace = DtypUtility.CreateAccessAllowedAce(sid, DtypUtility.ACCESS_MASK_GENERIC_READ, ACE_FLAGS.None);
SetSecurityDescriptorOnFile(ace);
BaseTestSite.Assert.IsTrue(
TryReadFile(),
"ACCESS_ALLOWED_ACE with user SID ({0}) exists in file Security Descriptor. User should be able to read the file.",
DtypUtility.ToSddlString(sid));
}
public void FolderPermission_AccessAllow_GroupSid()
{
_SID sid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azGroup01Name, testConfig.UserName, testConfig.UserPassword);
object ace = DtypUtility.CreateAccessAllowedAce(sid, DtypUtility.ACCESS_MASK_GENERIC_READ, ACE_FLAGS.None);
SetSecurityDescriptorOnShare(ace);
BaseTestSite.Assert.IsTrue(
AccessShare(),
"ACCESS_ALLOWED_ACE with user's group SID ({0}) exists in share Security Descriptor. User should be able to access the share.",
DtypUtility.ToSddlString(sid));
}
private void SetSecurityDescriptorOnShare(object ace)
{
_ACL acl = DtypUtility.CreateAcl(true, ace);
_SECURITY_DESCRIPTOR sd = originalSD;
_ACL oriAcl = originalSD.Dacl.Value;
DtypUtility.AddAceToAcl(ref oriAcl, true, ace);
sd.Dacl = oriAcl;
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Set Security Descriptor on the share ({0}): {1}.",
FolderPermissionTestShareUncPath, DtypUtility.ToSddlString(sd));
SetSecurityDescriptor(FolderPermissionTestShareUncPath, null, sd, SET_INFO_Request_AdditionalInformation_Values.DACL_SECURITY_INFORMATION);
}
public void SamrQuerySecurityObject_User_DACL_SECURITY_INFORMATION()
{
ConnectAndOpenUser(_samrProtocolAdapter.PDCNetbiosName, _samrProtocolAdapter.PrimaryDomainDnsName,
_samrProtocolAdapter.DomainAdministratorName, out _userHandle, (uint)Common_ACCESS_MASK.READ_CONTROL);
Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject with DACL_SECURITY_INFORMATION.");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
HRESULT result = _samrProtocolAdapter.SamrQuerySecurityObject(_userHandle, SecurityInformation.DACL_SECURITY_INFORMATION, out securityDescriptor);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrQuerySecurityObject returns:{0}.", result);
Site.Assert.IsNotNull(securityDescriptor, "The returned securityDescriptor should not be null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned.");
Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned.");
Site.Assert.IsNotNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is set, the client requests that the DACL be returned.");
Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned.");
bool isAdminSidMatched = false;
bool isWorldSidMatched = false;
bool isSelfMatched = false;
foreach (var ace in sd.Dacl.Value.Aces)
{
if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(AdministratorSid, StringComparison.InvariantCultureIgnoreCase))
{
if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)User_ACCESS_MASK.USER_ALL_ACCESS)
{
isAdminSidMatched = true;
}
}
if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(WorldSid, StringComparison.InvariantCultureIgnoreCase))
{
if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)(User_ACCESS_MASK.USER_EXECUTE | User_ACCESS_MASK.USER_READ))
{
isWorldSidMatched = true;
}
}
if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(_samrProtocolAdapter.DomainAdministratorSid.Value, StringComparison.InvariantCultureIgnoreCase))
{
if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)(User_ACCESS_MASK.USER_WRITE))
{
isSelfMatched = true;
}
}
}
Site.Assert.IsTrue(isAdminSidMatched, "3.1.5.12.2.1 if ObjectHandle.Object refers to a user object that is a member of Domain Admins or Administrators, the DACL MUST contain AdministratorSid:USER_ALL_ACCESS.");
Site.Assert.IsTrue(isWorldSidMatched, "3.1.5.12.2.1 if ObjectHandle.Object refers to a user object that is a member of Domain Admins or Administrators, the DACL MUST contain WorldSid:USER_EXECUTE|USER_READ.");
Site.Assert.IsTrue(isSelfMatched, "3.1.5.12.2.1 if ObjectHandle.Object refers to a user object that is a member of Domain Admins or Administrators, the DACL MUST contain Self:USER_WRITE.");
