        /// <summary>
        ///  The QuerySecurityObject method is invoked to query security information that is assigned
        ///  to a database object. It returns the security descriptor of the object.
        ///  This adapter method sends LsarQuerySecurityObject to the server and then captures the
        ///  MS-LSAD status requirements (R824, R825, R826, R829, R830) that apply to the case it set up.
        ///  The handle that is actually sent is selected from adapter state (htAccHandle,
        ///  checkTrustHandle, objAccountHandle / validTrustHandle); <paramref name="handleInput"/>
        ///  is not read by this body.
        /// </summary>
        /// <param name="handleInput">Contains any object handle (not read here; the handle sent to the
        /// server comes from adapter state) </param>
        /// <param name="securityInfo">Contains security descriptor information. Only used to decide
        /// whether the READ_CONTROL access check applies (SACL requests are excluded from it) </param>
        /// <param name="securityDescriptor">Out param contains valid or invalid
        /// security descriptor: Valid when the server returned a descriptor, Invalid when it returned null.
        /// The descriptor contents are not inspected </param>
        /// <returns>Returns Success if the method is successful
        /// Returns AccessDenied if the caller does not have the permissions to perform this operation
        /// Returns InvalidHandle if the handle passed in is not a valid object handle
        /// Returns NotSupported if the request is not supported</returns>
        public ErrorStatus QuerySecurityObject(
            int handleInput,
            SecurityInfo securityInfo,
            out SecurityDescriptor securityDescriptor)
        {
            System.IntPtr?objInvalidAccountHandle = IntPtr.Zero;
            // SECURITY_INFORMATION bits requested from the server, taken from the shared
            // utilities constant and narrowed to a byte before the cast at the call site.
            uintSecurityInfo          = Convert.ToByte(LsadUtilities.QuerySecurityInfo);
            // Revision field of the account SID used for open/create below.
            objAccountSid[0].Revision = 0x01;
            _LSAPR_SR_SECURITY_DESCRIPTOR?secDescriptor = new _LSAPR_SR_SECURITY_DESCRIPTOR();

            ////Passing Trusteddomain object for STATUS_NOT_SUPPORTED status.
            // Trusted domain objects are stored in Active Directory rather than in the local
            // policy database, so the server is expected to refuse the query (R829/R830 below).
            if ((htAccHandle.Count == 0) && (checkTrustHandle == true))
            {
                objAccountHandle = validTrustHandle;
            }
            else if ((htAccHandle.Count == 0) && (checkTrustHandle == false))
            {
                #region Passing InvalidHandle
                // Manufacture a stale context handle: open (creating if necessary) an account
                // object, take a second handle to it, then delete the object so the handle that
                // is sent below no longer refers to anything.

                uintDesrAccess   = ACCESS_MASK.MAXIMUM_ALLOWED;
                uintMethodStatus = lsadClientStack.LsarOpenAccount(
                    objPolicyHandle.Value,
                    objAccountSid[0],
                    uintDesrAccess,
                    out objInvalidAccountHandle);

                // Create the account only when the first open failed. Note this is the only
                // assignment to objAccountHandle in this branch before the delete below.
                if (uintMethodStatus != 0)
                {
                    uintMethodStatus = lsadClientStack.LsarCreateAccount(
                        objPolicyHandle.Value,
                        objAccountSid[0],
                        uintDesrAccess,
                        out objAccountHandle);
                }

                uintMethodStatus = lsadClientStack.LsarOpenAccount(
                    objPolicyHandle.Value,
                    objAccountSid[0],
                    uintDesrAccess,
                    out objInvalidAccountHandle);

                // Delete the object through objAccountHandle; objInvalidAccountHandle now
                // refers to a deleted object.
                // NOTE(review): when the first open succeeded, objAccountHandle was not set in
                // this method, so whatever it held on entry is what gets deleted here — confirm
                // the caller guarantees it refers to the same account.
                uintMethodStatus = lsadClientStack.LsarDeleteObject(ref objAccountHandle);

