public void TestAcl3() { var sid = WindowsIdentity.GetCurrent().User; SecurityIdentifier wks = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null); DiscretionaryAcl dacl1 = new DiscretionaryAcl(false, false, 1); dacl1.AddAccess(AccessControlType.Allow, sid, 0x200, InheritanceFlags.None, PropagationFlags.None); CommonSecurityDescriptor csd = new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent, sid, sid, null, dacl1); DiscretionaryAcl dacl2 = new DiscretionaryAcl(false, false, 1); dacl2.AddAccess(AccessControlType.Allow, wks, 0x400, InheritanceFlags.None, PropagationFlags.None); CommonSecurityDescriptor csd2 = new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent, wks, wks, null, dacl2); List <GenericSecurityDescriptor> list = new List <GenericSecurityDescriptor>(); list.Add(csd); list.Add(csd2); using AuthorizationContext c = new AuthorizationContext(WindowsIdentity.GetCurrent().User); Assert.IsTrue(c.AccessCheck(csd, 0x200)); Assert.IsTrue(c.AccessCheck(list, 0x400)); Assert.IsTrue(c.AccessCheck(list, 0x600)); Assert.IsFalse(c.AccessCheck(csd, 0x800)); Assert.IsFalse(c.AccessCheck(list, 0x800)); }
public void TestScriptDenyLapsJitGrantLapsHistory() { IUser user = directory.GetUser(WindowsIdentity.GetCurrent().User); IComputer computer = directory.GetComputer(C.DEV_PC1); var sd = generator.GenerateSecurityDescriptor(user, computer, "AuthZTestDenyLapsJitGrantLapsHistory.ps1", 30); using AuthorizationContext context = new AuthorizationContext(user.Sid); Assert.IsFalse(context.AccessCheck(sd, (int)AccessMask.Jit)); Assert.IsFalse(context.AccessCheck(sd, (int)AccessMask.LocalAdminPassword)); Assert.IsTrue(context.AccessCheck(sd, (int)AccessMask.LocalAdminPasswordHistory)); }
public void TestScriptGrantLapsJit() { IUser user = directory.GetUser(WindowsIdentity.GetCurrent().User); var sd = generator.GenerateSecurityDescriptor(user, null, "AuthZTestGrantLapsJit.ps1", 30); using AuthorizationContext context = new AuthorizationContext(user.Sid); Assert.IsTrue(context.AccessCheck(sd, (int)AccessMask.Jit)); Assert.IsTrue(context.AccessCheck(sd, (int)AccessMask.Laps)); Assert.IsFalse(context.AccessCheck(sd, (int)AccessMask.LapsHistory)); }
private void CheckCertificatePermissions() { this.HasPermission = false; this.HasNoPermission = false; this.HasPermissionError = false; this.PermissionError = null; if (this.HasNoPrivateKey) { return; } try { var security = this.Model.GetPrivateKeySecurity(); using AuthorizationContext c = new AuthorizationContext(this.serviceSettings.GetServiceAccount()); GenericSecurityDescriptor sd = new RawSecurityDescriptor(security.GetSecurityDescriptorSddlForm(AccessControlSections.All)); this.HasPermission = c.AccessCheck(sd, (int)FileSystemRights.Read); this.HasNoPermission = !this.HasPermission; } catch (Exception ex) { this.logger.LogError(EventIDs.UIGenericError, ex, "Could not read private key security for certificate {thumbprint}", this.Model.Thumbprint); this.HasPermissionError = true; this.PermissionError = $"Error: {ex.Message}"; } }
private bool IsMatch(string trustee, string requestor, string domainName, AccessControlType aceType = AccessControlType.Allow) { var user = directory.GetUser(requestor); var p = directory.GetPrincipal(trustee); DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1); dacl.AddAccess(aceType, p.Sid, (int)AccessMask.Jit, InheritanceFlags.None, PropagationFlags.None); CommonSecurityDescriptor sd = new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), null, null, dacl); string serverName; if (domainName == null) { serverName = discoveryServices.GetDomainController(discoveryServices.GetDomainNameDns(p.Sid)); } else { serverName = discoveryServices.GetDomainController(domainName); } using AuthorizationContext c = new AuthorizationContext(user.Sid, serverName); return(c.AccessCheck(sd, (int)AccessMask.Jit)); }
public bool HasPermission(X509Certificate2 cert, SecurityIdentifier sid) { var security = cert.GetPrivateKeySecurity(); using AuthorizationContext c = new AuthorizationContext(sid); GenericSecurityDescriptor sd = new RawSecurityDescriptor(security.GetSecurityDescriptorSddlForm(AccessControlSections.All)); return(c.AccessCheck(sd, (int)FileSystemRights.Read)); }
