private void ProcessName() { foreach (string right in Name) { WriteVerbose($"Getting current membership for the privilege/right '{right}'"); IdentityReference[] actualMembers; try { actualMembers = Lsa.EnumerateAccountsWithUserRight(_lsa, right).ToArray(); } catch (ArgumentException e) { WriteError(new ErrorRecord(e, "InvalidPrivilegeRightName", ErrorCategory.InvalidArgument, right)); continue; } if (actualMembers.Length > 0) { WriteVerbose($"Privilege/right '{right}' contains members, removing"); foreach (IdentityReference member in actualMembers) { if (ShouldProcess(member.Value, $"Remove from the rights {right}")) { Lsa.RemoveAccountRights(_lsa, member, new string[] { right }); } } } else { WriteVerbose($"Privilege/right '{right}' has no members, no action required"); } } }
protected override void ProcessRecord() { foreach (string right in Name) { List <SecurityIdentifier> actualMembers; try { actualMembers = Lsa.EnumerateAccountsWithUserRight(_lsa, right); } catch (ArgumentException e) { WriteError(new ErrorRecord(e, "InvalidPrivilegeRightName", ErrorCategory.InvalidArgument, right)); continue; } SecurityIdentifier[] toChange = CalculateChanges(actualMembers); foreach (SecurityIdentifier id in toChange) { if (!_setInfo.ContainsKey(id)) { _setInfo[id] = new List <string>(); } _setInfo[id].Add(right); } } }
static void Main(string[] args) { Console.WriteLine(new Lsa().AccessEnabled); return; Trace.Listeners.Add(new ConsoleTraceListener()); var lsa = new Lsa(); Console.WriteLine("AccessEnabled = " + lsa.AccessEnabled); foreach (var user in lsa.AllowLogonLocally) { Console.Write(user); Console.Write(" = "); try { Console.WriteLine(new SecurityIdentifier(user).Translate(typeof(NTAccount))); } catch (Exception ex) { Console.WriteLine(ex.GetType().Name); } } Console.WriteLine("-end-"); if (args.Length == 0) { lsa.AccessEnabled = true; } else { lsa.AccessEnabled = false; } }
private void Dispose(bool disposing) { if (this._lsaHandle != IntPtr.Zero) { int num = (int)Lsa.LsaDeregisterLogonProcess(this._lsaHandle); this._lsaHandle = IntPtr.Zero; } if (!disposing) { return; } GC.SuppressFinalize((object)this); }
static void SetLogonAsAServicePrivilege(UserAccount userAccount) { if (!userAccount.Domain.Equals("NT AUTHORITY", StringComparison.OrdinalIgnoreCase)) { var privileges = Lsa.GetPrivileges(userAccount.QualifiedName).ToList(); if (!privileges.Contains(LogonPrivileges.LogonAsAService, StringComparer.OrdinalIgnoreCase)) { privileges.Add(LogonPrivileges.LogonAsAService); Lsa.GrantPrivileges(userAccount.QualifiedName, privileges.ToArray()); } } }
public TicketsManager() { WinStatusCodes winStatusCodes1 = Lsa.LsaConnectUntrusted(out this._lsaHandle); if (winStatusCodes1 != WinStatusCodes.STATUS_SUCCESS) { throw new Exception("LsaConnectUntrusted failed with NTSTATUS code: " + (object)winStatusCodes1 + " (0x" + winStatusCodes1.ToString("x8") + ")"); } WinStatusCodes winStatusCodes2 = Lsa.LsaLookupAuthenticationPackage(this._lsaHandle, ref new LsaStringWrapper("Kerberos")._string, out this._kerberosPackageId); if (winStatusCodes2 != WinStatusCodes.STATUS_SUCCESS) { throw new Exception("LsaLookupAuthenticationPackage failed with NTSTATUS code: " + (object)winStatusCodes2 + " (0x" + winStatusCodes2.ToString("x") + ")"); } }