                #endregion Passing InvalidHandle

                objAccountHandle = objInvalidAccountHandle;
            }

            // In every other case the handle already in objAccountHandle is used as-is.
            uintMethodStatus = lsadClientStack.LsarQuerySecurityObject(
                objAccountHandle.Value,
                (SECURITY_INFORMATION)uintSecurityInfo,
                out secDescriptor);

            // Only report whether a descriptor came back at all; owner/group/DACL/SACL contents
            // are not validated against the requested SECURITY_INFORMATION here.
            securityDescriptor = (null == secDescriptor) ? SecurityDescriptor.Invalid : SecurityDescriptor.Valid;

            // Map the scenario set up above to the status the specification requires. The
            // branch order matters: handle-based cases are decided before the access check.
            if ((htAccHandle.Count == 0) && (checkTrustHandle == true))
            {
                #region MS-LSAD_R829

                TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
                    (uint)ErrorStatus.NotSupported,
                    (uint)uintMethodStatus,
                    "MS-LSAD",
                    829,
                    @"It is valid for the server to not support LsarQuerySecurityObject method for all 
                    object types. If an object does not support the LsarQuerySecurityObject method, the 
                    server MUST return STATUS_NOT_SUPPORTED.");

                #endregion

                #region MS-LSAD_R830

                TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
                    (uint)ErrorStatus.NotSupported,
                    (uint)uintMethodStatus,
                    "MS-LSAD",
                    830,
                    @"The server will not return the security descriptor of objects that it stores in Active Directory. 
                    It will return the security descriptor of objects in its local policy only. The objects stored in 
                    Active Directory include Global Secrets and trusted domain objects in Windows 2000 and Windows 
                    Server 2003 R2. For objects that fall into this category, the server will return the 
                    STATUS_NOT_SUPPORTED status code on receipt of LsarQuerySecurityObject method.");

                #endregion
            }
            else if ((htAccHandle.Count == 0) && (checkTrustHandle == false))
            {
                #region MS-LSAD_R826

                TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
                    (uint)ErrorStatus.InvalidHandle,
                    (uint)uintMethodStatus,
                    "MS-LSAD",
                    826,
                    @"If the handle of Opnum LsarQuerySecurityObject is not a valid context handle 
                    to an object, the server MUST return STATUS_INVALID_HANDLE. ");

                #endregion
            }
            // Reading the descriptor is expected to require READ_CONTROL on the handle the
            // object was opened with. SACL requests are deliberately excluded from this check
            // (presumably because SACL access is governed by a different right — TODO confirm
            // against the spec); a SACL request on a handle lacking READ_CONTROL therefore
            // falls through to the Success expectation below.
            else if ((securityInfo != SecurityInfo.SACLSecurityInformation) &&
                     ((uintOpenAccAccess & ACCESS_MASK.READ_CONTROL) != ACCESS_MASK.READ_CONTROL))
            {
                #region MS-LSAD_R825

                TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
                    (uint)ErrorStatus.AccessDenied,
                    (uint)uintMethodStatus,
                    "MS-LSAD",
                    825,
                    @"SecurityDescriptor of LsarQuerySecurityObject  MUST return  STATUS_ACCESS_DENIED 
                    if the caller does not have the permissions to perform the operation.");

                #endregion
            }
            else
            {
                #region MS-LSAD_R824

                TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
                    (uint)ErrorStatus.Success,
                    (uint)uintMethodStatus,
                    "MS-LSAD",
                    824,
                    @"SecurityDescriptor of LsarQuerySecurityObject return Values   that an implementation 
                    MUST return  STATUS_SUCCESS if the request was successfully completed.");