public void TestLapsSecurityDescriptor(AccessMask allowedAccess, AccessMask deniedAccess, bool expectedResult) { SecurityIdentifier user = WindowsIdentity.GetCurrent().User; PowerShellAuthorizationResponse response = this.AccessMaskToPowerShellAuthorizationResponse(allowedAccess, deniedAccess); var sd = generator.GenerateSecurityDescriptor(user, response); using AuthorizationContext context = new AuthorizationContext(user); Assert.AreEqual(expectedResult, context.AccessCheck(sd, (int)AccessMask.LocalAdminPassword)); }
public void TestSd(AccessMask allowedAccess, AccessMask deniedAccess) { SecurityIdentifier user = WindowsIdentity.GetCurrent().User; PowerShellAuthorizationResponse response = this.AccessMaskToPowerShellAuthorizationResponse(allowedAccess, deniedAccess); var sd = generator.GenerateSecurityDescriptor(user, response); using AuthorizationContext context = new AuthorizationContext(user); Assert.AreEqual(response.IsJitAllowed && !response.IsJitDenied, context.AccessCheck(sd, (int)AccessMask.Jit)); Assert.AreEqual(response.IsLocalAdminPasswordAllowed && !response.IsLocalAdminPasswordDenied, context.AccessCheck(sd, (int)AccessMask.LocalAdminPassword)); Assert.AreEqual(response.IsLocalAdminPasswordHistoryAllowed && !response.IsLocalAdminPasswordHistoryDenied, context.AccessCheck(sd, (int)AccessMask.LocalAdminPasswordHistory)); }
private AuthorizationInformation BuildAuthorizationInformation(IUser user, IComputer computer) { AuthorizationInformation info = new AuthorizationInformation { MatchedComputerTargets = this.GetMatchingTargetsForComputer(computer), EffectiveAccess = 0, Computer = computer, User = user }; if (info.MatchedComputerTargets.Count == 0) { return(info); } using AuthorizationContext c = authorizationContextProvider.GetAuthorizationContext(user, computer.Sid); DiscretionaryAcl masterDacl = new DiscretionaryAcl(false, false, info.MatchedComputerTargets.Count); int matchedTargetCount = 0; foreach (var target in info.MatchedComputerTargets) { CommonSecurityDescriptor sd; if (target.AuthorizationMode == AuthorizationMode.PowershellScript) { sd = this.powershell.GenerateSecurityDescriptor(user, computer, target.Script, 30); } else { if (string.IsNullOrWhiteSpace(target.SecurityDescriptor)) { this.logger.LogTrace($"Ignoring target {target.Id} with empty security descriptor"); continue; } sd = new CommonSecurityDescriptor(false, false, new RawSecurityDescriptor(target.SecurityDescriptor)); } if (sd == null) { this.logger.LogTrace($"Ignoring target {target.Id} with null security descriptor"); continue; } foreach (var ace in sd.DiscretionaryAcl.OfType <CommonAce>()) { masterDacl.AddAccess( (AccessControlType)ace.AceType, ace.SecurityIdentifier, ace.AccessMask, ace.InheritanceFlags, ace.PropagationFlags); } int i = matchedTargetCount; if (c.AccessCheck(sd, (int)AccessMask.Laps)) { info.SuccessfulLapsTargets.Add(target); matchedTargetCount++; } if (c.AccessCheck(sd, (int)AccessMask.LapsHistory)) { info.SuccessfulLapsHistoryTargets.Add(target); matchedTargetCount++; } if (c.AccessCheck(sd, (int)AccessMask.Jit)) { info.SuccessfulJitTargets.Add(target); matchedTargetCount++; } // If the ACE did not grant any permissions to the user, consider it a failure response if (i == matchedTargetCount) { info.FailedTargets.Add(target); } } if (matchedTargetCount > 0) { info.SecurityDescriptor = new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), null, null, masterDacl); this.logger.LogTrace($"Resultant security descriptor for computer {computer.MsDsPrincipalName}: {info.SecurityDescriptor.GetSddlForm(AccessControlSections.All)}"); info.EffectiveAccess |= c.AccessCheck(info.SecurityDescriptor, (int)AccessMask.Laps) ? AccessMask.Laps : 0; info.EffectiveAccess |= c.AccessCheck(info.SecurityDescriptor, (int)AccessMask.Jit) ? AccessMask.Jit : 0; info.EffectiveAccess |= c.AccessCheck(info.SecurityDescriptor, (int)AccessMask.LapsHistory) ? AccessMask.LapsHistory : 0; } this.logger.LogTrace($"User {user.MsDsPrincipalName} has effective access of {info.EffectiveAccess} on computer {computer.MsDsPrincipalName}"); return(info); }