private void SetSecurityDescriptorOnDynamicallyConfigurableShare(object ace)
        {
            _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(originalShareInfo.Value.shi502_security_descriptor);

            _ACL dacl = sd.Dacl.Value;

            DtypUtility.AddAceToAcl(ref dacl, true, ace);
            sd.Dacl = dacl;

            DtypUtility.UpdateSecurityDescriptor(ref sd);

            SHARE_INFO_502_I newShareInfo = originalShareInfo.Value;

            newShareInfo.shi502_security_descriptor = DtypUtility.EncodeSecurityDescriptor(sd);
            newShareInfo.shi502_reserved            = (uint)newShareInfo.shi502_security_descriptor.Length;
            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Set Security Descriptor on the share ({0}): {1}.",
                                 Smb2Utility.GetUncPath(TestConfig.SutComputerName, dynamicallyConfigurableShareName), DtypUtility.ToSddlString(sd));
            SetShareInfo(dynamicallyConfigurableShareName, newShareInfo);
        }
        public void SamrQuerySecurityObject_User_SACL_SECURITY_INFORMATION()
        {
            ConnectAndOpenUser(_samrProtocolAdapter.PDCNetbiosName, _samrProtocolAdapter.PrimaryDomainDnsName,
                               _samrProtocolAdapter.DomainAdministratorName, out _userHandle, (uint)Common_ACCESS_MASK.ACCESS_SYSTEM_SECURITY);

            Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject with SACL_SECURITY_INFORMATION.");
            _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;

            HRESULT result = _samrProtocolAdapter.SamrQuerySecurityObject(_userHandle, SecurityInformation.SACL_SECURITY_INFORMATION, out securityDescriptor);

            Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrQuerySecurityObject returns:{0}.", result);
            Site.Assert.IsNotNull(securityDescriptor, "The returned securityDescriptor should not be null.");
            _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);

            Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned.");
            Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned.");
            Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned.");
            Site.Assert.IsNotNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is set, the client requests that the SACL be returned.");
        }
        public void SharePermission_AccessDeny_SidNoInclude()
        {
            _SID   sid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name);
            string shareName;

            if (dynamicallyConfigurableShareExist)
            {
                shareName = dynamicallyConfigurableShareName;
            }
            else
            {
                shareName = "AzShare05";
            }

            BaseTestSite.Assert.IsFalse(
                AccessShare(shareName),
                "User SID ({0}) is not in share Security Descriptor. User should not be able to access the share.",
                DtypUtility.ToSddlString(sid));
        }
        public void SamrLookupDomainInSamServer_PrimaryDomain()
        {
            HRESULT  hResult;
            IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;

            Site.Log.Add(LogEntryKind.TestStep,
                         string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
                                       _samrProtocolAdapter.pdcNetBIOSName,
                                       _samrProtocolAdapter.primaryDomainFqdn,
                                       _samrProtocolAdapter.DomainAdministratorName,
                                       _samrProtocolAdapter.DomainUserPassword));
            _samrProtocolAdapter.SamrBind(
                _samrProtocolAdapter.pdcNetBIOSName,
                _samrProtocolAdapter.primaryDomainFqdn,
                _samrProtocolAdapter.DomainAdministratorName,
                _samrProtocolAdapter.DomainUserPassword,
                false,
                true);
            Site.Log.Add(LogEntryKind.TestStep,
                         string.Format("SamrConnect5, Server:{0}, Desired Access: SAM_SERVER_LOOKUP_DOMAIN.", _samrProtocolAdapter.PDCNetbiosName));
            hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5(
                _samrProtocolAdapter.PDCNetbiosName,
                (uint)SERVER_ACCESS_MASK.SAM_SERVER_LOOKUP_DOMAIN,
                out _serverHandle);
            PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS.");

            Site.Log.Add(LogEntryKind.TestStep,
                         string.Format("SamrLookupDomainInSamServer, Name: {0}.", _samrProtocolAdapter.primaryDomainNetBIOSName));
            _RPC_SID?domainID;

            hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrLookupDomainInSamServer(
                _serverHandle,
                DtypUtility.ToRpcUnicodeString(_samrProtocolAdapter.primaryDomainNetBIOSName),
                out domainID);
            PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrLookupDomainInSamServer must return STATUS_SUCCESS.");
            PtfAssert.IsNotNull(domainID, "DomainId is not null.");
            string domainSid = DtypUtility.ToSddlString(domainID.Value);