public void ChangeAccountDetails(string serviceAccount, string servicePassword) { var userAccount = UserAccount.ParseAccountName(serviceAccount); if (!(userAccount.IsLocalService() || userAccount.IsLocalService())) { var privileges = Lsa.GetPrivileges(userAccount.QualifiedName).ToList(); if (!privileges.Contains(LogonPrivileges.LogonAsAService, StringComparer.OrdinalIgnoreCase)) { privileges.Add(LogonPrivileges.LogonAsAService); Lsa.GrantPrivileges(userAccount.QualifiedName, privileges.ToArray()); } } var objPath = $"Win32_Service.Name='{ServiceName}'"; using (var win32Service = new ManagementObject(new ManagementPath(objPath))) { var inParams = win32Service.GetMethodParameters("Change"); inParams["StartName"] = ConvertAccountNameToServiceAccount(userAccount.QualifiedName); inParams["StartPassword"] = servicePassword; var outParams = win32Service.InvokeMethod("Change", inParams, null); if (outParams == null) { throw new ManagementException($"Failed to set account credentials service {ServiceName}"); } var wmiReturnCode = Convert.ToInt32(outParams["ReturnValue"]); if (wmiReturnCode != 0) { var message = (wmiReturnCode < Win32ChangeErrorMessages.Length) ? $"Failed to change service credentials on service {ServiceName} - {Win32ChangeErrorMessages[wmiReturnCode]}" : "An unknown error occurred"; if (wmiReturnCode == 22) { message += $"( AccountName {userAccount.QualifiedName} converted to {ConvertAccountNameToServiceAccount(userAccount.QualifiedName)})"; } throw new ManagementException(message); } } }
private void ProcessAccount() { foreach (IdentityReference acct in Account) { WriteVerbose($"Getting current rights for '{acct.Value}'"); string[] rights = Lsa.EnumerateAccountRights(_lsa, acct).ToArray(); if (rights.Length > 0) { WriteVerbose($"Removing all rights for account '{acct.Value}'"); if (ShouldProcess(acct.Value, "Remove all rights")) { Lsa.RemoveAllAccountRights(_lsa, acct); } } else { WriteVerbose($"Account '{acct.Value} does not have any rights, no action required"); } } }
public bool PurgeTicket(Ticket ticket) { byte[] bytes1 = Encoding.Unicode.GetBytes(ticket.ServerName + "\0"); byte[] bytes2 = Encoding.Unicode.GetBytes(ticket.RealmName + "\0"); int cb = 28 + bytes1.Length + bytes2.Length; IntPtr num = Marshal.AllocHGlobal(cb); IntPtr destination1 = new IntPtr(num.ToInt64() + 28L); IntPtr destination2 = new IntPtr(num.ToInt64() + 28L + (long)bytes1.Length); Marshal.Copy(bytes1, 0, destination1, bytes1.Length); Marshal.Copy(bytes2, 0, destination2, bytes2.Length); UNICODE_STRING unicodeString1; unicodeString1.Length = (ushort)(bytes1.Length - 2); unicodeString1.MaximumLength = (ushort)bytes1.Length; unicodeString1.Buffer = destination1; UNICODE_STRING unicodeString2; unicodeString2.Length = (ushort)(bytes2.Length - 2); unicodeString2.MaximumLength = (ushort)bytes2.Length; unicodeString2.Buffer = destination2; KERB_PURGE_TKT_CACHE_REQUEST purgeTktCacheRequest; purgeTktCacheRequest.MessageType = KERB_PROTOCOL_MESSAGE_TYPE.KerbPurgeTicketCacheMessage; purgeTktCacheRequest.ServerName = unicodeString1; purgeTktCacheRequest.RealmName = unicodeString2; purgeTktCacheRequest.LogonId = 0L; Marshal.StructureToPtr((object)purgeTktCacheRequest, num, false); uint ProtocolStatus; WinStatusCodes winStatusCodes = Lsa.LsaPurgeTickets(this._lsaHandle, this._kerberosPackageId, num, (uint)cb, out IntPtr _, out uint _, out ProtocolStatus); Marshal.FreeHGlobal(num); if (winStatusCodes != WinStatusCodes.STATUS_SUCCESS) { throw new Exception("LsaCallAuthenticationPackage (LsaGetTickets) failed with NTSTATUS code: " + (object)winStatusCodes + " (0x" + winStatusCodes.ToString("x8") + ")"); } return(ProtocolStatus == 0U); }
