public void SamrQuerySecurityObject_Group_OWNER_SECURITY_INFORMATION_NonDC() { ConnectAndOpenDomain_NonDC(_samrProtocolAdapter.domainMemberFqdn, _samrProtocolAdapter.domainMemberFqdn, out _serverHandle, out _domainHandle, Utilities.MAXIMUM_ALLOWED); string groupName = testGroupName; uint relativeId = 0; try { CreateGroup_NonDC(groupName, _serverHandle, _domainHandle, out _groupHandle, out relativeId); HRESULT result = _samrProtocolAdapter.SamrOpenGroup(_domainHandle, (uint)Common_ACCESS_MASK.READ_CONTROL, relativeId, out _groupHandle); Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrOpenGroup succeeded."); Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject with OWNER_SECURITY_INFORMATION"); _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor; result = _samrProtocolAdapter.SamrQuerySecurityObject(_groupHandle, SecurityInformation.OWNER_SECURITY_INFORMATION, out securityDescriptor); Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrQuerySecurityObject returns:{0}.", result); Site.Assert.IsNotNull(securityDescriptor, "The returned securityDescriptor should not be null."); _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor); Site.Assert.IsNotNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is set, the client requests that the Owner member be returned."); Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned."); Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned."); Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned."); Site.Assert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)sd.OwnerSid), "3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544)."); } finally { HRESULT result = _samrProtocolAdapter.SamrOpenGroup(_domainHandle, (uint)Group_ACCESS_MASK.GROUP_ALL_ACCESS, relativeId, out _groupHandle); Site.Log.Add(LogEntryKind.TestStep, "SamrOpenGroup: delete the created group."); result = _samrProtocolAdapter.SamrDeleteGroup(ref _groupHandle); Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrDeleteGroup succeeded."); } }
public void SamrQuerySecurityObject_User_DACL_SECURITY_INFORMATION() { ConnectAndOpenUser(_samrProtocolAdapter.PDCNetbiosName, _samrProtocolAdapter.PrimaryDomainDnsName, _samrProtocolAdapter.DomainAdministratorName, out _userHandle, (uint)Common_ACCESS_MASK.READ_CONTROL); Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject with DACL_SECURITY_INFORMATION."); _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor; HRESULT result = _samrProtocolAdapter.SamrQuerySecurityObject(_userHandle, SecurityInformation.DACL_SECURITY_INFORMATION, out securityDescriptor); Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrQuerySecurityObject returns:{0}.", result); Site.Assert.IsNotNull(securityDescriptor, "The returned securityDescriptor should not be null."); _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor); Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned."); Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned."); Site.Assert.IsNotNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is set, the client requests that the DACL be returned."); Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned."); bool isAdminSidMatched = false; bool isWorldSidMatched = false; bool isSelfMatched = false; foreach (var ace in sd.Dacl.Value.Aces) { if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(AdministratorSid, StringComparison.InvariantCultureIgnoreCase)) { if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)User_ACCESS_MASK.USER_ALL_ACCESS) { isAdminSidMatched = true; } } if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(WorldSid, StringComparison.InvariantCultureIgnoreCase)) { if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)(User_ACCESS_MASK.USER_EXECUTE | User_ACCESS_MASK.USER_READ)) { isWorldSidMatched = true; } } if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(_samrProtocolAdapter.DomainAdministratorSid.Value, StringComparison.InvariantCultureIgnoreCase)) { if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)(User_ACCESS_MASK.USER_WRITE)) { isSelfMatched = true; } } } Site.Assert.IsTrue(isAdminSidMatched, "3.1.5.12.2.1 if ObjectHandle.Object refers to a user object that is a member of Domain Admins or Administrators, the DACL MUST contain AdministratorSid:USER_ALL_ACCESS."); Site.Assert.IsTrue(isWorldSidMatched, "3.1.5.12.2.1 if ObjectHandle.Object refers to a user object that is a member of Domain Admins or Administrators, the DACL MUST contain WorldSid:USER_EXECUTE|USER_READ."); Site.Assert.IsTrue(isSelfMatched, "3.1.5.12.2.1 if ObjectHandle.Object refers to a user object that is a member of Domain Admins or Administrators, the DACL MUST contain Self:USER_WRITE."); }