            PtfAssert.AreEqual(
                _samrProtocolAdapter.PrimaryDomainSID,
                domainSid,
                "The objectSid of the primary domain must be returnd.");
        }
Пример #5
0
        public void SharePermission_AccessDeny_UserSid()
        {
            _SID   sid = sutCommonControlAdapterAccessor.GetUserSid(azUser01Name);
            string shareName;

            if (dynamicallyConfigurableShareExist)
            {
                object ace = DtypUtility.CreateAccessDeniedAce(sid, DtypUtility.ACCESS_MASK_STANDARD_RIGHTS_ALL | DtypUtility.ACCESS_MASK_SPECIFIC_RIGHTS_ALL, ACE_FLAGS.None);
                SetSecurityDescriptorOnDynamicallyConfigurableShare(ace);
                shareName = dynamicallyConfigurableShareName;
            }
            else
            {
                shareName = "AzShare03";
            }

            bool result = AccessShare(shareName);

            BaseTestSite.Assert.IsFalse(result, "ACCESS_DENIED_ACE with user SID ({0}) exists in folder Security Descriptor. User should not be able to access the share.", DtypUtility.ToSddlString(sid));
        }
        public void SamrQuerySecurityObjectForAlias_OWNER_SECURITY_INFORMATION()
        {
            aliasTestPrerequisite();
            createAlias();

            Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject with OWNER_SECURITY_INFORMATION");
            _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;

            HRESULT result = _samrProtocolAdapter.SamrQuerySecurityObject(_aliasHandle, SecurityInformation.OWNER_SECURITY_INFORMATION, out securityDescriptor);

            Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrQuerySecurityObject returns:{0}.", result);
            Site.Assert.IsNotNull(securityDescriptor, "The returned securityDescriptor should not be null.");
            _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);

            Site.Assert.IsNotNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is set, the client requests that the Owner member be returned.");
            Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned.");
            Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned.");
            Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned.");
            Site.Assert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)sd.OwnerSid), "3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544).");
        }
        public void SamrQuerySecurityObject_User_GROUP_SECURITY_INFORMATION_NonDC()
        {
            ConnectAndOpenUser_NonDC(_samrProtocolAdapter.domainMemberFqdn, _samrProtocolAdapter.domainMemberFqdn,
                                     _samrProtocolAdapter.DMAdminName, out _userHandle, (uint)Common_ACCESS_MASK.READ_CONTROL);

            Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject with GROUP_SECURITY_INFORMATION");
            _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;

            HRESULT result = _samrProtocolAdapter.SamrQuerySecurityObject(_userHandle, SecurityInformation.GROUP_SECURITY_INFORMATION, out securityDescriptor);

            Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrQuerySecurityObject returns:{0}.", result);
            Site.Assert.IsNotNull(securityDescriptor, "The returned securityDescriptor should not be null.");
            _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);

            Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned.");
            Site.Assert.IsNotNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is set, the client requests that the Group member be returned.");
            Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned.");
            Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned.");
            Site.Assert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)sd.GroupSid), "3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544).");
        }
        public void BVT_SharePermission_AccessAllow_UserSid()
        {
            _SID   sid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name);
            string shareName;

            if (dynamicallyConfigurableShareExist)
            {
                object ace = DtypUtility.CreateAccessAllowedAce(sid, DtypUtility.ACCESS_MASK_STANDARD_RIGHTS_ALL | DtypUtility.ACCESS_MASK_SPECIFIC_RIGHTS_ALL, ACE_FLAGS.None);
                SetSecurityDescriptorOnDynamicallyConfigurableShare(ace);
                shareName = dynamicallyConfigurableShareName;
            }
            else
            {
                shareName = "AzShare01";
            }

            bool result = AccessShare(shareName);

            BaseTestSite.Assert.IsTrue(result, "ACCESS_ALLOWED_ACE with user SID ({0}) exists in folder Security Descriptor. User should be able to access the share.", DtypUtility.ToSddlString(sid));
        }
Пример #9
0
        public void SamrQuerySecurityObject_Group_DACL_SECURITY_INFORMATION_DomainAdminGroup()
        {
            ConnectAndOpenGroup(_samrProtocolAdapter.pdcFqdn, _samrProtocolAdapter.PrimaryDomainDnsName,
                                _samrProtocolAdapter.DomainAdminGroup, out _groupHandle, (uint)Common_ACCESS_MASK.READ_CONTROL);

            Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject with DACL_SECURITY_INFORMATION.");
            _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;

