Example #1
0
        /// <summary>
        /// Adds a user to the local Administrators group.
        /// </summary>
        /// <param name="userIdentity">
        /// The identity of the user to be added to the Administrators group.
        /// </param>
        /// <param name="expirationTime">
        /// The date and time at which the user's administrator rights should expire.
        /// </param>
        /// <param name="remoteAddress">
        /// The address of the remote host from which a request for administrator rights came, if applicable.
        /// </param>
        public static void AddUser(WindowsIdentity userIdentity, DateTime?expirationTime, string remoteAddress)
        {
            // TODO: Only do this if the user is not a member of the group?

            AdminGroupManipulator adminGroupManipulator = new AdminGroupManipulator();
            bool userIsAuthorized = adminGroupManipulator.UserIsAuthorized(Settings.LocalAllowedEntities, Settings.LocalDeniedEntities);

            if (!string.IsNullOrEmpty(remoteAddress))
            { // Request is from a remote computer. Check the remote authorization list.
                userIsAuthorized &= adminGroupManipulator.UserIsAuthorized(Settings.RemoteAllowedEntities, Settings.RemoteDeniedEntities);
            }

            if (
                (LocalAdminGroup != null) &&
                (userIdentity.User != null) &&
                (userIdentity.Groups != null) &&
                (userIsAuthorized)
                )
            {
                // Save the user's information to the list of users.
                EncryptedSettings encryptedSettings = new EncryptedSettings(EncryptedSettings.SettingsFilePath);
                encryptedSettings.AddUser(userIdentity, expirationTime, remoteAddress);

                AddUserToAdministrators(userIdentity.User);
            }
        }
        /// <summary>
        /// Gets an object representing the local Administrators group.
        /// </summary>

        /*private static GroupPrincipal LocalAdminGroup
         * {
         *  get
         *  {
         *      if (LocalMachineContext == null)
         *      {
         *          ApplicationLog.WriteEvent(Properties.Resources.LocalMachineContextIsNull, EventID.DebugMessage, System.Diagnostics.EventLogEntryType.Error);
         *      }
         *      else
         *      {
         *          if (LocalAdminsGroupSid == null)
         *          {
         *              ApplicationLog.WriteEvent(Properties.Resources.LocalAdminsGroupSIDIsNull, EventID.DebugMessage, System.Diagnostics.EventLogEntryType.Error);
         *          }
         *          else
         *          {
         *              if (localAdminGroup == null)
         *              {
         *                  try
         *                  {
         *                      localAdminGroup = GroupPrincipal.FindByIdentity(LocalMachineContext, IdentityType.Sid, LocalAdminsGroupSid.Value);
         *                  }
         *                  catch (Exception exception)
         *                  {
         *                      ApplicationLog.WriteEvent(string.Format("{0}: {1}", Properties.Resources.Exception, exception.Message), EventID.DebugMessage, System.Diagnostics.EventLogEntryType.Error);
         *                      throw;
         *                  }
         *              }
         *          }
         *      }
         *      return localAdminGroup;
         *  }
         * }*/

        /// <summary>
        /// Adds a user to the local Administrators group.
        /// </summary>
        /// <param name="userIdentity">
        /// The identity of the user to be added to the Administrators group.
        /// </param>
        /// <param name="expirationTime">
        /// The date and time at which the user's administrator rights should expire.
        /// </param>
        /// <param name="remoteAddress">
        /// The address of the remote host from which a request for administrator rights came, if applicable.
        /// </param>
        public static void AddUser(WindowsIdentity userIdentity, DateTime?expirationTime, string remoteAddress)
        {
            // TODO: Only do this if the user is not a member of the group?

#if DEBUG
            ApplicationLog.WriteEvent(string.Format("Calling UserIsAuthorized(3) from AddUser() beginning of function."), EventID.DebugMessage, System.Diagnostics.EventLogEntryType.Information);
#endif

            //AdminGroupManipulator adminGroupManipulator = new AdminGroupManipulator();
            bool userIsAuthorized = AdminGroupManipulator.UserIsAuthorized(userIdentity, Settings.LocalAllowedEntities, Settings.LocalDeniedEntities);

            if (!string.IsNullOrEmpty(remoteAddress))
            { // Request is from a remote computer. Check the remote authorization list.
#if DEBUG
                ApplicationLog.WriteEvent(string.Format("Calling UserIsAuthorized(3) from AddUser() where remote address is not null or empty."), EventID.DebugMessage, System.Diagnostics.EventLogEntryType.Information);
#endif

                userIsAuthorized &= AdminGroupManipulator.UserIsAuthorized(userIdentity, Settings.RemoteAllowedEntities, Settings.RemoteDeniedEntities);
            }

            if (
                (LocalAdminGroupName != null) &&
                (userIdentity.User != null) &&
                (userIdentity.Groups != null) &&
                (userIsAuthorized)
                )
            {
                // Save the user's information to the list of users.
                EncryptedSettings encryptedSettings = new EncryptedSettings(EncryptedSettings.SettingsFilePath);
                encryptedSettings.AddUser(userIdentity, expirationTime, remoteAddress);