}
public void SamrQuerySecurityObject_Server_Group_NonDC()
{
HRESULT hResult;
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword));
_samrProtocolAdapter.SamrBind(
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword,
false,
false);
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrConnect5, Server:{0}, Desired Access: READ_CONTROL.", _samrProtocolAdapter.domainMemberFqdn));
hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5(
_samrProtocolAdapter.domainMemberFqdn,
(uint)COMMON_ACCESS_MASK.READ_CONTROL,
out _serverHandle);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS.");
Site.Log.Add(LogEntryKind.TestStep,
"SamrQuerySecurityObject, SecurityInformation: GROUP_SECURITY_INFORMATION.");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrQuerySecurityObject(
_serverHandle,
SamrQuerySecurityObject_SecurityInformation_Values.GROUP_SECURITY_INFORMATION,
out securityDescriptor);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS.");
PtfAssert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
PtfAssert.IsNotNull(sd.GroupSid,
"[MS-SAMR] 3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is set, the client requests that the Group member be returned.");
PtfAssert.IsNull(sd.OwnerSid,
"[MS-SAMR] 3.1.5.12.2 The field(OwnerSid) of the security descriptor is not returned and is set to zero.");
PtfAssert.IsNull(sd.Sacl,
"[MS-SAMR] 3.1.5.12.2 The field(SACL) of the security descriptor is not returned and is set to zero.");
PtfAssert.IsNull(sd.Dacl,
"[MS-SAMR] 3.1.5.12.2 The field(DACL) of the security descriptor is not returned and is set to zero.");
PtfAssert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)sd.GroupSid),
"[MS-SAMR] 3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544).");
}
/// <summary>
/// Parse an ldap object from byte array to string
/// </summary>
/// <param name="ldapSyntax">The ldap syntax.</param>
/// <param name="buffer">The byte array object.</param>
/// <returns>Result in string format.</returns>
/// <exception cref="System.NotSupportedException">Thrown when the ldapSyntax is not supported.</exception>
public static string Parse(AdtsLdapSyntax ldapSyntax, byte[] buffer)
{
string result;
switch (ldapSyntax)
{
case AdtsLdapSyntax.Boolean:
case AdtsLdapSyntax.Enumeration:
case AdtsLdapSyntax.Integer:
case AdtsLdapSyntax.LargeInteger:
case AdtsLdapSyntax.ObjectForAccessPoint:
case AdtsLdapSyntax.ObjectForDNString:
case AdtsLdapSyntax.ObjectForORName:
case AdtsLdapSyntax.ObjectForDNBinary:
case AdtsLdapSyntax.ObjectForDSDN:
case AdtsLdapSyntax.ObjectForPresentationAddress:
case AdtsLdapSyntax.StringForCase:
case AdtsLdapSyntax.StringForIA5:
case AdtsLdapSyntax.StringForObjectIdentifier:
case AdtsLdapSyntax.StringForPrintable:
case AdtsLdapSyntax.ObjectForReplicaLink:
case AdtsLdapSyntax.StringForOctet:
case AdtsLdapSyntax.StringForNumeric:
case AdtsLdapSyntax.StringForTeletex:
case AdtsLdapSyntax.StringForUnicode:
case AdtsLdapSyntax.StringForUTCTime:
case AdtsLdapSyntax.StringForGeneralizedTime:
result = Encoding.UTF8.GetString(buffer);
break;
case AdtsLdapSyntax.StringForNTSecDesc:
RawSecurityDescriptor ntSecurityDescriptor = new RawSecurityDescriptor(buffer, 0);
result = ntSecurityDescriptor.GetSddlForm(AccessControlSections.All);
break;
case AdtsLdapSyntax.StringForSid:
_SID sid = TypeMarshal.ToStruct <_SID>(buffer);
result = DtypUtility.ToSddlString(sid);
break;
default:
throw new NotSupportedException("The specified syntax is not supported.");
}
return(result);
}
public void SamrSetSecurityObject_Owner_SECURITY_INFORMATION_Domain()
{
HRESULT hResult;
ConnectAndOpenDomain(_samrProtocolAdapter.PDCNetbiosName, _samrProtocolAdapter.PrimaryDomainDnsName,
out _serverHandle, out _domainHandle, (uint)(Common_ACCESS_MASK.WRITE_OWNER | Common_ACCESS_MASK.READ_CONTROL));
CommonSecurityDescriptor commonsd = new CommonSecurityDescriptor(false, true, "O:BGG:BA");