            HRESULT result = _samrProtocolAdapter.SamrQuerySecurityObject(_groupHandle, SecurityInformation.DACL_SECURITY_INFORMATION, out securityDescriptor);

            Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrQuerySecurityObject returns:{0}.", result);
            Site.Assert.IsNotNull(securityDescriptor, "The returned securityDescriptor should not be null.");
            _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);

            Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned.");
            Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned.");
            Site.Assert.IsNotNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is set, the client requests that the DACL be returned.");
            Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned.");
            bool isAdminSidMatched = false;
            bool isWorldSidMatched = false;

            foreach (var ace in sd.Dacl.Value.Aces)
            {
                if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(AdministratorSid, StringComparison.InvariantCultureIgnoreCase))
                {
                    if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)Group_ACCESS_MASK.GROUP_ALL_ACCESS)
                    {
                        isAdminSidMatched = true;
                    }
                }
                if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(WorldSid, StringComparison.InvariantCultureIgnoreCase))
                {
                    if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)(Group_ACCESS_MASK.GROUP_EXECUTE | Group_ACCESS_MASK.GROUP_READ))
                    {
                        isWorldSidMatched = true;
                    }
                }
            }
            Site.Assert.IsTrue(isAdminSidMatched, "3.1.5.12.2.1 if ObjectHandle.Object refers to a group or alias object that is the Domain Admins group or Administrators alias, or a member of Domain Admins or Administrators, the DACL MUST contain AdministratorSid:GROUP_ALL_ACCESS.");
            Site.Assert.IsTrue(isWorldSidMatched, "3.1.5.12.2.1 if ObjectHandle.Object refers to a group or alias object that is the Domain Admins group or Administrators alias, or a member of Domain Admins or Administrators, the DACL MUST contain WorldSid:GROUP_EXECUTE|GROUP_READ.");
        }
        public void SharePermission_AccessDeny_UserSidWithoutReadPermission()
        {
            _SID   sid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name);
            string shareName;

            if (dynamicallyConfigurableShareExist)
            {
                object ace = DtypUtility.CreateAccessDeniedAce(sid, 0, ACE_FLAGS.None);
                SetSecurityDescriptorOnDynamicallyConfigurableShare(ace);
                shareName = dynamicallyConfigurableShareName;
            }
            else
            {
                shareName = "AzShare06";
            }

            BaseTestSite.Assert.IsFalse(
                AccessShare(shareName),
                "ACCESS_ALLOWED_ACE with user SID ({0}) without READ permission in folder Security Descriptor. User should not be able to access the share.",
                DtypUtility.ToSddlString(sid));
        }
Пример #11
0
        public void SamrQuerySecurityObject_INVALID_SECURITY_INFORMATION_Domain_NonDC()
        {
            HRESULT hResult;

            ConnectAndOpenDomain_NonDC(_samrProtocolAdapter.domainMemberFqdn, _samrProtocolAdapter.domainMemberFqdn,
                                       out _serverHandle, out _domainHandle, (uint)Common_ACCESS_MASK.READ_CONTROL);

            Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject, SecurityInformation: INVALID_SECURITY_INFORMATION.");
            _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;

            hResult = _samrProtocolAdapter.SamrQuerySecurityObject(_domainHandle, SecurityInformation.INVALID_SECURITY_INFORMATION, out securityDescriptor);

            Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "If there is not any valid bit in the SECURITY_INFORMATION, all other bits MUST be zero when sent and ignored on receipt.");

            _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);

            Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned.");
            Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned.");
            Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned.");
            Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned.");
        }
Пример #12
0
        public void SharePermission_AccessAllow_GroupSid()
        {
            _SID   sid = sutCommonControlAdapterAccessor.GetGroupSid(azGroup01Name);
            string shareName;

            if (dynamicallyConfigurableShareExist)
            {
                object ace = DtypUtility.CreateAccessAllowedAce(sid, DtypUtility.ACCESS_MASK_STANDARD_RIGHTS_ALL | DtypUtility.ACCESS_MASK_SPECIFIC_RIGHTS_ALL, ACE_FLAGS.None);
                SetSecurityDescriptorOnDynamicallyConfigurableShare(ace);
                shareName = dynamicallyConfigurableShareName;
            }
            else
            {
                shareName = "AzShare02";
            }