                AddUserToAdministrators(userIdentity.User);
            }
        }
Example #3
0
        /// <summary>
        /// Validates that all of the users stored in the on-disk user list
        /// are in the local Adminstrators group if they're supposed to be, and vice-vera.
        /// </summary>
        public static void ValidateAllAddedUsers()
        {
            // Get a list of the users stored in the on-disk list.
            EncryptedSettings encryptedSettings = new EncryptedSettings(EncryptedSettings.SettingsFilePath);

            SecurityIdentifier[] addedUserList = encryptedSettings.AddedUserSIDs;

            // Get a list of the current members of the Administrators group.
            SecurityIdentifier[] localAdminSids = null;
            if ((addedUserList.Length > 0) && (LocalAdminGroup != null))
            {
                localAdminSids = GetLocalGroupMembers(LocalAdminGroup.SamAccountName);
            }

            for (int i = 0; i < addedUserList.Length; i++)
            {
                bool sidFoundInAdminsGroup = false;
                if ((addedUserList[i] != null) && (localAdminSids != null))
                {
                    foreach (SecurityIdentifier sid in localAdminSids)
                    {
                        if (sid == addedUserList[i])
                        {
                            sidFoundInAdminsGroup = true;
                            break;
                        }
                    }

                    AdminGroupManipulator adminGroup = new AdminGroupManipulator();

                    if (sidFoundInAdminsGroup)
                    {  // User's SID was found in the local administrators group.
                        DateTime?expirationTime = encryptedSettings.GetExpirationTime(addedUserList[i]);

                        if (expirationTime.HasValue)
                        {     // The user's rights expire at some point.
                            if (expirationTime.Value > DateTime.Now)
                            { // The user's administrator rights expire in the future.
                              // Nothing to do here, since the user is already in the administrators group.
                            }
                            else
                            { // The user's administrator rights have expired.
                                LocalAdministratorGroup.RemoveUser(addedUserList[i], RemovalReason.Timeout);
                            }
                        }

                        else
                        { // The user's rights never expire.
                            // Get a WindowsIdentity object for the user matching the added user SID.
                            WindowsIdentity sessionIdentity    = null;
                            WindowsIdentity userIdentity       = null;
                            int[]           loggedOnSessionIDs = LsaLogonSessions.LogonSessions.GetLoggedOnUserSessionIds();
                            foreach (int sessionId in loggedOnSessionIDs)
                            {
                                sessionIdentity = LsaLogonSessions.LogonSessions.GetWindowsIdentityForSessionId(sessionId);
                                if ((sessionIdentity != null) && (sessionIdentity.User == addedUserList[i]))
                                {
                                    userIdentity = sessionIdentity;
                                    break;
                                }
                            }

                            if (
                                (Settings.AutomaticAddAllowed != null) &&
                                (Settings.AutomaticAddAllowed.Length > 0) &&
                                (adminGroup.UserIsAuthorized(Settings.AutomaticAddAllowed, Settings.AutomaticAddDenied))
                                )
                            { // The user is an automatically-added user.
                              // Nothing to do here. The user is an automatically-added one, and their rights don't expire.
                            }
                            else
                            { // The user is not an automatically-added user.
                                // Users who are not automatically added should not have non-expiring rights. Remove this user.
                                LocalAdministratorGroup.RemoveUser(addedUserList[i], RemovalReason.Timeout);
                            }
                        }
                    }
                    else
                    { // User's SID was not found in the local administrators group.
                        DateTime?expirationTime = encryptedSettings.GetExpirationTime(addedUserList[i]);