public void SamrQuerySecurityObject_Server_Group_NonDC() { HRESULT hResult; IChecker PtfAssert = TestClassBase.BaseTestSite.Assert; Site.Log.Add(LogEntryKind.TestStep, string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.", _samrProtocolAdapter.domainMemberFqdn, _samrProtocolAdapter.domainMemberNetBIOSName, _samrProtocolAdapter.DMAdminName, _samrProtocolAdapter.DMAdminPassword)); _samrProtocolAdapter.SamrBind( _samrProtocolAdapter.domainMemberFqdn, _samrProtocolAdapter.domainMemberNetBIOSName, _samrProtocolAdapter.DMAdminName, _samrProtocolAdapter.DMAdminPassword, false, false); Site.Log.Add(LogEntryKind.TestStep, string.Format("SamrConnect5, Server:{0}, Desired Access: READ_CONTROL.", _samrProtocolAdapter.domainMemberFqdn)); hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5( _samrProtocolAdapter.domainMemberFqdn, (uint)COMMON_ACCESS_MASK.READ_CONTROL, out _serverHandle); PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS."); Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject, SecurityInformation: GROUP_SECURITY_INFORMATION."); _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor; hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrQuerySecurityObject( _serverHandle, SamrQuerySecurityObject_SecurityInformation_Values.GROUP_SECURITY_INFORMATION, out securityDescriptor); PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS."); PtfAssert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null."); _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor); PtfAssert.IsNotNull(sd.GroupSid, "[MS-SAMR] 3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is set, the client requests that the Group member be returned."); PtfAssert.IsNull(sd.OwnerSid, "[MS-SAMR] 3.1.5.12.2 The field(OwnerSid) of the security descriptor is not returned and is set to zero."); PtfAssert.IsNull(sd.Sacl, "[MS-SAMR] 3.1.5.12.2 The field(SACL) of the security descriptor is not returned and is set to zero."); PtfAssert.IsNull(sd.Dacl, "[MS-SAMR] 3.1.5.12.2 The field(DACL) of the security descriptor is not returned and is set to zero."); PtfAssert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)sd.GroupSid), "[MS-SAMR] 3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544)."); }
public void SamrQuerySecurityObject_Server_SACL() { HRESULT hResult; IChecker PtfAssert = TestClassBase.BaseTestSite.Assert; Site.Log.Add(LogEntryKind.TestStep, string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.", _samrProtocolAdapter.pdcNetBIOSName, _samrProtocolAdapter.primaryDomainFqdn, _samrProtocolAdapter.DomainAdministratorName, _samrProtocolAdapter.DomainUserPassword)); _samrProtocolAdapter.SamrBind( _samrProtocolAdapter.pdcNetBIOSName, _samrProtocolAdapter.primaryDomainFqdn, _samrProtocolAdapter.DomainAdministratorName, _samrProtocolAdapter.DomainUserPassword, false, true); Site.Log.Add(LogEntryKind.TestStep, string.Format("SamrConnect5, Server:{0}, Desired Access: ACCESS_SYSTEM_SECURITY.", _samrProtocolAdapter.PDCNetbiosName)); hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5( _samrProtocolAdapter.PDCNetbiosName, (uint)COMMON_ACCESS_MASK.ACCESS_SYSTEM_SECURITY, out _serverHandle); PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS."); Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject, SecurityInformation: SACL_SECURITY_INFORMATION."); _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor; hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrQuerySecurityObject( _serverHandle, SamrQuerySecurityObject_SecurityInformation_Values.SACL_SECURITY_INFORMATION, out securityDescriptor); PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS."); PtfAssert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null."); _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor); PtfAssert.IsNotNull(sd.Sacl, "[MS-SAMR] 3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is set, the client requests that the Sacl be returned."); PtfAssert.IsNull(sd.OwnerSid, "[MS-SAMR] 3.1.5.12.2 The field(OwnerSid) of the security descriptor is not returned and is set to zero."); PtfAssert.IsNull(sd.GroupSid, "[MS-SAMR] 3.1.5.12.2 The field(GroupSid) of the security descriptor is not returned and is set to zero."); PtfAssert.IsNull(sd.Dacl, "[MS-SAMR] 3.1.5.12.2 The field(DACL) of the security descriptor is not returned and is set to zero."); }