byte[] buffer = new byte[commonsd.BinaryLength];
commonsd.GetBinaryForm(buffer, 0);
_SAMPR_SR_SECURITY_DESCRIPTOR securityDescriptor = new _SAMPR_SR_SECURITY_DESCRIPTOR()
{
SecurityDescriptor = buffer,
Length = (uint)buffer.Length
};
Site.Log.Add(LogEntryKind.TestStep,
"SamrSetSecurityObject, SecurityInformation: OWNER_SECURITY_INFORMATION as Built-in Guests.");
hResult = _samrProtocolAdapter.SamrSetSecurityObject(_domainHandle, SecurityInformation.OWNER_SECURITY_INFORMATION, securityDescriptor);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "If the database object referenced by ObjectHandle.Object is not a user object and the DACL_SECURITY_INFORMATION is not set in SecurityInformation, the server MUST silently ignore the request by aborting processing and returning 0.");
Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject to check again, SecurityInformation: OWNER_SECURITY_INFORMATION.");
_SAMPR_SR_SECURITY_DESCRIPTOR?sd;
hResult = _samrProtocolAdapter.SamrQuerySecurityObject(_domainHandle, SecurityInformation.OWNER_SECURITY_INFORMATION, out sd);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS.");
Site.Assert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null.");
// Initializing SecurityDescriptor object using the obtained bytes of security descriptor.
CommonSecurityDescriptor ObtainedSecurityDescriptor =
new CommonSecurityDescriptor(false, true, sd.Value.SecurityDescriptor, 0);
Site.Assert.AreEqual("O:BA", ObtainedSecurityDescriptor.GetSddlForm(AccessControlSections.Owner), "Owner should still be the Administrator.");
_SECURITY_DESCRIPTOR secdes = DtypUtility.DecodeSecurityDescriptor(sd.Value.SecurityDescriptor);
Site.Assert.IsNotNull(secdes.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is set, the client requests that the Owner member be returned.");
Site.Assert.IsNull(secdes.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned.");
Site.Assert.IsNull(secdes.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned.");
Site.Assert.IsNull(secdes.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned.");
Site.Assert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)secdes.OwnerSid), "3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544).");
}
public void SamrLookupDomainInSamServer_NonDC()
{
HRESULT hResult;
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword));
_samrProtocolAdapter.SamrBind(
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword,
false,
false);
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrConnect5, Server:{0}, Desired Access: SAM_SERVER_LOOKUP_DOMAIN.", _samrProtocolAdapter.domainMemberFqdn));
hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5(
_samrProtocolAdapter.domainMemberFqdn,
(uint)SERVER_ACCESS_MASK.SAM_SERVER_LOOKUP_DOMAIN,
out _serverHandle);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS.");
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrLookupDomainInSamServer, Name: {0}.", _samrProtocolAdapter.domainMemberNetBIOSName));
_RPC_SID?domainID;
hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrLookupDomainInSamServer(
_serverHandle,
DtypUtility.ToRpcUnicodeString("Builtin"),
out domainID);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrLookupDomainInSamServer must return STATUS_SUCCESS.");
PtfAssert.IsNotNull(domainID, "DomainId is not null.");
string domainSid = DtypUtility.ToSddlString(domainID.Value);
PtfAssert.AreEqual(
"S-1-5-32",
domainSid,
"The objectSid of the builtin domain must be returend.");
}
public void SharePermission_AccessDeny_SidNoInclude()
{
_SID sid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name);
string shareName;
if (dynamicallyConfigurableShareExist)
{
shareName = dynamicallyConfigurableShareName;
}
else
{
shareName = "AzShare05";
}
BaseTestSite.Assert.IsFalse(
AccessShare(shareName),
"User SID ({0}) is not in share Security Descriptor. User should not be able to access the share.",
DtypUtility.ToSddlString(sid));