                #endregion
            }

            // The raw NTSTATUS from the last RPC call is returned, whether or not it matched
            // the captured expectation.
            return((ErrorStatus)uintMethodStatus);
        }
        /// <summary>
        ///  The SetSecurityObject method is invoked to set a security descriptor on an object.
        ///  This adapter method sends LsarSetSecurityObject to the server and then captures the
        ///  MS-LSAD requirements (R51, R52, R831 to R834, R836 to R838) that apply to the case it set up.
        ///  As in QuerySecurityObject, the handle sent to the server is selected from adapter state
        ///  (htAccHandle, checkTrustHandle, objAccountHandle / validTrustHandle);
        ///  <paramref name="handleInput"/> is not read by this body.
        /// </summary>
        /// <param name="handleInput">Contains any object handle (not read here; the handle sent to the
        /// server comes from adapter state) </param>
        /// <param name="securityInfo">Contains security descriptor information type. Owner and DACL
        /// select which access right the handle must have been opened with (WRITE_OWNER, or the
        /// writeDacl mask below) for a Success expectation</param>
        /// <param name="securityDescriptor">Contains security descriptor to be set. Null sends a null
        /// buffer with Length 0, Invalid sends a buffer whose first byte is zeroed, any other value
        /// sends the descriptor produced by utilities.SecurityDescriptor()</param>
        /// <returns>Returns Success if the method is successful
        /// Returns AccessDenied if the caller does not have the permissions to perform this operation
        /// Returns InvalidHandle if the handle passed in is not a valid object handle
        /// Returns NotSupported if the request is not supported for this object
        /// Returns InvalidParameter if the parameters passed to the method are not valid
        /// Returns InvalidSecurityDescr if the supplied security descriptor is invalid</returns>
        public ErrorStatus SetSecurityObject(
            int handleInput,
            SecurityInfo securityInfo,
            SecurityDescriptor securityDescriptor)
        {
            System.IntPtr?objInvalidAccountHandle = IntPtr.Zero;
            // NOTE(review): named "writeDacl", but 0x000F0FFF covers the standard-rights bits
            // (0x000F0000) plus every specific-rights bit (0x0FFF) — in Windows terms closer to a
            // full-control mask than to WRITE_DAC (0x00040000). The DACL branches below therefore
            // predict AccessDenied for any handle missing *any* of those bits, including one
            // opened with exactly WRITE_DAC. Confirm against the access masks the model opens with.
            uint          writeDacl = 0x000F0FFF;

            // A new policy handle is opened on every call; the previous objPolicyHandle is
            // overwritten and not closed here.
            uintMethodStatus = lsadClientStack.LsarOpenPolicy(
                serverName,
                objectAttributes,
                uintAccess,
                out objPolicyHandle);

            _LSAPR_SR_SECURITY_DESCRIPTOR secDescriptor = new _LSAPR_SR_SECURITY_DESCRIPTOR();

            // Default payload: the adapter's descriptor buffer with Length equal to the buffer size.
            secDescriptor.SecurityDescriptor = utilities.SecurityDescriptor();
            secDescriptor.Length             = (uint)secDescriptor.SecurityDescriptor.Length;

            ////Passing Trusteddomain object for STATUS_NOT_SUPPORTED status.
            // Trusted domain objects are stored in Active Directory rather than in the local
            // policy database, so the server is expected to refuse the set (R833/R838 below).
            // None of the SecurityInformation / descriptor variations below apply to this case.
            if ((htAccHandle.Count == 0) && (checkTrustHandle == true))
            {
                objAccountHandle = validTrustHandle;
            }
            else
            {
                if ((htAccHandle.Count == 0) && (checkTrustHandle == false))
                {
                    #region Passing InvalidHandle
                    // Manufacture a stale context handle: open (creating if necessary) an
                    // account object, take a second handle to it into objAccountHandle, then
                    // delete the object through the first handle.

                    uintDesrAccess   = ACCESS_MASK.MAXIMUM_ALLOWED;
                    uintMethodStatus = lsadClientStack.LsarOpenAccount(
                        objPolicyHandle.Value,
                        objAccountSid[0],
                        uintDesrAccess,
                        out objInvalidAccountHandle);

                    if (uintMethodStatus != 0)
                    {
                        uintMethodStatus = lsadClientStack.LsarCreateAccount(
                            objPolicyHandle.Value,
                            objAccountSid[0],
                            uintDesrAccess,
                            out objInvalidAccountHandle);
                    }

                    uintMethodStatus = lsadClientStack.LsarOpenAccount(
                        objPolicyHandle.Value,
                        objAccountSid[0],
                        uintDesrAccess,
                        out objAccountHandle);

