Example #1
0
        public void SamrQuerySecurityObject_Server_Group_NonDC()
        {
            HRESULT  hResult;
            IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;

            Site.Log.Add(LogEntryKind.TestStep,
                         string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
                                       _samrProtocolAdapter.domainMemberFqdn,
                                       _samrProtocolAdapter.domainMemberNetBIOSName,
                                       _samrProtocolAdapter.DMAdminName,
                                       _samrProtocolAdapter.DMAdminPassword));
            _samrProtocolAdapter.SamrBind(
                _samrProtocolAdapter.domainMemberFqdn,
                _samrProtocolAdapter.domainMemberNetBIOSName,
                _samrProtocolAdapter.DMAdminName,
                _samrProtocolAdapter.DMAdminPassword,
                false,
                false);
            Site.Log.Add(LogEntryKind.TestStep,
                         string.Format("SamrConnect5, Server:{0}, Desired Access: READ_CONTROL.", _samrProtocolAdapter.domainMemberFqdn));
            hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5(
                _samrProtocolAdapter.domainMemberFqdn,
                (uint)COMMON_ACCESS_MASK.READ_CONTROL,
                out _serverHandle);
            PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS.");

            Site.Log.Add(LogEntryKind.TestStep,
                         "SamrQuerySecurityObject, SecurityInformation: GROUP_SECURITY_INFORMATION.");
            _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;

            hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrQuerySecurityObject(
                _serverHandle,
                SamrQuerySecurityObject_SecurityInformation_Values.GROUP_SECURITY_INFORMATION,
                out securityDescriptor);
            PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS.");
            PtfAssert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null.");
            _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);

            PtfAssert.IsNotNull(sd.GroupSid,
                                "[MS-SAMR] 3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is set, the client requests that the Group member be returned.");
            PtfAssert.IsNull(sd.OwnerSid,
                             "[MS-SAMR] 3.1.5.12.2 The field(OwnerSid) of the security descriptor is not returned and is set to zero.");
            PtfAssert.IsNull(sd.Sacl,
                             "[MS-SAMR] 3.1.5.12.2 The field(SACL) of the security descriptor is not returned and is set to zero.");
            PtfAssert.IsNull(sd.Dacl,
                             "[MS-SAMR] 3.1.5.12.2 The field(DACL) of the security descriptor is not returned and is set to zero.");
            PtfAssert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)sd.GroupSid),
                               "[MS-SAMR] 3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544).");
        }
        public void SamrQuerySecurityObject_Server_SACL()
        {
            HRESULT  hResult;
            IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;

            Site.Log.Add(LogEntryKind.TestStep,
                         string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
                                       _samrProtocolAdapter.pdcNetBIOSName,
                                       _samrProtocolAdapter.primaryDomainFqdn,
                                       _samrProtocolAdapter.DomainAdministratorName,
                                       _samrProtocolAdapter.DomainUserPassword));
            _samrProtocolAdapter.SamrBind(
                _samrProtocolAdapter.pdcNetBIOSName,
                _samrProtocolAdapter.primaryDomainFqdn,
                _samrProtocolAdapter.DomainAdministratorName,
                _samrProtocolAdapter.DomainUserPassword,
                false,
                true);
            Site.Log.Add(LogEntryKind.TestStep,
                         string.Format("SamrConnect5, Server:{0}, Desired Access: ACCESS_SYSTEM_SECURITY.", _samrProtocolAdapter.PDCNetbiosName));
            hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5(
                _samrProtocolAdapter.PDCNetbiosName,
                (uint)COMMON_ACCESS_MASK.ACCESS_SYSTEM_SECURITY,
                out _serverHandle);
            PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS.");

            Site.Log.Add(LogEntryKind.TestStep,
                         "SamrQuerySecurityObject, SecurityInformation: SACL_SECURITY_INFORMATION.");
            _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;

            hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrQuerySecurityObject(
                _serverHandle,
                SamrQuerySecurityObject_SecurityInformation_Values.SACL_SECURITY_INFORMATION,
                out securityDescriptor);
            PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS.");
            PtfAssert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null.");
            _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);

            PtfAssert.IsNotNull(sd.Sacl,
                                "[MS-SAMR] 3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is set, the client requests that the Sacl be returned.");
            PtfAssert.IsNull(sd.OwnerSid,
                             "[MS-SAMR] 3.1.5.12.2 The field(OwnerSid) of the security descriptor is not returned and is set to zero.");
            PtfAssert.IsNull(sd.GroupSid,
                             "[MS-SAMR] 3.1.5.12.2 The field(GroupSid) of the security descriptor is not returned and is set to zero.");
            PtfAssert.IsNull(sd.Dacl,
                             "[MS-SAMR] 3.1.5.12.2 The field(DACL) of the security descriptor is not returned and is set to zero.");
        }
Example #3
0
        public void SamrQuerySecurityObject_Server_DACL_NonDC()
        {
            HRESULT  hResult;
            IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;