public void SamrQuerySecurityObject_Alias_SACL_SECURITY_INFORMATION_NonDC() { ConnectAndOpenDomain_NonDC(_samrProtocolAdapter.domainMemberFqdn, _samrProtocolAdapter.domainMemberFqdn, out _serverHandle, out _domainHandle, Utilities.MAXIMUM_ALLOWED); string aliasName = testAliasName; uint relativeId = 0; try { Site.Log.Add(LogEntryKind.TestStep, "SamrCreateAliasInDomain: create an alias with Name:{0}, and DesiredAccess:{1}", testAliasName, ALIAS_ACCESS_MASK.ALIAS_ALL_ACCESS); HRESULT result = _samrProtocolAdapter.SamrCreateAliasInDomain( _domainHandle, aliasName, (uint)ALIAS_ACCESS_MASK.ALIAS_ALL_ACCESS, out _aliasHandle, out relativeId); Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrCreateAliasInDomain returns:{0}.", result); Site.Assert.IsNotNull(_aliasHandle, "The returned alias handle is: {0}.", _aliasHandle); result = _samrProtocolAdapter.SamrOpenAlias(_domainHandle, (uint)Common_ACCESS_MASK.ACCESS_SYSTEM_SECURITY, relativeId, out _aliasHandle); Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrOpenAlias succeeded."); Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject with SACL_SECURITY_INFORMATION."); _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor; result = _samrProtocolAdapter.SamrQuerySecurityObject(_aliasHandle, SecurityInformation.SACL_SECURITY_INFORMATION, out securityDescriptor); Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrQuerySecurityObject returns:{0}.", result); Site.Assert.IsNotNull(securityDescriptor, "The returned securityDescriptor should not be null."); _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor); Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned."); Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned."); Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned."); Site.Assert.IsNotNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is set, the client requests that the SACL be returned."); } finally { HRESULT result = _samrProtocolAdapter.SamrOpenAlias(_domainHandle, (uint)ALIAS_ACCESS_MASK.ALIAS_ALL_ACCESS, relativeId, out _aliasHandle); Site.Log.Add(LogEntryKind.TestStep, "SamrOpenAlias: delete the created alias."); result = _samrProtocolAdapter.SamrDeleteAlias(ref _aliasHandle); Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrDeleteAlias succeeded."); } }
public void SamrSetSecurityObject_Owner_SECURITY_INFORMATION_Domain() { HRESULT hResult; ConnectAndOpenDomain(_samrProtocolAdapter.PDCNetbiosName, _samrProtocolAdapter.PrimaryDomainDnsName, out _serverHandle, out _domainHandle, (uint)(Common_ACCESS_MASK.WRITE_OWNER | Common_ACCESS_MASK.READ_CONTROL)); CommonSecurityDescriptor commonsd = new CommonSecurityDescriptor(false, true, "O:BGG:BA"); byte[] buffer = new byte[commonsd.BinaryLength]; commonsd.GetBinaryForm(buffer, 0); _SAMPR_SR_SECURITY_DESCRIPTOR securityDescriptor = new _SAMPR_SR_SECURITY_DESCRIPTOR() { SecurityDescriptor = buffer, Length = (uint)buffer.Length }; Site.Log.Add(LogEntryKind.TestStep, "SamrSetSecurityObject, SecurityInformation: OWNER_SECURITY_INFORMATION as Built-in Guests."); hResult = _samrProtocolAdapter.SamrSetSecurityObject(_domainHandle, SecurityInformation.OWNER_SECURITY_INFORMATION, securityDescriptor); Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "If the database object referenced by ObjectHandle.Object is not a user object and the DACL_SECURITY_INFORMATION is not set in SecurityInformation, the server MUST silently ignore the request by aborting processing and returning 0."); Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject to check again, SecurityInformation: OWNER_SECURITY_INFORMATION."); _SAMPR_SR_SECURITY_DESCRIPTOR?sd; hResult = _samrProtocolAdapter.SamrQuerySecurityObject(_domainHandle, SecurityInformation.OWNER_SECURITY_INFORMATION, out sd); Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS."); Site.Assert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null."); // Initializing SecurityDescriptor object using the obtained bytes of security descriptor. CommonSecurityDescriptor ObtainedSecurityDescriptor = new CommonSecurityDescriptor(false, true, sd.Value.SecurityDescriptor, 0); Site.Assert.AreEqual("O:BA", ObtainedSecurityDescriptor.GetSddlForm(AccessControlSections.Owner), "Owner should still be the Administrator."); _SECURITY_DESCRIPTOR secdes = DtypUtility.DecodeSecurityDescriptor(sd.Value.SecurityDescriptor); Site.Assert.IsNotNull(secdes.