                        if (expirationTime.HasValue)
                        {     // The user's rights expire at some point.
                            if (expirationTime.Value > DateTime.Now)
                            { // The user's administrator rights expire in the future.
                                string accountName = GetAccountNameFromSID(addedUserList[i]);
                                if (Settings.OverrideRemovalByOutsideProcess)
                                {
                                    ApplicationLog.WriteEvent(string.Format(Properties.Resources.UserRemovedByOutsideProcess + " " + Properties.Resources.AddingUserBackToAdministrators, addedUserList[i], string.IsNullOrEmpty(accountName) ? Properties.Resources.UnknownAccount : accountName), EventID.UserRemovedByExternalProcess, System.Diagnostics.EventLogEntryType.Information);
                                    AddUserToAdministrators(addedUserList[i]);
                                }
                                else
                                {
                                    ApplicationLog.WriteEvent(string.Format(Properties.Resources.UserRemovedByOutsideProcess + " " + Properties.Resources.RemovingUserFromList, addedUserList[i], string.IsNullOrEmpty(accountName) ? Properties.Resources.UnknownAccount : accountName), EventID.UserRemovedByExternalProcess, System.Diagnostics.EventLogEntryType.Information);
                                    encryptedSettings.RemoveUser(addedUserList[i]);
                                }
                            }
                            else
                            { // The user's administrator rights have expired.
                              // No need to remove from the administrators group, as we already know the SID
                              // is not present in the group.

                                encryptedSettings.RemoveUser(addedUserList[i]);
                            }
                        }
                        else
                        { // The user's rights never expire.
                            // Get a WindowsIdentity object for the user matching the added user SID.
                            WindowsIdentity sessionIdentity    = null;
                            WindowsIdentity userIdentity       = null;
                            int[]           loggedOnSessionIDs = LsaLogonSessions.LogonSessions.GetLoggedOnUserSessionIds();
                            foreach (int sessionId in loggedOnSessionIDs)
                            {
                                sessionIdentity = LsaLogonSessions.LogonSessions.GetWindowsIdentityForSessionId(sessionId);
                                if ((sessionIdentity != null) && (sessionIdentity.User == addedUserList[i]))
                                {
                                    userIdentity = sessionIdentity;
                                    break;
                                }
                            }

                            if (
                                (Settings.AutomaticAddAllowed != null) &&
                                (Settings.AutomaticAddAllowed.Length > 0) &&
                                (adminGroup.UserIsAuthorized(Settings.AutomaticAddAllowed, Settings.AutomaticAddDenied))
                                )
                            { // The user is an automatically-added user.
                              // The users rights do not expire, but they are an automatically-added user and are missing
                              // from the Administrators group. Add the user back in.

                                AddUserToAdministrators(addedUserList[i]);
                            }
                            else
                            { // The user is not an automatically-added user.
                                // The user is not in the Administrators group now, but they are
                                // listed as having non-expiring rights, even though they are not
                                // automatically added. This should never really happen, but
                                // just in case, we'll remove them from the on-disk user list.
                                encryptedSettings.RemoveUser(addedUserList[i]);
                            }
                        }
                    }
                }
            }
        }
        /// <summary>
        /// Executes when a change event is received from a Terminal Server session.
        /// </summary>
        /// <param name="changeDescription">
        /// Identifies the type of session change and the session to which it applies.
        /// </param>
        protected override void OnSessionChange(SessionChangeDescription changeDescription)
        {
            switch (changeDescription.Reason)
            {
            // The user has logged off from a session, either locally or remotely.
            case SessionChangeReason.SessionLogoff:

                EncryptedSettings encryptedSettings = new EncryptedSettings(EncryptedSettings.SettingsFilePath);
                System.Collections.Generic.List <SecurityIdentifier> sidsToRemove = new System.Collections.Generic.List <SecurityIdentifier>(encryptedSettings.AddedUserSIDs);

                int[] sessionIds = LsaLogonSessions.LogonSessions.GetLoggedOnUserSessionIds();

                // For any user that is still logged on, remove their SID from the list of
                // SIDs to be removed from Administrators. That is, let the users who are still
                // logged on stay in the Administrators group.
                foreach (int id in sessionIds)
                {
                    SecurityIdentifier sid = LsaLogonSessions.LogonSessions.GetSidForSessionId(id);
                    if (sid != null)
                    {
                        if (sidsToRemove.Contains(sid))
                        {
                            sidsToRemove.Remove(sid);
                        }
                    }
                }

                // Process the list of SIDs to be removed from Administrators.
                for (int i = 0; i < sidsToRemove.Count; i++)
                {
                    if (
                        // If the user is not remote.
                        (!(encryptedSettings.ContainsSID(sidsToRemove[i]) && encryptedSettings.IsRemote(sidsToRemove[i])))
                        &&
                        // If admin rights are to be removed on logoff, or the user's rights do not expire.
                        (Settings.RemoveAdminRightsOnLogout || !encryptedSettings.GetExpirationTime(sidsToRemove[i]).HasValue)
                        )
                    {
                        LocalAdministratorGroup.RemoveUser(sidsToRemove[i], RemovalReason.UserLogoff);
                    }
                }

