private static void ValidateConfig(IChecker assume)
{
if (EncLevel == EncryptionLevel.ENCRYPTION_LEVEL_NONE)
{
assume.IsTrue(
EncMethod == EncryptionMethods.ENCRYPTION_METHOD_NONE,
"When Encryption Level is set to None, the Encryption Method must also set to None."
);
}
if (EncLevel == EncryptionLevel.ENCRYPTION_LEVEL_FIPS)
{
assume.IsTrue(
EncMethod == EncryptionMethods.ENCRYPTION_METHOD_FIPS,
"When Encryption Level is set to FIPS, the Encryption Method must be set to FIPS."
);
}
if (TransportProtocol == EncryptedProtocol.Rdp)
{
assume.IsTrue(
EncLevel != EncryptionLevel.ENCRYPTION_LEVEL_NONE,
"When use standard RDP security, the encryption level must be greater than 'None'."
);
}
else
{
assume.IsTrue(
EncLevel == EncryptionLevel.ENCRYPTION_LEVEL_NONE,
"When use enhanced security protocols (TLS or CredSSP), the encryption level must be set to 'None'."
);
}
}
public void SamrEnumerateDomainsInSamServer_SUCCESS_NonDC()
{
HRESULT hResult;
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword));
_samrProtocolAdapter.SamrBind(
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword,
false,
false);
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrConnect5, Server:{0}, Desired Access: SAM_SERVER_ENUMERATE_DOMAINS.", _samrProtocolAdapter.domainMemberFqdn));
hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5(
_samrProtocolAdapter.domainMemberFqdn,
(uint)SERVER_ACCESS_MASK.SAM_SERVER_ENUMERATE_DOMAINS,
out _serverHandle);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS.");
uint?enumerationContext = 0;
uint countReturned;
_SAMPR_ENUMERATION_BUFFER?enumerationBuffer;
Site.Log.Add(LogEntryKind.TestStep, "SamrEnumerateDomainsInSamServer, PreferedMaximumLength: 1024.");
hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrEnumerateDomainsInSamServer(
_serverHandle,
ref enumerationContext,
out enumerationBuffer,
1024,
out countReturned);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrEnumerateDomainsInSamServer must return STATUS_SUCCESS.");
PtfAssert.AreNotEqual <uint>(0, countReturned, "The CountReturned is not zero.");
PtfAssert.IsNotNull(enumerationBuffer, "EnumerationBuffer is not null.");
PtfAssert.AreEqual <uint>(countReturned, enumerationBuffer.Value.EntriesRead, "Verify the EntriesRead property.");
bool builtInDomainFound = false;
foreach (var entry in enumerationBuffer.Value.Buffer)
{
string name = DtypUtility.ToString(entry.Name);
if (string.Compare(name, "BUILTIN", true) == 0)
{
builtInDomainFound = true;
}
PtfAssert.AreEqual <uint>(0, entry.RelativeId, "[MS-SAMR]3.1.5.2.1 Buffer.Buffer.RelativeId is 0.");
}
PtfAssert.IsTrue(builtInDomainFound,
"Client obtains a listing, without duplicates, of the name attribute of the built-in domain object.");
}
public void SamrQuerySecurityObject_Server_DACL_NonDC()
{
HRESULT hResult;
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword));
_samrProtocolAdapter.SamrBind(
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword,
false,
false);
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrConnect5, Server:{0}, Desired Access: READ_CONTROL.", _samrProtocolAdapter.domainMemberFqdn));
hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5(
_samrProtocolAdapter.domainMemberFqdn,
(uint)COMMON_ACCESS_MASK.READ_CONTROL,
out _serverHandle);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS.");
Site.Log.Add(LogEntryKind.TestStep,
"SamrQuerySecurityObject, SecurityInformation: DACL_SECURITY_INFORMATION.");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrQuerySecurityObject(
_serverHandle,
SamrQuerySecurityObject_SecurityInformation_Values.DACL_SECURITY_INFORMATION,
out securityDescriptor);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS.");
PtfAssert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
PtfAssert.IsNotNull(sd.Dacl,
"[MS-SAMR] 3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is set, the client requests that the DACL be returned.");
PtfAssert.IsNull(sd.OwnerSid,
"[MS-SAMR] 3.1.5.12.2 The field(OwnerSid) of the security descriptor is not returned and is set to zero.");
PtfAssert.IsNull(sd.GroupSid,
"[MS-SAMR] 3.1.5.12.2 The field(GroupSid) of the security descriptor is not returned and is set to zero.");
PtfAssert.IsNull(sd.Sacl,
"[MS-SAMR] 3.1.5.12.2 The field(SACL) of the security descriptor is not returned and is set to zero.");
Site.Log.Add(LogEntryKind.TestStep,
"Verifies that the DACL returned from the server contains the following ACEs: WorldSid(SAM_SERVER_EXECUTE | SAM_SERVER_READ), AdministratorSid(SAM_SERVER_ALL_ACCESS");
bool worldSidFound = false;
uint worldSidMask = 0;
bool adminSidFound = false;
uint adminSidMask = 0;
foreach (var o in sd.Dacl.Value.Aces)
{
if (!(o is Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE))
{
continue;
}
Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE ace = (Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE)o;
switch (DtypUtility.ToSddlString(ace.Sid))
{
case AdministratorSid:
adminSidFound = true;
adminSidMask = ace.Mask;
break;
case WorldSid:
worldSidFound = true;
worldSidMask = ace.Mask;
break;
}
}
PtfAssert.IsTrue(worldSidFound,
"[MS-SAMR] 3.1.5.12.2 If ObjectHandle.Object refers to the server object, the DACL MUST contain the following ACE. WorldSid");
PtfAssert.AreEqual(SERVER_ACCESS_MASK.SAM_SERVER_EXECUTE | SERVER_ACCESS_MASK.SAM_SERVER_READ, (SERVER_ACCESS_MASK)worldSidMask,
"The access mask of WorldSid is SAM_SERVER_EXECUTE|SAM_SERVER_READ.");
PtfAssert.IsTrue(adminSidFound,
"[MS-SAMR] 3.1.5.12.2 If ObjectHandle.Object refers to the server object, the DACL MUST contain the following ACE. AdministratorSid");
PtfAssert.AreEqual(SERVER_ACCESS_MASK.SAM_SERVER_ALL_ACCESS, (SERVER_ACCESS_MASK)adminSidMask,
"The access mask of AdministratorSid is SAM_SERVER_ALL_ACCESS.");
}
private static void ValidateConfig(IChecker assume)
{
if (EncLevel == EncryptionLevel.ENCRYPTION_LEVEL_NONE)
{
assume.IsTrue(
EncMethod == EncryptionMethods.ENCRYPTION_METHOD_NONE,
"When Encryption Level is set to None, the Encryption Method must also set to None."
);
}
if (EncLevel == EncryptionLevel.ENCRYPTION_LEVEL_FIPS)
{
assume.IsTrue(
EncMethod == EncryptionMethods.ENCRYPTION_METHOD_FIPS,
"When Encryption Level is set to FIPS, the Encryption Method must be set to FIPS."
);
}
if (TransportProtocol == EncryptedProtocol.Rdp)
{
assume.IsTrue(
EncLevel != EncryptionLevel.ENCRYPTION_LEVEL_NONE,
"When use standard RDP security, the encryption level must be greater than 'None'."
);
}
else
{
assume.IsTrue(
EncLevel == EncryptionLevel.ENCRYPTION_LEVEL_NONE,
"When use enhanced security protocols (TLS or CredSSP), the encryption level must be set to 'None'."
);
}
}