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is set, the client requests that the Owner member be returned."); Site.Assert.IsNull(secdes.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned."); Site.Assert.IsNull(secdes.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned."); Site.Assert.IsNull(secdes.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned."); Site.Assert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)secdes.OwnerSid), "3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544)."); }
public void SamrQuerySecurityObject_User_SACL_SECURITY_INFORMATION_NonDC() { ConnectAndOpenUser_NonDC(_samrProtocolAdapter.domainMemberFqdn, _samrProtocolAdapter.domainMemberFqdn, _samrProtocolAdapter.DMAdminName, out _userHandle, (uint)Common_ACCESS_MASK.ACCESS_SYSTEM_SECURITY); Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject with SACL_SECURITY_INFORMATION."); _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor; HRESULT result = _samrProtocolAdapter.SamrQuerySecurityObject(_userHandle, SecurityInformation.SACL_SECURITY_INFORMATION, out securityDescriptor); Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrQuerySecurityObject returns:{0}.", result); Site.Assert.IsNotNull(securityDescriptor, "The returned securityDescriptor should not be null."); _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor); Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned."); Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned."); Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned."); Site.Assert.IsNotNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is set, the client requests that the SACL be returned."); }
private void SetSecurityDescriptorOnDynamicallyConfigurableShare(object ace) { _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(originalShareInfo.Value.shi502_security_descriptor); _ACL dacl = sd.Dacl.Value; DtypUtility.AddAceToAcl(ref dacl, true, ace); sd.Dacl = dacl; DtypUtility.UpdateSecurityDescriptor(ref sd); SHARE_INFO_502_I newShareInfo = originalShareInfo.Value; newShareInfo.shi502_security_descriptor = DtypUtility.EncodeSecurityDescriptor(sd); newShareInfo.shi502_reserved = (uint)newShareInfo.shi502_security_descriptor.Length; BaseTestSite.Log.Add(LogEntryKind.TestStep, "Set Security Descriptor on the share ({0}): {1}.", Smb2Utility.GetUncPath(TestConfig.SutComputerName, dynamicallyConfigurableShareName), DtypUtility.ToSddlString(sd)); SetShareInfo(dynamicallyConfigurableShareName, newShareInfo); }
public void SamrQuerySecurityObject_Group_OWNER_SECURITY_INFORMATION() { ConnectAndOpenGroup(_samrProtocolAdapter.pdcFqdn, _samrProtocolAdapter.PrimaryDomainDnsName, _samrProtocolAdapter.DomainAdminGroup, out _groupHandle, (uint)Common_ACCESS_MASK.READ_CONTROL); Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject with OWNER_SECURITY_INFORMATION"); _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor; HRESULT result = _samrProtocolAdapter.SamrQuerySecurityObject(_groupHandle, SecurityInformation.OWNER_SECURITY_INFORMATION, out securityDescriptor); Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrQuerySecurityObject returns:{0}.", result); Site.Assert.IsNotNull(securityDescriptor, "The returned securityDescriptor should not be null."); _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor); Site.Assert.IsNotNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is set, the client requests that the Owner member be returned."); Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned."); Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned."); Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned."); Site.Assert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)sd.OwnerSid), "3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544)."); }