                /*
                 * In theory, this code should remove the user associated with the logoff, but it doesn't work.
                 * SecurityIdentifier sid = LsaLogonSessions.LogonSessions.GetSidForSessionId(changeDescription.SessionId);
                 * if (!(UserList.ContainsSID(sid) && UserList.IsRemote(sid)))
                 * {
                 *  LocalAdministratorGroup.RemoveUser(sid, RemovalReason.UserLogoff);
                 * }
                 */

                break;

            // The user has logged on to a session, either locally or remotely.
            case SessionChangeReason.SessionLogon:

#if DEBUG
                ApplicationLog.WriteEvent(string.Format("In OnSessionChange(), the SessionLogon case. The session logging on is session #{0}.", changeDescription.SessionId), EventID.DebugMessage, System.Diagnostics.EventLogEntryType.Information);
#endif

                WindowsIdentity userIdentity = LsaLogonSessions.LogonSessions.GetWindowsIdentityForSessionId(changeDescription.SessionId);

#if DEBUG
                if (null != userIdentity)
                {
                    ApplicationLog.WriteEvent(string.Format(string.Format("User Identity is \"{0}.\"", userIdentity.Name)), EventID.DebugMessage, System.Diagnostics.EventLogEntryType.Information);
                }
#endif

                if (null != userIdentity)
                {
#if DEBUG
                    ApplicationLog.WriteEvent(string.Format("Calling UserIsAuthorized(3) from Service's OnSessionChange event."), EventID.DebugMessage, System.Diagnostics.EventLogEntryType.Information);
#endif

                    bool userIsAuthorizedForAutoAdd = AdminGroupManipulator.UserIsAuthorized(userIdentity, Settings.AutomaticAddAllowed, Settings.AutomaticAddDenied);

                    /*
                     * NetNamedPipeBinding binding = new NetNamedPipeBinding(NetNamedPipeSecurityMode.Transport);
                     * ChannelFactory<IAdminGroup> namedPipeFactory = new ChannelFactory<IAdminGroup>(binding, Settings.NamedPipeServiceBaseAddress);
                     * IAdminGroup channel = namedPipeFactory.CreateChannel();
                     * bool userIsAuthorizedForAutoAdd = channel.UserIsAuthorized(Settings.AutomaticAddAllowed, Settings.AutomaticAddDenied);
                     * namedPipeFactory.Close();
                     */

                    // If the user is in the automatic add list, then add them to the Administrators group.
                    if (
                        (Settings.AutomaticAddAllowed != null) &&
                        (Settings.AutomaticAddAllowed.Length > 0) &&
                        (userIsAuthorizedForAutoAdd)
                        )
                    {
                        LocalAdministratorGroup.AddUser(userIdentity, null, null);
                    }
                }
                else
                {
                    ApplicationLog.WriteEvent(Properties.Resources.UserIdentifyIsNull, EventID.DebugMessage, System.Diagnostics.EventLogEntryType.Warning);
                }

                break;

                /*
                 * // The user has reconnected or logged on to a remote session.
                 * case SessionChangeReason.RemoteConnect:
                 *  ApplicationLog.WriteInformationEvent(string.Format("Remote connect. Session ID: {0}", changeDescription.SessionId), EventID.SessionChangeEvent);
                 *  break;
                 */

                /*
                 * // The user has disconnected or logged off from a remote session.
                 * case SessionChangeReason.RemoteDisconnect:
                 *  ApplicationLog.WriteInformationEvent(string.Format("Remote disconnect. Session ID: {0}", changeDescription.SessionId), EventID.SessionChangeEvent);
                 *  break;
                 */

                /*
                 * // The user has locked their session.
                 * case SessionChangeReason.SessionLock:
                 *  ApplicationLog.WriteInformationEvent(string.Format("Session lock. Session ID: {0}", changeDescription.SessionId), EventID.SessionChangeEvent);
                 *  break;
                 */

                /*
                 * // The user has unlocked their session.
                 * case SessionChangeReason.SessionUnlock:
                 *  ApplicationLog.WriteInformationEvent(string.Format("Session unlock. Session ID: {0}", changeDescription.SessionId), EventID.SessionChangeEvent);
                 *  break;
                 */
            }

            base.OnSessionChange(changeDescription);
        }