                    // After this, objAccountHandle refers to a deleted object and is what gets
                    // sent to LsarSetSecurityObject below.
                    uintMethodStatus = lsadClientStack.LsarDeleteObject(ref objInvalidAccountHandle);

                    #endregion Passing InvalidHandle
                }

                // Choose the SecurityInformation value to send based on whether the handle was
                // opened with the right the spec requires for the requested part.
                // NOTE(review): neither 0x00080000 nor 0x99999999 is one of the low
                // OWNER/GROUP/DACL/SACL bits of the Windows SECURITY_INFORMATION type; how this
                // project's SECURITY_INFORMATION enum interprets them is not visible here — TODO
                // confirm. Because the "lacks the right" case also changes the argument sent, the
                // AccessDenied outcome below may be driven by the argument rather than by the
                // handle's access mask.
                if (securityInfo == SecurityInfo.OwnerSecurityInformation)
                {
                    if ((uintOpenAccAccess & ACCESS_MASK.WRITE_OWNER) == ACCESS_MASK.WRITE_OWNER)
                    {
                        uintSecurityInfo = 0x00080000;
                    }
                    else
                    {
                        uintSecurityInfo = 0x99999999;
                    }
                }
                else if (securityInfo == SecurityInfo.DACLSecurityInformation)
                {
                    if (((uint)uintOpenAccAccess & writeDacl) == writeDacl)
                    {
                        uintSecurityInfo = 0x00080000;
                    }
                    else
                    {
                        uintSecurityInfo = 0x99999999;
                    }
                }
                // Any other securityInfo value leaves uintSecurityInfo at whatever it held before.

                // Descriptor variations for the negative cases.
                if (securityDescriptor == SecurityDescriptor.Null)
                {
                    // Null buffer with Length 0: expected to be rejected as an invalid parameter (R837).
                    secDescriptor.SecurityDescriptor = null;
                    secDescriptor.Length             = (uint)0;
                }
                else if (securityDescriptor == SecurityDescriptor.Invalid)
                {
                    // Zero the first byte of the buffer (presumably the Revision field of a
                    // self-relative descriptor) so the server sees a malformed descriptor (R836).
                    secDescriptor.SecurityDescriptor[0] = 0x00000000;
                    secDescriptor.Length = (uint)secDescriptor.SecurityDescriptor.Length;
                }
            }

            uintMethodStatus = lsadClientStack.LsarSetSecurityObject(
                objAccountHandle.Value,
                (SECURITY_INFORMATION)uintSecurityInfo,
                secDescriptor);

            // Map the scenario set up above to the status the specification requires. The
            // chain encodes an assumed server check order: AD-backed object first, then
            // descriptor parameter checks, then handle validity, then access — so a null or
            // malformed descriptor sent on a stale handle is expected to report the descriptor
            // error rather than STATUS_INVALID_HANDLE. Confirm this order against the spec.
            if ((htAccHandle.Count == 0) && (checkTrustHandle == true))
            {
                #region MS-LSAD_R833

                TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
                    (uint)ErrorStatus.NotSupported,
                    (uint)uintMethodStatus,
                    "MS-LSAD",
                    833,
                    @"LsarSetSecurityObject  MUST return  STATUS_NOT_SUPPORTED 
                    if the operation is not supported for this object.");

                #endregion

                //Here we are passing TrustedDomainHandle(checkTrustHandle == true) for LsarSetSecurityObject
                #region MS-LSAD_R838

                TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
                    (uint)ErrorStatus.NotSupported,
                    (uint)uintMethodStatus,
                    "MS-LSAD",
                    838,
                    @"The Windows server will not return the security descriptor of objects it stores in Active 
                    Directory. It will return the security descriptor of objects in its local policy only. 
                    The objects stored in Active Directory include Global Secrets and trusted domain objects. 
                    For objects that fall into this category, a Windows server returns the STATUS_NOT_SUPPORTED status
                    code when it receives a LsarSetSecurityObject request.");

                #endregion
            }
            else if (securityDescriptor == SecurityDescriptor.Null)
            {
                #region MS-LSAD_R837

                TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
                    (uint)ErrorStatus.InvalidParameter,
                    (uint)uintMethodStatus,
                    "MS-LSAD",
                    837,
                    @"The server MUST return STATUS_InvalidParameter when one of the parameter of LsarSetSecurityObject 
                    supplied is inValid(for instance security descriptor)");

                #endregion
            }
            else if (securityDescriptor == SecurityDescriptor.Invalid)
            {
                #region MS-LSAD_R836

                TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
                    (uint)ErrorStatus.InvalidSecurityDescr,
                    (uint)uintMethodStatus,
                    "MS-LSAD",
                    836,
                    @"If the security descriptor in LsarSetSecurityObject is invalid, the server 
                    MUST return the STATUS_INVALID_SECURITY_DESCR status code.");

                #endregion
            }
            else if ((htAccHandle.Count == 0) && (checkTrustHandle == false))
            {
                #region MS-LSAD_R834

                TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
                    (uint)ErrorStatus.InvalidHandle,
                    (uint)uintMethodStatus,
                    "MS-LSAD",
                    834,
                    @"If the ObjectHandle in LsarSetSecurityObject is not a valid context handle to 
                    an object, the server MUST return STATUS_INVALID_HANDLE. ");

                #endregion
            }
            // Changing the owner requires WRITE_OWNER on the handle.
            else if ((securityInfo == SecurityInfo.OwnerSecurityInformation) &&
                     ((uintOpenAccAccess & ACCESS_MASK.WRITE_OWNER) != ACCESS_MASK.WRITE_OWNER))
            {
                #region MS-LSAD_R832

                TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
                    (uint)ErrorStatus.AccessDenied,
                    (uint)uintMethodStatus,
                    "MS-LSAD",
                    832,
                    @"LsarSetSecurityObject  MUST return  STATUS_ACCESS_DENIED if the caller does not 
                    have the permissions to perform this operation");

                #endregion
            }
            // Changing the DACL is checked against the writeDacl mask (see the note at its
            // declaration — this is stricter than a plain WRITE_DAC check).
            else if ((securityInfo == SecurityInfo.DACLSecurityInformation) &&
                     (((uint)uintOpenAccAccess & writeDacl) != writeDacl))
            {
                #region MS-LSAD_R832

                TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
                    (uint)ErrorStatus.AccessDenied,
                    (uint)uintMethodStatus,
                    "MS-LSAD",
                    832,
                    @"LsarSetSecurityObject  MUST return  STATUS_ACCESS_DENIED if the caller does not 
                    have the permissions to perform this operation");

                #endregion
            }
            else
            {
                // R51/R52 compare two fields this method itself set equal when it built the
                // request (Length = SecurityDescriptor.Length), so they are a self-consistency
                // check on the adapter's own payload, not an observation of server behaviour.
                #region MS-LSAD_R51

                TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
                    secDescriptor.Length,
                    (uint)secDescriptor.SecurityDescriptor.Length,
                    "MS-LSAD",
                    51,
                    @"The SecurityDescriptor field of the LSAPR_SR_SECURITY_DESCRIPTOR structure of the LSAD protocol
                    MUST contain the number of bytes that are specified in the Length field.");

                #endregion

                #region MS-LSAD_R52

                TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
                    secDescriptor.Length,
                    (uint)secDescriptor.SecurityDescriptor.Length,
                    "MS-LSAD",
                    52,
                    @"If the Length field of the LSAPR_SR_SECURITY_DESCRIPTOR structure of the LSAD protocol 
                    has a value other than 0, the SecurityDescriptor field MUST NOT be NULL.");

                #endregion

                #region MS-LSAD_R831

                TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
                    (uint)ErrorStatus.Success,
                    (uint)uintMethodStatus,
                    "MS-LSAD",
                    831,
                    @"LsarSetSecurityObject returns  MUST return  STATUS_SUCCESS 
                    if the request was successfully completed.");

                #endregion
            }

            // Adapter flag reset unconditionally on exit; it is set elsewhere (not visible here).
            invalidHandleCheck = false;

            // The raw NTSTATUS from the last RPC call is returned, whether or not it matched
            // the captured expectation.
            return((ErrorStatus)uintMethodStatus);
        }