public void SamrQuerySecurityObjectForAlias_OWNER_SECURITY_INFORMATION() { aliasTestPrerequisite(); createAlias(); Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject with OWNER_SECURITY_INFORMATION"); _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor; HRESULT result = _samrProtocolAdapter.SamrQuerySecurityObject(_aliasHandle, SecurityInformation.OWNER_SECURITY_INFORMATION, out securityDescriptor); Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrQuerySecurityObject returns:{0}.", result); Site.Assert.IsNotNull(securityDescriptor, "The returned securityDescriptor should not be null."); _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor); Site.Assert.IsNotNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is set, the client requests that the Owner member be returned."); Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned."); Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned."); Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned."); Site.Assert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)sd.OwnerSid), "3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544)."); }
public void SamrQuerySecurityObject_INVALID_SECURITY_INFORMATION_Domain_NonDC() { HRESULT hResult; ConnectAndOpenDomain_NonDC(_samrProtocolAdapter.domainMemberFqdn, _samrProtocolAdapter.domainMemberFqdn, out _serverHandle, out _domainHandle, (uint)Common_ACCESS_MASK.READ_CONTROL); Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject, SecurityInformation: INVALID_SECURITY_INFORMATION."); _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor; hResult = _samrProtocolAdapter.SamrQuerySecurityObject(_domainHandle, SecurityInformation.INVALID_SECURITY_INFORMATION, out securityDescriptor); Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "If there is not any valid bit in the SECURITY_INFORMATION, all other bits MUST be zero when sent and ignored on receipt."); _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor); Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned."); Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned."); Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned."); Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned."); }
public void SamrQuerySecurityObject_INVALID_SECURITY_INFORMATION_Domain() { HRESULT hResult; ConnectAndOpenDomain(_samrProtocolAdapter.PDCNetbiosName, _samrProtocolAdapter.PrimaryDomainDnsName, out _serverHandle, out _domainHandle); Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject, SecurityInformation: INVALID_SECURITY_INFORMATION."); _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor; hResult = _samrProtocolAdapter.SamrQuerySecurityObject(_domainHandle, SecurityInformation.INVALID_SECURITY_INFORMATION, out securityDescriptor); // TDI? Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "The following bits are valid; all other bits MUST be zero when sent and ignored on receipt."); _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor); Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned."); Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned."); Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned."); Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned."); }
public void SamrQuerySecurityObject_SACL_SECURITY_INFORMATION_Domain() { HRESULT hResult; ConnectAndOpenDomain(_samrProtocolAdapter.PDCNetbiosName, _samrProtocolAdapter.PrimaryDomainDnsName, out _serverHandle, out _domainHandle, (uint)Common_ACCESS_MASK.ACCESS_SYSTEM_SECURITY); Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject, SecurityInformation: SACL_SECURITY_INFORMATION."); _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor; hResult = _samrProtocolAdapter.SamrQuerySecurityObject(_domainHandle, SecurityInformation.SACL_SECURITY_INFORMATION, out securityDescriptor); Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS."); Site.Assert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null."); _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor); Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned."); Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned."); Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned."); Site.Assert.IsNotNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is set, the client requests that the SACL be returned."); }
