Exemple #1
0
        private static void ValidateConfig(IChecker assume)
        {
            if (EncLevel == EncryptionLevel.ENCRYPTION_LEVEL_NONE)
            {
                assume.IsTrue(
                    EncMethod == EncryptionMethods.ENCRYPTION_METHOD_NONE,
                    "When Encryption Level is set to None, the Encryption Method must also set to None."
                    );
            }

            if (EncLevel == EncryptionLevel.ENCRYPTION_LEVEL_FIPS)
            {
                assume.IsTrue(
                    EncMethod == EncryptionMethods.ENCRYPTION_METHOD_FIPS,
                    "When Encryption Level is set to FIPS, the Encryption Method must be set to FIPS."
                    );
            }

            if (TransportProtocol == EncryptedProtocol.Rdp)
            {
                assume.IsTrue(
                    EncLevel != EncryptionLevel.ENCRYPTION_LEVEL_NONE,
                    "When use standard RDP security, the encryption level must be greater than 'None'."
                    );
            }
            else
            {
                assume.IsTrue(
                    EncLevel == EncryptionLevel.ENCRYPTION_LEVEL_NONE,
                    "When use enhanced security protocols (TLS or CredSSP), the encryption level must be set to 'None'."
                    );
            }
        }
        public void SamrEnumerateDomainsInSamServer_SUCCESS_NonDC()
        {
            HRESULT  hResult;
            IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;

            Site.Log.Add(LogEntryKind.TestStep,
                         string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
                                       _samrProtocolAdapter.domainMemberFqdn,
                                       _samrProtocolAdapter.domainMemberNetBIOSName,
                                       _samrProtocolAdapter.DMAdminName,
                                       _samrProtocolAdapter.DMAdminPassword));
            _samrProtocolAdapter.SamrBind(
                _samrProtocolAdapter.domainMemberFqdn,
                _samrProtocolAdapter.domainMemberNetBIOSName,
                _samrProtocolAdapter.DMAdminName,
                _samrProtocolAdapter.DMAdminPassword,
                false,
                false);
            Site.Log.Add(LogEntryKind.TestStep,
                         string.Format("SamrConnect5, Server:{0}, Desired Access: SAM_SERVER_ENUMERATE_DOMAINS.", _samrProtocolAdapter.domainMemberFqdn));
            hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5(
                _samrProtocolAdapter.domainMemberFqdn,
                (uint)SERVER_ACCESS_MASK.SAM_SERVER_ENUMERATE_DOMAINS,
                out _serverHandle);
            PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS.");
            uint?enumerationContext = 0;
            uint countReturned;
            _SAMPR_ENUMERATION_BUFFER?enumerationBuffer;

            Site.Log.Add(LogEntryKind.TestStep, "SamrEnumerateDomainsInSamServer, PreferedMaximumLength: 1024.");
            hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrEnumerateDomainsInSamServer(
                _serverHandle,
                ref enumerationContext,
                out enumerationBuffer,
                1024,
                out countReturned);
            PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrEnumerateDomainsInSamServer must return STATUS_SUCCESS.");
            PtfAssert.AreNotEqual <uint>(0, countReturned, "The CountReturned is not zero.");
            PtfAssert.IsNotNull(enumerationBuffer, "EnumerationBuffer is not null.");
            PtfAssert.AreEqual <uint>(countReturned, enumerationBuffer.Value.EntriesRead, "Verify the EntriesRead property.");

            bool builtInDomainFound = false;

            foreach (var entry in enumerationBuffer.Value.Buffer)
            {
                string name = DtypUtility.ToString(entry.Name);
                if (string.Compare(name, "BUILTIN", true) == 0)
                {
                    builtInDomainFound = true;
                }
                PtfAssert.AreEqual <uint>(0, entry.RelativeId, "[MS-SAMR]3.1.5.2.1 Buffer.Buffer.RelativeId is 0.");
            }
            PtfAssert.IsTrue(builtInDomainFound,
                             "Client obtains a listing, without duplicates, of the name attribute of the built-in domain object.");
        }
        public void SamrQuerySecurityObject_Server_DACL_NonDC()
        {
            HRESULT  hResult;
            IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;

            Site.Log.Add(LogEntryKind.TestStep,
                         string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
                                       _samrProtocolAdapter.domainMemberFqdn,
                                       _samrProtocolAdapter.domainMemberNetBIOSName,
                                       _samrProtocolAdapter.DMAdminName,
                                       _samrProtocolAdapter.DMAdminPassword));
            _samrProtocolAdapter.SamrBind(
                _samrProtocolAdapter.domainMemberFqdn,
                _samrProtocolAdapter.domainMemberNetBIOSName,
                _samrProtocolAdapter.DMAdminName,
                _samrProtocolAdapter.DMAdminPassword,
                false,
                false);
            Site.Log.Add(LogEntryKind.TestStep,
                         string.Format("SamrConnect5, Server:{0}, Desired Access: READ_CONTROL.", _samrProtocolAdapter.domainMemberFqdn));
            hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5(
                _samrProtocolAdapter.domainMemberFqdn,
                (uint)COMMON_ACCESS_MASK.READ_CONTROL,
                out _serverHandle);
            PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS.");