}
public void SamrQuerySecurityObject_User_GROUP_SECURITY_INFORMATION_NonDC()
{
ConnectAndOpenUser_NonDC(_samrProtocolAdapter.domainMemberFqdn, _samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.DMAdminName, out _userHandle, (uint)Common_ACCESS_MASK.READ_CONTROL);
Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject with GROUP_SECURITY_INFORMATION");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
HRESULT result = _samrProtocolAdapter.SamrQuerySecurityObject(_userHandle, SecurityInformation.GROUP_SECURITY_INFORMATION, out securityDescriptor);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrQuerySecurityObject returns:{0}.", result);
Site.Assert.IsNotNull(securityDescriptor, "The returned securityDescriptor should not be null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned.");
Site.Assert.IsNotNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is set, the client requests that the Group member be returned.");
Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned.");
Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned.");
Site.Assert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)sd.GroupSid), "3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544).");
}
public void SamrQuerySecurityObjectForAlias_OWNER_SECURITY_INFORMATION()
{
aliasTestPrerequisite();
createAlias();
Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject with OWNER_SECURITY_INFORMATION");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
HRESULT result = _samrProtocolAdapter.SamrQuerySecurityObject(_aliasHandle, SecurityInformation.OWNER_SECURITY_INFORMATION, out securityDescriptor);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrQuerySecurityObject returns:{0}.", result);
Site.Assert.IsNotNull(securityDescriptor, "The returned securityDescriptor should not be null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
Site.Assert.IsNotNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is set, the client requests that the Owner member be returned.");
Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned.");
Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned.");
Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned.");
Site.Assert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)sd.OwnerSid), "3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544).");
}
public void SharePermission_AccessAllow_GroupSid()
{
_SID sid = sutCommonControlAdapterAccessor.GetGroupSid(azGroup01Name);
string shareName;
if (dynamicallyConfigurableShareExist)
{
object ace = DtypUtility.CreateAccessAllowedAce(sid, DtypUtility.ACCESS_MASK_STANDARD_RIGHTS_ALL | DtypUtility.ACCESS_MASK_SPECIFIC_RIGHTS_ALL, ACE_FLAGS.None);
SetSecurityDescriptorOnDynamicallyConfigurableShare(ace);
shareName = dynamicallyConfigurableShareName;
}
else
{
shareName = "AzShare02";
}
BaseTestSite.Assert.IsTrue(
AccessShare(shareName),
"ACCESS_ALLOWED_ACE with user's group SID ({0}) exists in share Security Descriptor. User should be able to access the share.",
DtypUtility.ToSddlString(sid));
}
public void SharePermission_AccessDeny_GroupSid()
{
_SID sid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azGroup01Name);
string shareName;
if (dynamicallyConfigurableShareExist)
{
object ace = DtypUtility.CreateAccessDeniedAce(sid, DtypUtility.ACCESS_MASK_STANDARD_RIGHTS_ALL | DtypUtility.ACCESS_MASK_SPECIFIC_RIGHTS_ALL, ACE_FLAGS.None);
SetSecurityDescriptorOnDynamicallyConfigurableShare(ace);
shareName = dynamicallyConfigurableShareName;
}
else
{
shareName = "AzShare04";
}
BaseTestSite.Assert.IsFalse(
AccessShare(shareName),
"ACCESS_DENIED_ACE with user's group SID ({0}) exists in file Security Descriptor. User should be not able to access the share.",
DtypUtility.ToSddlString(sid));
}
public void SharePermission_AccessDeny_UserSidWithoutReadPermission()
{
_SID sid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name);
string shareName;
if (dynamicallyConfigurableShareExist)