public void SamrQuerySecurityObject_Group_DACL_SECURITY_INFORMATION_Domain() { HRESULT hResult; ConnectAndOpenDomain(_samrProtocolAdapter.PDCNetbiosName, _samrProtocolAdapter.PrimaryDomainDnsName, out _serverHandle, out _domainHandle, (uint)Common_ACCESS_MASK.READ_CONTROL); Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject, SecurityInformation: GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION."); _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor; hResult = _samrProtocolAdapter.SamrQuerySecurityObject(_domainHandle, SecurityInformation.GROUP_SECURITY_INFORMATION | SecurityInformation.DACL_SECURITY_INFORMATION, out securityDescriptor); Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS."); Site.Assert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null."); _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor); Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned."); Site.Assert.IsNotNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is set, the client requests that the Group member be returned."); Site.Assert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)sd.GroupSid), "3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544)."); Site.Assert.IsNotNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is set, the client requests that the DACL be returned."); Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned."); bool isAdminSidMatched = false; bool isWorldSidMatched = false; bool isAccountOperatorSidMatched = false; foreach (var ace in sd.Dacl.Value.Aces) { if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(AdministratorSid, StringComparison.InvariantCultureIgnoreCase)) { if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)(DOMAIN_ACCESS_MASK.DOMAIN_ALL_ACCESS)) { isAdminSidMatched = true; } else { Site.Log.Add(LogEntryKind.Debug, "The AdministratorSid's Access Mask is {0}.", ((_ACCESS_ALLOWED_ACE)ace).Mask); } } if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(WorldSid, StringComparison.InvariantCultureIgnoreCase)) { if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)(DOMAIN_ACCESS_MASK.DOMAIN_ALL_EXECUTE | DOMAIN_ACCESS_MASK.DOMAIN_READ)) { isWorldSidMatched = true; } else { Site.Log.Add(LogEntryKind.Debug, "The WorldSid's Access Mask is {0}.", ((_ACCESS_ALLOWED_ACE)ace).Mask); } } if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(AccountOperatorsSid, StringComparison.InvariantCultureIgnoreCase)) { if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)(DOMAIN_ACCESS_MASK.DOMAIN_ALL_EXECUTE | DOMAIN_ACCESS_MASK.DOMAIN_READ | DOMAIN_ACCESS_MASK.DOMAIN_CREATE_USER | DOMAIN_ACCESS_MASK.DOMAIN_CREATE_GROUP | DOMAIN_ACCESS_MASK.DOMAIN_CREATE_ALIAS)) { isAccountOperatorSidMatched = true; } else { Site.Log.Add(LogEntryKind.Debug, "The AccountOperatorSid's Access Mask is {0}.", ((_ACCESS_ALLOWED_ACE)ace).Mask); } } } Site.Assert.IsTrue(isWorldSidMatched, "3.1.5.12.2.1 If ObjectHandle.Object refers to a domain object, the DACL MUST contain WorldSid:DOMAIN_EXECUTE | DOMAIN_READ."); Site.Assert.IsTrue(isAdminSidMatched, "3.1.5.12.2.1 If ObjectHandle.Object refers to a domain object, the DACL MUST contain AdministratorSid:DOMAIN_ALL_ACCESS."); Site.Assert.IsTrue(isAccountOperatorSidMatched, "3.1.5.12.2.1 If ObjectHandle.Object refers to a domain object, the DACL MUST contain AccountOperatorSid:DOMAIN_EXECUTE | DOMAIN_READ | DOMAIN_CREATE_USER | DOMAIN_CREATE_GROUP | DOMAIN_CREATE_ALIAS."); }
public void SamrSetSecurityObject_Owner_SECURITY_INFORMATION_Domain_NonDC() { ConnectAndOpenDomain_NonDC(_samrProtocolAdapter.domainMemberFqdn, _samrProtocolAdapter.domainMemberFqdn, out _serverHandle, out _domainHandle, Utilities.WRITE_OWNER | Utilities.DOMAIN_READ); try { Site.Log.Add(LogEntryKind.TestStep, "Set the owner of DM domain to be Built-in Guest."); CommonSecurityDescriptor commonsd = new CommonSecurityDescriptor(false, true, "O:BGG:BA"); byte[] buffer = new byte[commonsd.BinaryLength]; commonsd.GetBinaryForm(buffer, 0); _SAMPR_SR_SECURITY_DESCRIPTOR securityDescriptor = new _SAMPR_SR_SECURITY_DESCRIPTOR() { SecurityDescriptor = buffer, Length = (uint)buffer.Length }; _SAMPR_SR_SECURITY_DESCRIPTOR?sd; Site.Log.Add(LogEntryKind.TestStep, "SamrSetSecurityObject, SecurityInformation: OWNER_SECURITY_INFORMATION. "); HRESULT hResult = _samrProtocolAdapter.SamrSetSecurityObject(_domainHandle, SecurityInformation.OWNER_SECURITY_INFORMATION, securityDescriptor); Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrSetSecurityObject must return STATUS_SUCCESS."); Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject to check again, SecurityInformation: OWNER_SECURITY_INFORMATION."); hResult = _samrProtocolAdapter.SamrQuerySecurityObject(_domainHandle, SecurityInformation.OWNER_SECURITY_INFORMATION, out sd); Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS."); Site.Assert.IsNotNull(sd, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null."); CommonSecurityDescriptor ObtainedSecurityDescriptor = new CommonSecurityDescriptor(false, true, sd.Value.SecurityDescriptor, 0); Site.Assert.AreEqual("O:BG", ObtainedSecurityDescriptor.GetSddlForm(AccessControlSections.Owner), "Owner should be Built-in Guest."); _SECURITY_DESCRIPTOR secdes = DtypUtility.DecodeSecurityDescriptor(sd.Value.SecurityDescriptor); Site.Assert.IsNotNull(secdes.