public List <Ticket> GetTickets() { List <Ticket> ticketList = new List <Ticket>(); KERB_QUERY_TKT_CACHE_REQUEST ProtocolSubmitBuffer; ProtocolSubmitBuffer.MessageType = KERB_PROTOCOL_MESSAGE_TYPE.KerbQueryTicketCacheMessage; ProtocolSubmitBuffer.LogonId = 0L; IntPtr ProtocolReturnBuffer; WinStatusCodes tickets = Lsa.LsaGetTickets(this._lsaHandle, this._kerberosPackageId, ref ProtocolSubmitBuffer, 12U, out ProtocolReturnBuffer, out uint _, out uint _); if (tickets != WinStatusCodes.STATUS_SUCCESS) { throw new Exception("LsaCallAuthenticationPackage (LsaGetTickets) failed with NTSTATUS code: " + (object)tickets + " (0x" + tickets.ToString("x8") + ")"); } KERB_QUERY_TKT_CACHE_RESPONSE structure1 = (KERB_QUERY_TKT_CACHE_RESPONSE)Marshal.PtrToStructure(ProtocolReturnBuffer, typeof(KERB_QUERY_TKT_CACHE_RESPONSE)); KERB_TICKET_CACHE_INFO kerbTicketCacheInfo = new KERB_TICKET_CACHE_INFO(); for (int index = 0; (long)index < (long)structure1.CountOfTickets; ++index) { KERB_TICKET_CACHE_INFO structure2 = (KERB_TICKET_CACHE_INFO)Marshal.PtrToStructure(new IntPtr(ProtocolReturnBuffer.ToInt64() + 8L + (long)(index * 48)), typeof(KERB_TICKET_CACHE_INFO)); ticketList.Add(new Ticket() { ServerName = Helper.GetStringFromUNICODE_STRING(structure2.ServerName), RealmName = Helper.GetStringFromUNICODE_STRING(structure2.RealmName), StartTime = Helper.GetDateTimeFromFILETIME(structure2.StartTime), EndTime = Helper.GetDateTimeFromFILETIME(structure2.EndTime), RenewTime = Helper.GetDateTimeFromFILETIME(structure2.RenewTime), EncryptionType = structure2.EncryptionType, TicketFlags = (Ticket.KerbTicketFlags)structure2.TicketFlags }); } if (ProtocolReturnBuffer != IntPtr.Zero) { int num = (int)Lsa.LsaFreeReturnBuffer(ProtocolReturnBuffer); } return(ticketList); }
protected override void BeginProcessing() { WriteVerbose($"Opening handle to LSA with {AccessMask}"); _lsa = Lsa.OpenPolicy(ComputerName, AccessMask); }
protected override void ProcessRecord() { // Will be invalid if it failed to be opened in begin. if (_lsa.IsInvalid) { return; } if (Account == null && Name.Length == 0) { Name = PrivilegeHelper.ALL_PRIVILEGES.Concat(Lsa.ALL_RIGHTS.Keys).ToArray(); } else if (Account != null) { string[] accountRights = Lsa.EnumerateAccountRights(_lsa, Account).ToArray(); if (Name.Length > 0) { accountRights = accountRights.Intersect(Name).ToArray(); } Name = accountRights; } WriteVerbose("Getting details for the following rights: " + String.Join(", ", Name)); foreach (string right in Name) { string description = ""; if (Lsa.ALL_RIGHTS.ContainsKey(right)) { description = Lsa.ALL_RIGHTS[right]; } else if (PrivilegeHelper.CheckPrivilegeName(right)) { description = PrivilegeHelper.GetPrivilegeDisplayName(right); } else { WriteWarning($"Unknown right {right}, cannot get description"); } WriteVerbose($"Enumerating accounts with the privilege/rights '{right}'"); IdentityReference[] rightAccounts; try { rightAccounts = Lsa.EnumerateAccountsWithUserRight(_lsa, right) .Select(i => TranslateIdentity(i, IdentityType)) .ToArray(); } catch (ArgumentException e) { WriteError(new ErrorRecord(e, "InvalidPrivilegeRightName", ErrorCategory.InvalidArgument, right)); continue; } WriteObject(new Right() { Name = right, ComputerName = ComputerName, Description = description, Accounts = rightAccounts, }); } }