{
object ace = DtypUtility.CreateAccessDeniedAce(sid, 0, ACE_FLAGS.None);
SetSecurityDescriptorOnDynamicallyConfigurableShare(ace);
shareName = dynamicallyConfigurableShareName;
}
else
{
shareName = "AzShare06";
}
BaseTestSite.Assert.IsFalse(
AccessShare(shareName),
"ACCESS_ALLOWED_ACE with user SID ({0}) without READ permission in folder Security Descriptor. User should not be able to access the share.",
DtypUtility.ToSddlString(sid));
}
public void SamrQuerySecurityObject_GROUP_SECURITY_INFORMATION_Domain()
{
HRESULT hResult;
ConnectAndOpenDomain(_samrProtocolAdapter.PDCNetbiosName, _samrProtocolAdapter.PrimaryDomainDnsName,
out _serverHandle, out _domainHandle, (uint)Common_ACCESS_MASK.READ_CONTROL);
Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject, SecurityInformation: GROUP_SECURITY_INFORMATION.");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
hResult = _samrProtocolAdapter.SamrQuerySecurityObject(_domainHandle, SecurityInformation.GROUP_SECURITY_INFORMATION, out securityDescriptor);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS.");
Site.Assert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned.");
Site.Assert.IsNotNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is set, the client requests that the Group member be returned.");
Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned.");
Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned.");
Site.Assert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)sd.GroupSid), "3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544).");
}
public void SamrQuerySecurityObject_Server_DACL_NonDC()
{
HRESULT hResult;
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword));
_samrProtocolAdapter.SamrBind(
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword,
false,
false);
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrConnect5, Server:{0}, Desired Access: READ_CONTROL.", _samrProtocolAdapter.domainMemberFqdn));
hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5(
_samrProtocolAdapter.domainMemberFqdn,
(uint)COMMON_ACCESS_MASK.READ_CONTROL,
out _serverHandle);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS.");
Site.Log.Add(LogEntryKind.TestStep,
"SamrQuerySecurityObject, SecurityInformation: DACL_SECURITY_INFORMATION.");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrQuerySecurityObject(
_serverHandle,
SamrQuerySecurityObject_SecurityInformation_Values.DACL_SECURITY_INFORMATION,
out securityDescriptor);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS.");
PtfAssert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
PtfAssert.IsNotNull(sd.Dacl,
"[MS-SAMR] 3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is set, the client requests that the DACL be returned.");
PtfAssert.IsNull(sd.OwnerSid,
"[MS-SAMR] 3.1.5.12.2 The field(OwnerSid) of the security descriptor is not returned and is set to zero.");
PtfAssert.IsNull(sd.GroupSid,
"[MS-SAMR] 3.1.5.12.2 The field(GroupSid) of the security descriptor is not returned and is set to zero.");
PtfAssert.IsNull(sd.Sacl,
"[MS-SAMR] 3.1.5.12.2 The field(SACL) of the security descriptor is not returned and is set to zero.");
Site.Log.Add(LogEntryKind.TestStep,
"Verifies that the DACL returned from the server contains the following ACEs: WorldSid(SAM_SERVER_EXECUTE | SAM_SERVER_READ), AdministratorSid(SAM_SERVER_ALL_ACCESS");
bool worldSidFound = false;
uint worldSidMask = 0;
bool adminSidFound = false;
uint adminSidMask = 0;
foreach (var o in sd.Dacl.Value.Aces)
{
if (!(o is Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE))
{
continue;
}
Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE ace = (Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE)o;
switch (DtypUtility.ToSddlString(ace.Sid))
{
case AdministratorSid:
adminSidFound = true;
adminSidMask = ace.Mask;
break;
case WorldSid:
worldSidFound = true;
worldSidMask = ace.Mask;
break;
}
}
PtfAssert.IsTrue(worldSidFound,