            Site.Log.Add(LogEntryKind.TestStep,
                         "SamrQuerySecurityObject, SecurityInformation: DACL_SECURITY_INFORMATION.");
            _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;

            hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrQuerySecurityObject(
                _serverHandle,
                SamrQuerySecurityObject_SecurityInformation_Values.DACL_SECURITY_INFORMATION,
                out securityDescriptor);
            PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS.");
            PtfAssert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null.");
            _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);

            PtfAssert.IsNotNull(sd.Dacl,
                                "[MS-SAMR] 3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is set, the client requests that the DACL be returned.");
            PtfAssert.IsNull(sd.OwnerSid,
                             "[MS-SAMR] 3.1.5.12.2 The field(OwnerSid) of the security descriptor is not returned and is set to zero.");
            PtfAssert.IsNull(sd.GroupSid,
                             "[MS-SAMR] 3.1.5.12.2 The field(GroupSid) of the security descriptor is not returned and is set to zero.");
            PtfAssert.IsNull(sd.Sacl,
                             "[MS-SAMR] 3.1.5.12.2 The field(SACL) of the security descriptor is not returned and is set to zero.");

            Site.Log.Add(LogEntryKind.TestStep,
                         "Verifies that the DACL returned from the server contains the following ACEs: WorldSid(SAM_SERVER_EXECUTE | SAM_SERVER_READ), AdministratorSid(SAM_SERVER_ALL_ACCESS");
            bool worldSidFound = false;
            uint worldSidMask  = 0;
            bool adminSidFound = false;
            uint adminSidMask  = 0;

            foreach (var o in sd.Dacl.Value.Aces)
            {
                if (!(o is Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE))
                {
                    continue;
                }
                Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE ace = (Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE)o;
                switch (DtypUtility.ToSddlString(ace.Sid))
                {
                case AdministratorSid:
                    adminSidFound = true;
                    adminSidMask  = ace.Mask;
                    break;

                case WorldSid:
                    worldSidFound = true;
                    worldSidMask  = ace.Mask;
                    break;
                }
            }
            PtfAssert.IsTrue(worldSidFound,
                             "[MS-SAMR] 3.1.5.12.2 If ObjectHandle.Object refers to the server object, the DACL MUST contain the following ACE. WorldSid");
            PtfAssert.AreEqual(SERVER_ACCESS_MASK.SAM_SERVER_EXECUTE | SERVER_ACCESS_MASK.SAM_SERVER_READ, (SERVER_ACCESS_MASK)worldSidMask,
                               "The access mask of WorldSid is SAM_SERVER_EXECUTE|SAM_SERVER_READ.");
            PtfAssert.IsTrue(adminSidFound,
                             "[MS-SAMR] 3.1.5.12.2 If ObjectHandle.Object refers to the server object, the DACL MUST contain the following ACE. AdministratorSid");
            PtfAssert.AreEqual(SERVER_ACCESS_MASK.SAM_SERVER_ALL_ACCESS, (SERVER_ACCESS_MASK)adminSidMask,
                               "The access mask of AdministratorSid is SAM_SERVER_ALL_ACCESS.");
        }
        private static void ValidateConfig(IChecker assume)
        {
            if (EncLevel == EncryptionLevel.ENCRYPTION_LEVEL_NONE)
            {
                assume.IsTrue(
                    EncMethod == EncryptionMethods.ENCRYPTION_METHOD_NONE,
                    "When Encryption Level is set to None, the Encryption Method must also set to None."
                    );
            }

            if (EncLevel == EncryptionLevel.ENCRYPTION_LEVEL_FIPS)
            {
                assume.IsTrue(
                    EncMethod == EncryptionMethods.ENCRYPTION_METHOD_FIPS,
                    "When Encryption Level is set to FIPS, the Encryption Method must be set to FIPS."
                    );
            }

            if (TransportProtocol == EncryptedProtocol.Rdp)
            {
                assume.IsTrue(
                    EncLevel != EncryptionLevel.ENCRYPTION_LEVEL_NONE,
                    "When use standard RDP security, the encryption level must be greater than 'None'."
                    );
            }
            else
            {
                assume.IsTrue(
                    EncLevel == EncryptionLevel.ENCRYPTION_LEVEL_NONE,
                    "When use enhanced security protocols (TLS or CredSSP), the encryption level must be set to 'None'."
                    );
            }
        }