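/// <summary>
/// The QuerySecurityObject method is invoked to query security information that is assigned
/// to a database object. It returns the security descriptor of the object.
/// </summary>
/// <param name="handleInput">Contains any object handle. Not consulted by this adapter method:
/// the handle actually sent to the server is chosen from adapter state (see remarks).</param>
/// <param name="securityInfo">Contains security descriptor information</param>
/// <param name="securityDescriptor">Out param contains valid or invalid security descriptor:
/// Invalid when the server returned no descriptor, Valid otherwise (contents are not inspected).</param>
/// <returns>Returns Success if the method is successful
/// Returns AccessDenied if the caller does not have the permissions to perform this operation
/// Returns InvalidHandle if the handle passed in is not a valid object handle
/// Returns NotSupported if the request is not supported</returns>
/// <remarks>
/// Handle selection: with no open account handles and checkTrustHandle set, the trusted-domain
/// handle is used (expects STATUS_NOT_SUPPORTED); with no open account handles and
/// checkTrustHandle clear, an account is opened (created if absent), a second handle to it is
/// taken and the object is deleted through the first one, so the handle sent is stale (expects
/// STATUS_INVALID_HANDLE); otherwise the currently held account handle is used.
/// Side effects: overwrites the class-level uintSecurityInfo, uintDesrAccess, uintMethodStatus
/// and, on the first two paths, objAccountHandle.
/// </remarks>
public ErrorStatus QuerySecurityObject(
    int handleInput,
    SecurityInfo securityInfo,
    out SecurityDescriptor securityDescriptor)
{
    System.IntPtr? objInvalidAccountHandle = IntPtr.Zero;

    // Convert.ToByte throws OverflowException above 255; assumes QuerySecurityInfo is a small
    // SECURITY_INFORMATION bitmask — TODO confirm.
    uintSecurityInfo = Convert.ToByte(LsadUtilities.QuerySecurityInfo);

    // Normalise the SID revision to 1 before the SID is used to open or create the account.
    objAccountSid[0].Revision = 0x01;
    _LSAPR_SR_SECURITY_DESCRIPTOR? secDescriptor = new _LSAPR_SR_SECURITY_DESCRIPTOR();

    if ((htAccHandle.Count == 0) && (checkTrustHandle == true))
    {
        // Trusted-domain object: the server is expected to answer STATUS_NOT_SUPPORTED.
        objAccountHandle = validTrustHandle;
    }
    else if ((htAccHandle.Count == 0) && (checkTrustHandle == false))
    {
        #region Passing InvalidHandle
        // Same sequence as SetSecurityObject: take one handle to the account (creating it if the
        // open fails), take a second handle to the same object, then delete the object through the
        // first handle. objAccountHandle is left referring to a deleted object, which is what is
        // sent below. Both the "exists" and "created" paths open into the same variables, so the
        // object deleted is always the one just opened and no intermediate handle is dropped.
        uintDesrAccess = ACCESS_MASK.MAXIMUM_ALLOWED;
        uintMethodStatus = lsadClientStack.LsarOpenAccount(
            objPolicyHandle.Value,
            objAccountSid[0],
            uintDesrAccess,
            out objInvalidAccountHandle);
        if (uintMethodStatus != 0)
        {
            uintMethodStatus = lsadClientStack.LsarCreateAccount(
                objPolicyHandle.Value,
                objAccountSid[0],
                uintDesrAccess,
                out objInvalidAccountHandle);
        }

        uintMethodStatus = lsadClientStack.LsarOpenAccount(
            objPolicyHandle.Value,
            objAccountSid[0],
            uintDesrAccess,
            out objAccountHandle);
        uintMethodStatus = lsadClientStack.LsarDeleteObject(ref objInvalidAccountHandle);
        #endregion Passing InvalidHandle
    }

    uintMethodStatus = lsadClientStack.LsarQuerySecurityObject(
        objAccountHandle.Value,
        (SECURITY_INFORMATION)uintSecurityInfo,
        out secDescriptor);

    // Only report whether a descriptor came back; its contents are not validated here.
    securityDescriptor = (null == secDescriptor) ? SecurityDescriptor.Invalid : SecurityDescriptor.Valid;

    if ((htAccHandle.Count == 0) && (checkTrustHandle == true))
    {
        #region MS-LSAD_R829
        TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<uint>(
            (uint)ErrorStatus.NotSupported,
            (uint)uintMethodStatus,
            "MS-LSAD",
            829,
            @"It is valid for the server to not support LsarQuerySecurityObject method for all object types. If an object does not support the LsarQuerySecurityObject method, the server MUST return STATUS_NOT_SUPPORTED.");
        #endregion

        #region MS-LSAD_R830
        TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<uint>(
            (uint)ErrorStatus.NotSupported,
            (uint)uintMethodStatus,
            "MS-LSAD",
            830,
            @"The server will not return the security descriptor of objects that it stores in Active Directory. It will return the security descriptor of objects in its local policy only. The objects stored in Active Directory include Global Secrets and trusted domain objects in Windows 2000 and Windows Server 2003 R2. 
For objects that fall into this category, the server will return the STATUS_NOT_SUPPORTED status code on receipt of LsarQuerySecurityObject method.");
        #endregion
    }
    else if ((htAccHandle.Count == 0) && (checkTrustHandle == false))
    {
        #region MS-LSAD_R826
        TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<uint>(
            (uint)ErrorStatus.InvalidHandle,
            (uint)uintMethodStatus,
            "MS-LSAD",
            826,
            @"If the handle of Opnum LsarQuerySecurityObject is not a valid context handle to an object, the server MUST return STATUS_INVALID_HANDLE. ");
        #endregion
    }
    else if ((securityInfo != SecurityInfo.SACLSecurityInformation)
        && ((uintOpenAccAccess & ACCESS_MASK.READ_CONTROL) != ACCESS_MASK.READ_CONTROL))
    {
        // Missing READ_CONTROL on a non-SACL query is expected to be refused. A SACL query without
        // READ_CONTROL falls through to the Success expectation — presumably because SACL access
        // is governed by a different right (ACCESS_SYSTEM_SECURITY); confirm against the test plan.
        #region MS-LSAD_R825
        TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<uint>(
            (uint)ErrorStatus.AccessDenied,
            (uint)uintMethodStatus,
            "MS-LSAD",
            825,
            @"SecurityDescriptor of LsarQuerySecurityObject MUST return STATUS_ACCESS_DENIED if the caller does not have the permissions to perform the operation.");
        #endregion
    }
    else
    {
        #region MS-LSAD_R824
        TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<uint>(
            (uint)ErrorStatus.Success,
            (uint)uintMethodStatus,
            "MS-LSAD",
            824,
            @"SecurityDescriptor of LsarQuerySecurityObject return Values that an implementation MUST return STATUS_SUCCESS if the request was successfully completed.");
        #endregion
    }

    return ((ErrorStatus)uintMethodStatus);
}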
/// <summary>
/// The SetSecurityObject method is invoked to set a security descriptor on an object.
/// </summary>
/// <param name="handleInput">Contains any object handle. Not consulted by this adapter method:
/// the handle actually sent to the server is chosen from adapter state (see remarks).</param>
/// <param name="securityInfo">Contains security descriptor information type</param>
/// <param name="securityDescriptor">Contains security descriptor to be set (Null and Invalid
/// select the negative-test payloads built below)</param>
/// <returns>Returns Success if the method is successful
/// Returns AccessDenied if the caller does not have the permissions to perform this operation
/// Returns InvalidHandle if the handle passed in is not a valid object handle
/// Returns NotSupported if the request is not supported for this object
/// Returns InvalidParameter if the parameters passed to the method are not valid
/// Returns InvalidSecurityDescr if the supplied security descriptor is invalid</returns>
/// <remarks>
/// Handle selection: with no open account handles and checkTrustHandle set, the trusted-domain
/// handle is used (expects STATUS_NOT_SUPPORTED); with no open account handles and
/// checkTrustHandle clear, an account is opened (created if absent), a second handle to it is
/// taken and the object is deleted through the first one, so the handle sent is stale (expects
/// STATUS_INVALID_HANDLE); otherwise the currently held account handle is used.
/// Side effects: reopens objPolicyHandle, overwrites the class-level uintSecurityInfo,
/// uintDesrAccess and uintMethodStatus, and clears invalidHandleCheck before returning.
/// </remarks>
public ErrorStatus SetSecurityObject(
    int handleInput,
    SecurityInfo securityInfo,
    SecurityDescriptor securityDescriptor)
{
    System.IntPtr? objInvalidAccountHandle = IntPtr.Zero;

    // Access bits that must all be present on the account handle for the DACL-write case.
    uint writeDacl = 0x000F0FFF;

    // A fresh policy handle is opened on every call; the previous objPolicyHandle value is not
    // closed here.
    uintMethodStatus = lsadClientStack.LsarOpenPolicy(
        serverName,
        objectAttributes,
        uintAccess,
        out objPolicyHandle);

    // Baseline payload: a well-formed descriptor from the utilities, with Length kept equal to the
    // byte-array length.
    _LSAPR_SR_SECURITY_DESCRIPTOR secDescriptor = new _LSAPR_SR_SECURITY_DESCRIPTOR();
    secDescriptor.SecurityDescriptor = utilities.SecurityDescriptor();
    secDescriptor.Length = (uint)secDescriptor.SecurityDescriptor.Length;

    if ((htAccHandle.Count == 0) && (checkTrustHandle == true))
    {
        // Trusted-domain object: the server is expected to answer STATUS_NOT_SUPPORTED.
        // NOTE(review): uintSecurityInfo is not assigned on this path, so whatever value an
        // earlier call left in the class-level field is sent.
        objAccountHandle = validTrustHandle;
    }
    else
    {
        if ((htAccHandle.Count == 0) && (checkTrustHandle == false))
        {
            #region Passing InvalidHandle
            // Take one handle to the account (creating it if the open fails), take a second handle
            // to the same object, then delete the object through the first. objAccountHandle is
            // left referring to a deleted object, which is what is sent below.
            uintDesrAccess = ACCESS_MASK.MAXIMUM_ALLOWED;
            uintMethodStatus = lsadClientStack.LsarOpenAccount(
                objPolicyHandle.Value,
                objAccountSid[0],
                uintDesrAccess,
                out objInvalidAccountHandle);
            if (uintMethodStatus != 0)
            {
                uintMethodStatus = lsadClientStack.LsarCreateAccount(
                    objPolicyHandle.Value,
                    objAccountSid[0],
                    uintDesrAccess,
                    out objInvalidAccountHandle);
            }

            uintMethodStatus = lsadClientStack.LsarOpenAccount(
                objPolicyHandle.Value,
                objAccountSid[0],
                uintDesrAccess,
                out objAccountHandle);
            uintMethodStatus = lsadClientStack.LsarDeleteObject(ref objInvalidAccountHandle);
            #endregion Passing InvalidHandle
        }

        // Choose the SECURITY_INFORMATION value to send. 0x00080000 is used when the handle carries
        // the right needed for the requested part; 0x99999999 is used when it does not —
        // presumably to drive the ACCESS_DENIED expectation captured below (R832); confirm which
        // failure the server reports first for an out-of-range value. Only the Owner and DACL cases
        // assign the field; for any other securityInfo value the previous class-level value is reused.
        if (securityInfo == SecurityInfo.OwnerSecurityInformation)
        {
            if ((uintOpenAccAccess & ACCESS_MASK.WRITE_OWNER) == ACCESS_MASK.WRITE_OWNER)
            {
                uintSecurityInfo = 0x00080000;
            }
            else
            {
                uintSecurityInfo = 0x99999999;
            }
        }
        else if (securityInfo == SecurityInfo.DACLSecurityInformation)
        {
            if (((uint)uintOpenAccAccess & writeDacl) == writeDacl)
            {
                uintSecurityInfo = 0x00080000;
            }
            else
            {
                uintSecurityInfo = 0x99999999;
            }
        }

        // Shape the payload for the negative descriptor cases.
        if (securityDescriptor == SecurityDescriptor.Null)
        {
            // No descriptor and zero length: expects STATUS_INVALID_PARAMETER (R837).
            secDescriptor.SecurityDescriptor = null;
            secDescriptor.Length = (uint)0;
        }
        else if (securityDescriptor == SecurityDescriptor.Invalid)
        {
            // Zero the first byte (presumably the Revision field of the self-relative descriptor)
            // so the descriptor fails validation: expects STATUS_INVALID_SECURITY_DESCR (R836).
            // Assumes utilities.SecurityDescriptor() never returns an empty array — TODO confirm.
            secDescriptor.SecurityDescriptor[0] = 0x00000000;
            secDescriptor.Length = (uint)secDescriptor.SecurityDescriptor.Length;
        }
    }

    uintMethodStatus = lsadClientStack.LsarSetSecurityObject(
        objAccountHandle.Value,
        (SECURITY_INFORMATION)uintSecurityInfo,
        secDescriptor);

    if ((htAccHandle.Count == 0) && (checkTrustHandle == true))
    {
        #region MS-LSAD_R833
        TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<uint>(
            (uint)ErrorStatus.NotSupported,
            (uint)uintMethodStatus,
            "MS-LSAD",
            833,
            @"LsarSetSecurityObject MUST return STATUS_NOT_SUPPORTED if the operation is not supported for this 
object.");
        #endregion

        // The trusted-domain handle (checkTrustHandle == true) was passed to LsarSetSecurityObject.
        #region MS-LSAD_R838
        TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<uint>(
            (uint)ErrorStatus.NotSupported,
            (uint)uintMethodStatus,
            "MS-LSAD",
            838,
            @"The Windows server will not return the security descriptor of objects it stores in Active Directory. It will return the security descriptor of objects in its local policy only. The objects stored in Active Directory include Global Secrets and trusted domain objects. For objects that fall into this category, a Windows server returns the STATUS_NOT_SUPPORTED status code when it receives a LsarSetSecurityObject request.");
        #endregion
    }
    else if (securityDescriptor == SecurityDescriptor.Null)
    {
        #region MS-LSAD_R837
        TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<uint>(
            (uint)ErrorStatus.InvalidParameter,
            (uint)uintMethodStatus,
            "MS-LSAD",
            837,
            @"The server MUST return STATUS_InvalidParameter when one of the parameter of LsarSetSecurityObject supplied is inValid(for instance security descriptor)");
        #endregion
    }
    else if (securityDescriptor == SecurityDescriptor.Invalid)
    {
        #region MS-LSAD_R836
        TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<uint>(
            (uint)ErrorStatus.InvalidSecurityDescr,
            (uint)uintMethodStatus,
            "MS-LSAD",
            836,
            @"If the security descriptor in LsarSetSecurityObject is invalid, the server MUST return the STATUS_INVALID_SECURITY_DESCR status code.");
        #endregion
    }
    else if ((htAccHandle.Count == 0) && (checkTrustHandle == false))
    {
        #region MS-LSAD_R834
        TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<uint>(
            (uint)ErrorStatus.InvalidHandle,
            (uint)uintMethodStatus,
            "MS-LSAD",
            834,
            @"If the ObjectHandle in LsarSetSecurityObject is not a valid context handle to an object, the server MUST return STATUS_INVALID_HANDLE. 
");
        #endregion
    }
    else if ((securityInfo == SecurityInfo.OwnerSecurityInformation)
        && ((uintOpenAccAccess & ACCESS_MASK.WRITE_OWNER) != ACCESS_MASK.WRITE_OWNER))
    {
        // Owner change without WRITE_OWNER on the handle.
        #region MS-LSAD_R832
        TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<uint>(
            (uint)ErrorStatus.AccessDenied,
            (uint)uintMethodStatus,
            "MS-LSAD",
            832,
            @"LsarSetSecurityObject MUST return STATUS_ACCESS_DENIED if the caller does not have the permissions to perform this operation");
        #endregion
    }
    else if ((securityInfo == SecurityInfo.DACLSecurityInformation)
        && (((uint)uintOpenAccAccess & writeDacl) != writeDacl))
    {
        // DACL change without the full writeDacl bit set on the handle; same requirement as above.
        #region MS-LSAD_R832
        TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<uint>(
            (uint)ErrorStatus.AccessDenied,
            (uint)uintMethodStatus,
            "MS-LSAD",
            832,
            @"LsarSetSecurityObject MUST return STATUS_ACCESS_DENIED if the caller does not have the permissions to perform this operation");
        #endregion
    }
    else
    {
        // R51/R52 compare the adapter's own Length field with its own byte array; the two were set
        // equal above, so these captures record the shape of the structure sent rather than
        // verifying anything the server did.
        #region MS-LSAD_R51
        TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<uint>(
            secDescriptor.Length,
            (uint)secDescriptor.SecurityDescriptor.Length,
            "MS-LSAD",
            51,
            @"The SecurityDescriptor field of the LSAPR_SR_SECURITY_DESCRIPTOR structure of the LSAD protocol MUST contain the number of bytes that are specified in the Length field.");
        #endregion

        #region MS-LSAD_R52
        TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<uint>(
            secDescriptor.Length,
            (uint)secDescriptor.SecurityDescriptor.Length,
            "MS-LSAD",
            52,
            @"If the Length field of the LSAPR_SR_SECURITY_DESCRIPTOR structure of the LSAD protocol has a value other than 0, the SecurityDescriptor field MUST NOT be NULL.");
        #endregion

        #region MS-LSAD_R831
        TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<uint>(
            (uint)ErrorStatus.Success,
            (uint)uintMethodStatus,
            "MS-LSAD",
            831,
            @"LsarSetSecurityObject returns MUST return STATUS_SUCCESS if the request was successfully completed.");
        #endregion
    }

    // Reset the adapter's invalid-handle flag for the next operation.
    invalidHandleCheck = false;
    return ((ErrorStatus)uintMethodStatus);
}