public void TestAcl3()
{
var sid = WindowsIdentity.GetCurrent().User;
SecurityIdentifier wks = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
DiscretionaryAcl dacl1 = new DiscretionaryAcl(false, false, 1);
dacl1.AddAccess(AccessControlType.Allow, sid, 0x200, InheritanceFlags.None, PropagationFlags.None);
CommonSecurityDescriptor csd = new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent, sid, sid, null, dacl1);
DiscretionaryAcl dacl2 = new DiscretionaryAcl(false, false, 1);
dacl2.AddAccess(AccessControlType.Allow, wks, 0x400, InheritanceFlags.None, PropagationFlags.None);
CommonSecurityDescriptor csd2 = new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent, wks, wks, null, dacl2);
List <GenericSecurityDescriptor> list = new List <GenericSecurityDescriptor>();
list.Add(csd);
list.Add(csd2);
using AuthorizationContext c = new AuthorizationContext(WindowsIdentity.GetCurrent().User);
Assert.IsTrue(c.AccessCheck(csd, 0x200));
Assert.IsTrue(c.AccessCheck(list, 0x400));
Assert.IsTrue(c.AccessCheck(list, 0x600));
Assert.IsFalse(c.AccessCheck(csd, 0x800));
Assert.IsFalse(c.AccessCheck(list, 0x800));
}
public void TestScriptDenyLapsJitGrantLapsHistory()
{
IUser user = directory.GetUser(WindowsIdentity.GetCurrent().User);
IComputer computer = directory.GetComputer(C.DEV_PC1);
var sd = generator.GenerateSecurityDescriptor(user, computer, "AuthZTestDenyLapsJitGrantLapsHistory.ps1", 30);
using AuthorizationContext context = new AuthorizationContext(user.Sid);
Assert.IsFalse(context.AccessCheck(sd, (int)AccessMask.Jit));
Assert.IsFalse(context.AccessCheck(sd, (int)AccessMask.LocalAdminPassword));
Assert.IsTrue(context.AccessCheck(sd, (int)AccessMask.LocalAdminPasswordHistory));
}
public void TestScriptGrantLapsJit()
{
IUser user = directory.GetUser(WindowsIdentity.GetCurrent().User);
var sd = generator.GenerateSecurityDescriptor(user, null, "AuthZTestGrantLapsJit.ps1", 30);
using AuthorizationContext context = new AuthorizationContext(user.Sid);
Assert.IsTrue(context.AccessCheck(sd, (int)AccessMask.Jit));
Assert.IsTrue(context.AccessCheck(sd, (int)AccessMask.Laps));
Assert.IsFalse(context.AccessCheck(sd, (int)AccessMask.LapsHistory));
}
private void CheckCertificatePermissions()
{
this.HasPermission = false;
this.HasNoPermission = false;
this.HasPermissionError = false;
this.PermissionError = null;
if (this.HasNoPrivateKey)
{
return;
}
try
{
var security = this.Model.GetPrivateKeySecurity();
using AuthorizationContext c = new AuthorizationContext(this.serviceSettings.GetServiceAccount());
GenericSecurityDescriptor sd = new RawSecurityDescriptor(security.GetSecurityDescriptorSddlForm(AccessControlSections.All));
this.HasPermission = c.AccessCheck(sd, (int)FileSystemRights.Read);
this.HasNoPermission = !this.HasPermission;
}
catch (Exception ex)
{
this.logger.LogError(EventIDs.UIGenericError, ex, "Could not read private key security for certificate {thumbprint}", this.Model.Thumbprint);
this.HasPermissionError = true;
this.PermissionError = $"Error: {ex.Message}";
}
}
private bool IsMatch(string trustee, string requestor, string domainName, AccessControlType aceType = AccessControlType.Allow)
{
var user = directory.GetUser(requestor);
var p = directory.GetPrincipal(trustee);
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);
dacl.AddAccess(aceType, p.Sid, (int)AccessMask.Jit, InheritanceFlags.None, PropagationFlags.None);
CommonSecurityDescriptor sd = new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), null, null, dacl);
string serverName;
if (domainName == null)
{
serverName = discoveryServices.GetDomainController(discoveryServices.GetDomainNameDns(p.Sid));
}
else
{
serverName = discoveryServices.GetDomainController(domainName);
}
using AuthorizationContext c = new AuthorizationContext(user.Sid, serverName);
return(c.AccessCheck(sd, (int)AccessMask.Jit));
}
public bool HasPermission(X509Certificate2 cert, SecurityIdentifier sid)
{
var security = cert.GetPrivateKeySecurity();
using AuthorizationContext c = new AuthorizationContext(sid);
GenericSecurityDescriptor sd = new RawSecurityDescriptor(security.GetSecurityDescriptorSddlForm(AccessControlSections.All));