"[MS-SAMR] 3.1.5.12.2 If ObjectHandle.Object refers to the server object, the DACL MUST contain the following ACE. WorldSid");
PtfAssert.AreEqual(SERVER_ACCESS_MASK.SAM_SERVER_EXECUTE | SERVER_ACCESS_MASK.SAM_SERVER_READ, (SERVER_ACCESS_MASK)worldSidMask,
"The access mask of WorldSid is SAM_SERVER_EXECUTE|SAM_SERVER_READ.");
PtfAssert.IsTrue(adminSidFound,
"[MS-SAMR] 3.1.5.12.2 If ObjectHandle.Object refers to the server object, the DACL MUST contain the following ACE. AdministratorSid");
PtfAssert.AreEqual(SERVER_ACCESS_MASK.SAM_SERVER_ALL_ACCESS, (SERVER_ACCESS_MASK)adminSidMask,
"The access mask of AdministratorSid is SAM_SERVER_ALL_ACCESS.");
}
public void SamrQuerySecurityObject_Group_DACL_SECURITY_INFORMATION_Domain()
{
HRESULT hResult;
ConnectAndOpenDomain(_samrProtocolAdapter.PDCNetbiosName, _samrProtocolAdapter.PrimaryDomainDnsName,
out _serverHandle, out _domainHandle, (uint)Common_ACCESS_MASK.READ_CONTROL);
Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject, SecurityInformation: GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION.");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
hResult = _samrProtocolAdapter.SamrQuerySecurityObject(_domainHandle, SecurityInformation.GROUP_SECURITY_INFORMATION | SecurityInformation.DACL_SECURITY_INFORMATION, out securityDescriptor);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS.");
Site.Assert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned.");
Site.Assert.IsNotNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is set, the client requests that the Group member be returned.");
Site.Assert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)sd.GroupSid), "3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544).");
Site.Assert.IsNotNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is set, the client requests that the DACL be returned.");
Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned.");
bool isAdminSidMatched = false;
bool isWorldSidMatched = false;
bool isAccountOperatorSidMatched = false;
foreach (var ace in sd.Dacl.Value.Aces)
{
if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(AdministratorSid, StringComparison.InvariantCultureIgnoreCase))
{
if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)(DOMAIN_ACCESS_MASK.DOMAIN_ALL_ACCESS))
{
isAdminSidMatched = true;
}
else
{
Site.Log.Add(LogEntryKind.Debug, "The AdministratorSid's Access Mask is {0}.", ((_ACCESS_ALLOWED_ACE)ace).Mask);
}
}
if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(WorldSid, StringComparison.InvariantCultureIgnoreCase))
{
if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)(DOMAIN_ACCESS_MASK.DOMAIN_ALL_EXECUTE | DOMAIN_ACCESS_MASK.DOMAIN_READ))
{
isWorldSidMatched = true;
}
else
{
Site.Log.Add(LogEntryKind.Debug, "The WorldSid's Access Mask is {0}.", ((_ACCESS_ALLOWED_ACE)ace).Mask);
}
}
if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(AccountOperatorsSid, StringComparison.InvariantCultureIgnoreCase))
{
if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)(DOMAIN_ACCESS_MASK.DOMAIN_ALL_EXECUTE
| DOMAIN_ACCESS_MASK.DOMAIN_READ
| DOMAIN_ACCESS_MASK.DOMAIN_CREATE_USER
| DOMAIN_ACCESS_MASK.DOMAIN_CREATE_GROUP
| DOMAIN_ACCESS_MASK.DOMAIN_CREATE_ALIAS))
{
isAccountOperatorSidMatched = true;
}
else
{
Site.Log.Add(LogEntryKind.Debug, "The AccountOperatorSid's Access Mask is {0}.", ((_ACCESS_ALLOWED_ACE)ace).Mask);
}
}
}
Site.Assert.IsTrue(isWorldSidMatched, "3.1.5.12.2.1 If ObjectHandle.Object refers to a domain object, the DACL MUST contain WorldSid:DOMAIN_EXECUTE | DOMAIN_READ.");
Site.Assert.IsTrue(isAdminSidMatched, "3.1.5.12.2.1 If ObjectHandle.Object refers to a domain object, the DACL MUST contain AdministratorSid:DOMAIN_ALL_ACCESS.");
Site.Assert.IsTrue(isAccountOperatorSidMatched,
"3.1.5.12.2.1 If ObjectHandle.Object refers to a domain object, the DACL MUST contain AccountOperatorSid:DOMAIN_EXECUTE | DOMAIN_READ | DOMAIN_CREATE_USER | DOMAIN_CREATE_GROUP | DOMAIN_CREATE_ALIAS.");
}
