Ejemplo n.º 1
0
        protected override void InternalProcessRecord()
        {
            bool          flag          = true;
            StringBuilder stringBuilder = new StringBuilder();
            ADDomain      addomain      = ADForest.GetLocalForest().FindRootDomain(true);

            if (addomain == null)
            {
                flag = false;
                stringBuilder.AppendLine("Failed to read root domain");
            }
            else
            {
                IRootOrganizationRecipientSession session = TestDataCenterDKMAccess.CreateAdSession();
                foreach (Tuple <string, Dictionary <SecurityIdentifier, ActiveDirectoryRights> > tuple in this.ExpectedAccessRights)
                {
                    flag &= TestDataCenterDKMAccess.VerifyDkmObjectPermissions(session, tuple.Item1, addomain.Id.ToDNString(), tuple.Item2, stringBuilder);
                }
            }
            if (flag)
            {
                stringBuilder.Append("DKM has correct ACL settings");
            }
            this.ReportDkmAclStatus(flag, stringBuilder);
        }
Ejemplo n.º 2
0
        private static IEnumerable <ADRawEntry> ReadDkmAdObjects(IRootOrganizationRecipientSession session, string dkmContainerName, string rootDomain, StringBuilder detailStatus)
        {
            string dkmContainerDN = TestDataCenterDKMAccess.CreateDkmContainerDN(dkmContainerName, rootDomain);

            ADRawEntry[]      dkmObjects        = null;
            ADOperationResult adoperationResult = ADNotificationAdapter.TryRunADOperation(delegate()
            {
                dkmObjects = session.Find(new ADObjectId(dkmContainerDN), QueryScope.SubTree, new CustomLdapFilter("(objectClass=contact)"), null, -1, new ADPropertyDefinition[]
                {
                    ADObjectSchema.Name
                });
            });

            if (!adoperationResult.Succeeded)
            {
                detailStatus.AppendFormat("Failed to read DKM objects under DN {0} with exception {1}", dkmContainerDN, (adoperationResult.Exception == null) ? "N/A" : adoperationResult.Exception.Message);
                return(null);
            }
            if (dkmObjects.Length == 0)
            {
                detailStatus.AppendFormat("Failed to find any DKM objects under DN {0}. Examine the ACL settings on DKM objects to ensure the Exchange Servers group is allowed.", dkmContainerDN);
                return(null);
            }
            return(dkmObjects);
        }
Ejemplo n.º 3
0
        private static bool CheckPermissionsOnDkmObjects(IEnumerable <ADRawEntry> dkmObjects, IRootOrganizationRecipientSession session, Dictionary <SecurityIdentifier, ActiveDirectoryRights> expectedAccessRights, StringBuilder detailStatus)
        {
            bool result = true;

            foreach (ADRawEntry adrawEntry in dkmObjects)
            {
                RawSecurityDescriptor   rawSecurityDescriptor;
                ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadAdSecurityDescriptor(adrawEntry, session, null, out rawSecurityDescriptor);
                if (activeDirectorySecurity == null)
                {
                    result = false;
                    detailStatus.AppendFormat("Failed to read security descriptor for DKM object {0}. Examine the ACL settings on DKM objects.\r\n", adrawEntry.Id.DistinguishedName);
                }
                else
                {
                    AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
                    StringBuilder stringBuilder             = new StringBuilder();
                    stringBuilder.AppendLine(string.Format("Object DN: {0}\r\n", adrawEntry.Id.DistinguishedName));
                    bool flag = false;
                    Dictionary <SecurityIdentifier, ActiveDirectoryRights> dictionary = new Dictionary <SecurityIdentifier, ActiveDirectoryRights>();
                    foreach (object obj in accessRules)
                    {
                        ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj;
                        try
                        {
                            if (!expectedAccessRights.ContainsKey((SecurityIdentifier)activeDirectoryAccessRule.IdentityReference))
                            {
                                int num = AuthzAuthorization.CheckGenericPermission((SecurityIdentifier)activeDirectoryAccessRule.IdentityReference, rawSecurityDescriptor, AccessMask.MaximumAllowed);
                                if (num != 0)
                                {
                                    stringBuilder.AppendFormat("Unexpected ACE with Identity: {0}, Rights: {1}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(activeDirectoryAccessRule.IdentityReference.ToString()), (ActiveDirectoryRights)num);
                                    result = false;
                                    flag   = true;
                                }
                            }
                            else
                            {
                                dictionary[(SecurityIdentifier)activeDirectoryAccessRule.IdentityReference] = (ActiveDirectoryRights)AuthzAuthorization.CheckGenericPermission((SecurityIdentifier)activeDirectoryAccessRule.IdentityReference, rawSecurityDescriptor, AccessMask.MaximumAllowed);
                            }
                        }
                        catch (Win32Exception ex)
                        {
                            stringBuilder.AppendFormat("Failed to check ACL for Identity: {0} with Win32Exception {1} and ErrorCode {2}\r\n", TestDataCenterDKMAccess.AccountNameFromSid(activeDirectoryAccessRule.IdentityReference.ToString()), ex.Message, ex.ErrorCode);
                            result = false;
                            flag   = true;
                        }
                    }
                    Dictionary <SecurityIdentifier, ActiveDirectoryRights> dictionary2 = new Dictionary <SecurityIdentifier, ActiveDirectoryRights>(expectedAccessRights);
                    foreach (KeyValuePair <SecurityIdentifier, ActiveDirectoryRights> keyValuePair in dictionary)
                    {
                        if (dictionary2[keyValuePair.Key] != keyValuePair.Value)
                        {
                            stringBuilder.AppendFormat("Wrong rights in ACE for Identity {0}\r\nExpected Rights: {1}\r\nActual Rights: {2}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(keyValuePair.Key.ToString()), dictionary2[keyValuePair.Key], keyValuePair.Value);
                            result = false;
                            flag   = true;
                        }
                        dictionary2.Remove(keyValuePair.Key);
                    }
                    if (dictionary2.Count > 0)
                    {
                        foreach (KeyValuePair <SecurityIdentifier, ActiveDirectoryRights> keyValuePair2 in dictionary2)
                        {
                            stringBuilder.AppendFormat("Missing expected ACE for Identity {0}\r\nExpected Rights: {1}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(keyValuePair2.Key.ToString()), keyValuePair2.Value);
                            result = false;
                            flag   = true;
                        }
                    }
                    if (flag)
                    {
                        detailStatus.AppendLine(stringBuilder.ToString());
                    }
                }
            }
            return(result);
        }
Ejemplo n.º 4
0
        private static bool VerifyDkmObjectPermissions(IRootOrganizationRecipientSession session, string dkmContainerName, string rootDomain, Dictionary <SecurityIdentifier, ActiveDirectoryRights> expectedRights, StringBuilder detailStatus)
        {
            IEnumerable <ADRawEntry> enumerable = TestDataCenterDKMAccess.ReadDkmAdObjects(session, dkmContainerName, rootDomain, detailStatus);

            return(enumerable != null && TestDataCenterDKMAccess.CheckPermissionsOnDkmObjects(enumerable, session, expectedRights, detailStatus));
        }