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is set, the client requests that the Owner member be returned."); Site.Assert.IsNull(secdes.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned."); Site.Assert.IsNull(secdes.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned."); Site.Assert.IsNull(secdes.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned."); } finally { Site.Log.Add(LogEntryKind.TestStep, "Change the owner of DM domain back to Built-in Administrator."); CommonSecurityDescriptor commonsd = new CommonSecurityDescriptor(false, true, "O:BAG:BA"); byte[] buffer = new byte[commonsd.BinaryLength]; commonsd.GetBinaryForm(buffer, 0); _SAMPR_SR_SECURITY_DESCRIPTOR securityDescriptor = new _SAMPR_SR_SECURITY_DESCRIPTOR() { SecurityDescriptor = buffer, Length = (uint)buffer.Length }; Site.Log.Add(LogEntryKind.TestStep, "SamrSetSecurityObject, SecurityInformation: OWNER_SECURITY_INFORMATION. "); HRESULT hResult = _samrProtocolAdapter.SamrSetSecurityObject(_domainHandle, SecurityInformation.OWNER_SECURITY_INFORMATION, securityDescriptor); Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrSetSecurityObject must return STATUS_SUCCESS."); Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject to check again, SecurityInformation: OWNER_SECURITY_INFORMATION."); _SAMPR_SR_SECURITY_DESCRIPTOR?sd; hResult = _samrProtocolAdapter.SamrQuerySecurityObject(_domainHandle, SecurityInformation.OWNER_SECURITY_INFORMATION, out sd); CommonSecurityDescriptor ObtainedSecurityDescriptor = new CommonSecurityDescriptor(false, true, sd.Value.SecurityDescriptor, 0); Site.Assert.AreEqual("O:BA", ObtainedSecurityDescriptor.GetSddlForm(AccessControlSections.Owner), "Owner should be changed back to the Administrator."); } }
public void SamrQuerySecurityObject_Server_DACL_NonDC() { HRESULT hResult; IChecker PtfAssert = TestClassBase.BaseTestSite.Assert; Site.Log.Add(LogEntryKind.TestStep, string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.", _samrProtocolAdapter.domainMemberFqdn, _samrProtocolAdapter.domainMemberNetBIOSName, _samrProtocolAdapter.DMAdminName, _samrProtocolAdapter.DMAdminPassword)); _samrProtocolAdapter.SamrBind( _samrProtocolAdapter.domainMemberFqdn, _samrProtocolAdapter.domainMemberNetBIOSName, _samrProtocolAdapter.DMAdminName, _samrProtocolAdapter.DMAdminPassword, false, false); Site.Log.Add(LogEntryKind.TestStep, string.Format("SamrConnect5, Server:{0}, Desired Access: READ_CONTROL.", _samrProtocolAdapter.domainMemberFqdn)); hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5( _samrProtocolAdapter.domainMemberFqdn, (uint)COMMON_ACCESS_MASK.READ_CONTROL, out _serverHandle); PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS."); Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject, SecurityInformation: DACL_SECURITY_INFORMATION."); _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor; hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrQuerySecurityObject( _serverHandle, SamrQuerySecurityObject_SecurityInformation_Values.DACL_SECURITY_INFORMATION, out securityDescriptor); PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS."); PtfAssert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null."); _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor); PtfAssert.IsNotNull(sd.Dacl, "[MS-SAMR] 3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is set, the client requests that the DACL be returned."); PtfAssert.IsNull(sd.OwnerSid, "[MS-SAMR] 3.1.5.12.2 The field(OwnerSid) of the security descriptor is not returned and is set to zero."); PtfAssert.IsNull(sd.GroupSid, "[MS-SAMR] 3.1.5.12.2 The field(GroupSid) of the security descriptor is not returned and is set to zero."); PtfAssert.IsNull(sd.Sacl, "[MS-SAMR] 3.1.5.12.2 The field(SACL) of the security descriptor is not returned and is set to zero."); Site.Log.Add(LogEntryKind.TestStep, "Verifies that the DACL returned from the server contains the following ACEs: WorldSid(SAM_SERVER_EXECUTE | SAM_SERVER_READ), AdministratorSid(SAM_SERVER_ALL_ACCESS"); bool worldSidFound = false; uint worldSidMask = 0; bool adminSidFound = false; uint adminSidMask = 0; foreach (var o in sd.Dacl.Value.Aces) { if (!