            Site.Log.Add(LogEntryKind.TestStep,
                         string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
                                       _samrProtocolAdapter.domainMemberFqdn,
                                       _samrProtocolAdapter.domainMemberNetBIOSName,
                                       _samrProtocolAdapter.DMAdminName,
                                       _samrProtocolAdapter.DMAdminPassword));
            _samrProtocolAdapter.SamrBind(
                _samrProtocolAdapter.domainMemberFqdn,
                _samrProtocolAdapter.domainMemberNetBIOSName,
                _samrProtocolAdapter.DMAdminName,
                _samrProtocolAdapter.DMAdminPassword,
                false,
                false);
            Site.Log.Add(LogEntryKind.TestStep,
                         string.Format("SamrConnect5, Server:{0}, Desired Access: READ_CONTROL.", _samrProtocolAdapter.domainMemberFqdn));
            hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5(
                _samrProtocolAdapter.domainMemberFqdn,
                (uint)COMMON_ACCESS_MASK.READ_CONTROL,
                out _serverHandle);
            PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS.");

            Site.Log.Add(LogEntryKind.TestStep,
                         "SamrQuerySecurityObject, SecurityInformation: DACL_SECURITY_INFORMATION.");
            _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;

            hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrQuerySecurityObject(
                _serverHandle,
                SamrQuerySecurityObject_SecurityInformation_Values.DACL_SECURITY_INFORMATION,
                out securityDescriptor);
            PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS.");
            PtfAssert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null.");
            _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);

            PtfAssert.IsNotNull(sd.Dacl,
                                "[MS-SAMR] 3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is set, the client requests that the DACL be returned.");
            PtfAssert.IsNull(sd.OwnerSid,
                             "[MS-SAMR] 3.1.5.12.2 The field(OwnerSid) of the security descriptor is not returned and is set to zero.");
            PtfAssert.IsNull(sd.GroupSid,
                             "[MS-SAMR] 3.1.5.12.2 The field(GroupSid) of the security descriptor is not returned and is set to zero.");
            PtfAssert.IsNull(sd.Sacl,
                             "[MS-SAMR] 3.1.5.12.2 The field(SACL) of the security descriptor is not returned and is set to zero.");

            Site.Log.Add(LogEntryKind.TestStep,
                         "Verifies that the DACL returned from the server contains the following ACEs: WorldSid(SAM_SERVER_EXECUTE | SAM_SERVER_READ), AdministratorSid(SAM_SERVER_ALL_ACCESS");
            bool worldSidFound = false;
            uint worldSidMask  = 0;
            bool adminSidFound = false;
            uint adminSidMask  = 0;

            foreach (var o in sd.Dacl.Value.Aces)
            {
                if (!(o is Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE))
                {
                    continue;
                }
                Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE ace = (Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE)o;
                switch (DtypUtility.ToSddlString(ace.Sid))
                {
                case AdministratorSid:
                    adminSidFound = true;
                    adminSidMask  = ace.Mask;
                    break;

                case WorldSid:
                    worldSidFound = true;
                    worldSidMask  = ace.Mask;
                    break;
                }
            }
            PtfAssert.IsTrue(worldSidFound,
                             "[MS-SAMR] 3.1.5.12.2 If ObjectHandle.Object refers to the server object, the DACL MUST contain the following ACE. WorldSid");
            PtfAssert.AreEqual(SERVER_ACCESS_MASK.SAM_SERVER_EXECUTE | SERVER_ACCESS_MASK.SAM_SERVER_READ, (SERVER_ACCESS_MASK)worldSidMask,
                               "The access mask of WorldSid is SAM_SERVER_EXECUTE|SAM_SERVER_READ.");
            PtfAssert.IsTrue(adminSidFound,
                             "[MS-SAMR] 3.1.5.12.2 If ObjectHandle.Object refers to the server object, the DACL MUST contain the following ACE. AdministratorSid");
            PtfAssert.AreEqual(SERVER_ACCESS_MASK.SAM_SERVER_ALL_ACCESS, (SERVER_ACCESS_MASK)adminSidMask,
                               "The access mask of AdministratorSid is SAM_SERVER_ALL_ACCESS.");
        }