return(c.AccessCheck(sd, (int)FileSystemRights.Read));
}
public void TestLapsSecurityDescriptor(AccessMask allowedAccess, AccessMask deniedAccess, bool expectedResult)
{
SecurityIdentifier user = WindowsIdentity.GetCurrent().User;
PowerShellAuthorizationResponse response = this.AccessMaskToPowerShellAuthorizationResponse(allowedAccess, deniedAccess);
var sd = generator.GenerateSecurityDescriptor(user, response);
using AuthorizationContext context = new AuthorizationContext(user);
Assert.AreEqual(expectedResult, context.AccessCheck(sd, (int)AccessMask.LocalAdminPassword));
}
public void TestSd(AccessMask allowedAccess, AccessMask deniedAccess)
{
SecurityIdentifier user = WindowsIdentity.GetCurrent().User;
PowerShellAuthorizationResponse response = this.AccessMaskToPowerShellAuthorizationResponse(allowedAccess, deniedAccess);
var sd = generator.GenerateSecurityDescriptor(user, response);
using AuthorizationContext context = new AuthorizationContext(user);
Assert.AreEqual(response.IsJitAllowed && !response.IsJitDenied, context.AccessCheck(sd, (int)AccessMask.Jit));
Assert.AreEqual(response.IsLocalAdminPasswordAllowed && !response.IsLocalAdminPasswordDenied, context.AccessCheck(sd, (int)AccessMask.LocalAdminPassword));
Assert.AreEqual(response.IsLocalAdminPasswordHistoryAllowed && !response.IsLocalAdminPasswordHistoryDenied, context.AccessCheck(sd, (int)AccessMask.LocalAdminPasswordHistory));
}
private AuthorizationInformation BuildAuthorizationInformation(IUser user, IComputer computer)
{
AuthorizationInformation info = new AuthorizationInformation
{
MatchedComputerTargets = this.GetMatchingTargetsForComputer(computer),
EffectiveAccess = 0,
Computer = computer,
User = user
};
if (info.MatchedComputerTargets.Count == 0)
{
return(info);
}
using AuthorizationContext c = authorizationContextProvider.GetAuthorizationContext(user, computer.Sid);
DiscretionaryAcl masterDacl = new DiscretionaryAcl(false, false, info.MatchedComputerTargets.Count);
int matchedTargetCount = 0;
foreach (var target in info.MatchedComputerTargets)
{
CommonSecurityDescriptor sd;
if (target.AuthorizationMode == AuthorizationMode.PowershellScript)
{
sd = this.powershell.GenerateSecurityDescriptor(user, computer, target.Script, 30);
}
else
{
if (string.IsNullOrWhiteSpace(target.SecurityDescriptor))
{
this.logger.LogTrace($"Ignoring target {target.Id} with empty security descriptor");
continue;
}
sd = new CommonSecurityDescriptor(false, false, new RawSecurityDescriptor(target.SecurityDescriptor));
}
if (sd == null)
{
this.logger.LogTrace($"Ignoring target {target.Id} with null security descriptor");
continue;
}
foreach (var ace in sd.DiscretionaryAcl.OfType <CommonAce>())
{
masterDacl.AddAccess(
(AccessControlType)ace.AceType,
ace.SecurityIdentifier,
ace.AccessMask,
ace.InheritanceFlags,
ace.PropagationFlags);
}
int i = matchedTargetCount;
if (c.AccessCheck(sd, (int)AccessMask.Laps))
{
info.SuccessfulLapsTargets.Add(target);
matchedTargetCount++;
}
if (c.AccessCheck(sd, (int)AccessMask.LapsHistory))
{
info.SuccessfulLapsHistoryTargets.Add(target);
matchedTargetCount++;
}
if (c.AccessCheck(sd, (int)AccessMask.Jit))
{
info.SuccessfulJitTargets.Add(target);
matchedTargetCount++;
}
// If the ACE did not grant any permissions to the user, consider it a failure response
if (i == matchedTargetCount)
{
info.FailedTargets.Add(target);
}
}
if (matchedTargetCount > 0)
{
info.SecurityDescriptor = new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), null, null, masterDacl);
this.logger.LogTrace($"Resultant security descriptor for computer {computer.MsDsPrincipalName}: {info.SecurityDescriptor.GetSddlForm(AccessControlSections.All)}");
info.EffectiveAccess |= c.AccessCheck(info.SecurityDescriptor, (int)AccessMask.Laps) ? AccessMask.Laps : 0;
info.EffectiveAccess |= c.AccessCheck(info.SecurityDescriptor, (int)AccessMask.Jit) ? AccessMask.Jit : 0;
info.EffectiveAccess |= c.AccessCheck(info.SecurityDescriptor, (int)AccessMask.LapsHistory) ? AccessMask.LapsHistory : 0;
}
this.logger.LogTrace($"User {user.MsDsPrincipalName} has effective access of {info.EffectiveAccess} on computer {computer.MsDsPrincipalName}");
return(info);
}