(o is Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE)) { continue; } Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE ace = (Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE)o; switch (DtypUtility.ToSddlString(ace.Sid)) { case AdministratorSid: adminSidFound = true; adminSidMask = ace.Mask; break; case WorldSid: worldSidFound = true; worldSidMask = ace.Mask; break; } } PtfAssert.IsTrue(worldSidFound, "[MS-SAMR] 3.1.5.12.2 If ObjectHandle.Object refers to the server object, the DACL MUST contain the following ACE. WorldSid"); PtfAssert.AreEqual(SERVER_ACCESS_MASK.SAM_SERVER_EXECUTE | SERVER_ACCESS_MASK.SAM_SERVER_READ, (SERVER_ACCESS_MASK)worldSidMask, "The access mask of WorldSid is SAM_SERVER_EXECUTE|SAM_SERVER_READ."); PtfAssert.IsTrue(adminSidFound, "[MS-SAMR] 3.1.5.12.2 If ObjectHandle.Object refers to the server object, the DACL MUST contain the following ACE. AdministratorSid"); PtfAssert.AreEqual(SERVER_ACCESS_MASK.SAM_SERVER_ALL_ACCESS, (SERVER_ACCESS_MASK)adminSidMask, "The access mask of AdministratorSid is SAM_SERVER_ALL_ACCESS."); }
public void SamrQuerySecurityObject_Group_DACL_SECURITY_INFORMATION_NonDomainAdminGroup() { ConnectAndOpenGroup(_samrProtocolAdapter.pdcFqdn, _samrProtocolAdapter.PrimaryDomainDnsName, "Domain Users", out _groupHandle, (uint)Common_ACCESS_MASK.READ_CONTROL); Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject with DACL_SECURITY_INFORMATION."); _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor; HRESULT result = _samrProtocolAdapter.SamrQuerySecurityObject(_groupHandle, SecurityInformation.DACL_SECURITY_INFORMATION, out securityDescriptor); Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrQuerySecurityObject returns:{0}.", result); Site.Assert.IsNotNull(securityDescriptor, "The returned securityDescriptor should not be null."); _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor); Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned."); Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned."); Site.Assert.IsNotNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is set, the client requests that the DACL be returned."); Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned."); bool isAdminSidMatched = false; bool isWorldSidMatched = false; bool isAccountOperatorsSidMatched = false; foreach (var ace in sd.Dacl.Value.Aces) { if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(AdministratorSid, StringComparison.InvariantCultureIgnoreCase)) { if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)Group_ACCESS_MASK.GROUP_ALL_ACCESS) { isAdminSidMatched = true; } else { Site.Log.Add(LogEntryKind.Debug, "The AdministratorSid's Access Mask is {0}.", ((_ACCESS_ALLOWED_ACE)ace).Mask); } } if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(WorldSid, StringComparison.InvariantCultureIgnoreCase)) { if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)(Group_ACCESS_MASK.GROUP_EXECUTE | Group_ACCESS_MASK.GROUP_READ)) { isWorldSidMatched = true; } else { Site.Log.Add(LogEntryKind.Debug, "The WorldSid's Access Mask is {0}.", ((_ACCESS_ALLOWED_ACE)ace).Mask); } } if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(AccountOperatorsSid, StringComparison.InvariantCultureIgnoreCase)) { if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)(Group_ACCESS_MASK.GROUP_ALL_ACCESS)) { isAccountOperatorsSidMatched = true; } else { Site.Log.Add(LogEntryKind.Debug, "The AccountOperatorsSid's Access Mask is {0}.", ((_ACCESS_ALLOWED_ACE)ace).Mask); } } } Site.Assert.IsTrue(isAdminSidMatched, "3.1.5.12.2.1 if ObjectHandle.Object refers to any group object that does not satisfy the previous condition, the DACL MUST contain AdministratorSid:GROUP_ALL_ACCESS."); Site.Assert.IsTrue(isWorldSidMatched, "3.1.5.12.2.1 if ObjectHandle.Object refers to any group object that does not satisfy the previous condition, the DACL MUST contain WorldSid:GROUP_EXECUTE|GROUP_READ."); Site.Assert.IsTrue(isAccountOperatorsSidMatched, "3.1.5.12.2.1 if ObjectHandle.Object refers to any group object that does not satisfy the previous condition, the DACL MUST contain AccountOperatorSid:GROUP_ALL_ACCESS."); }