            BaseTestSite.Assert.IsTrue(
                AccessShare(shareName),
                "ACCESS_ALLOWED_ACE with user's group SID ({0}) exists in share Security Descriptor. User should be able to access the share.",
                DtypUtility.ToSddlString(sid));
        }
        public void SharePermission_AccessDeny_GroupSid()
        {
            _SID   sid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azGroup01Name);
            string shareName;

            if (dynamicallyConfigurableShareExist)
            {
                object ace = DtypUtility.CreateAccessDeniedAce(sid, DtypUtility.ACCESS_MASK_STANDARD_RIGHTS_ALL | DtypUtility.ACCESS_MASK_SPECIFIC_RIGHTS_ALL, ACE_FLAGS.None);
                SetSecurityDescriptorOnDynamicallyConfigurableShare(ace);
                shareName = dynamicallyConfigurableShareName;
            }
            else
            {
                shareName = "AzShare04";
            }

            BaseTestSite.Assert.IsFalse(
                AccessShare(shareName),
                "ACCESS_DENIED_ACE with user's group SID ({0}) exists in file Security Descriptor. User should be not able to access the share.",
                DtypUtility.ToSddlString(sid));
        }
        public void SamrGetDomainPasswordInformation_SUCCESS()
        {
            IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;

            Site.Log.Add(LogEntryKind.TestStep, "Initialize: Create Samr Bind to the server.");
            _samrProtocolAdapter.SamrBind(
                GetPdcDnsName(),
                _samrProtocolAdapter.primaryDomainFqdn,
                _samrProtocolAdapter.DomainAdministratorName,
                _samrProtocolAdapter.DomainUserPassword,
                false,
                true);

            _USER_DOMAIN_PASSWORD_INFORMATION passwordInformation;

            BaseTestSite.Log.Add(LogEntryKind.TestStep,
                                 string.Format("Invoke SamrGetUserDomainPasswordInformation."));
            HRESULT hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrGetDomainPasswordInformation(
                SAMRProtocolAdapter.RpcAdapter.Handle,
                DtypUtility.ToRpcUnicodeString(""),
                out passwordInformation);

            PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrGetUserDomainPasswordInformation returns success.");

            var attributes = Microsoft.Protocols.TestSuites.ActiveDirectory.Common.Utilities.GetAttributesFromEntry(
                _samrProtocolAdapter.primaryDomainDN,
                new string[] { "minPwdLength", "pwdProperties" },
                GetPdcDnsName(),
                _samrProtocolAdapter.ADDSPortNum);

            PtfAssert.AreEqual(
                (int)attributes["minPwdLength"],
                passwordInformation.MinPasswordLength,
                "[MS-SAMR] 3.1.5.13.3 The output parameter PasswordInformation.MinPasswordLength MUST be set to the minPwdLength attribute value on the account domain object.");

            PtfAssert.AreEqual(
                (uint)(int)attributes["pwdProperties"],
                passwordInformation.PasswordProperties,
                "[MS-SAMR] 3.1.5.13.3 The output parameter PasswordInformation.PasswordProperties MUST be set to the pwdProperties attribute value on the account domain object.");
        }
        public void SamrQuerySecurityObject_INVALID_SECURITY_INFORMATION_Domain()
        {
            HRESULT hResult;

            ConnectAndOpenDomain(_samrProtocolAdapter.PDCNetbiosName, _samrProtocolAdapter.PrimaryDomainDnsName,
                                 out _serverHandle, out _domainHandle);

            Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject, SecurityInformation: INVALID_SECURITY_INFORMATION.");
            _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;

            hResult = _samrProtocolAdapter.SamrQuerySecurityObject(_domainHandle, SecurityInformation.INVALID_SECURITY_INFORMATION, out securityDescriptor);

            // TDI?
            Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "The following bits are valid; all other bits MUST be zero when sent and ignored on receipt.");

            _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);

            Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned.");
            Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned.");
            Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned.");
            Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned.");
        }
        public void SamrQuerySecurityObject_SACL_SECURITY_INFORMATION_Domain()
        {
            HRESULT hResult;

            ConnectAndOpenDomain(_samrProtocolAdapter.PDCNetbiosName, _samrProtocolAdapter.PrimaryDomainDnsName,
                                 out _serverHandle, out _domainHandle, (uint)Common_ACCESS_MASK.ACCESS_SYSTEM_SECURITY);

            Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject, SecurityInformation: SACL_SECURITY_INFORMATION.");
            _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;

            hResult = _samrProtocolAdapter.SamrQuerySecurityObject(_domainHandle, SecurityInformation.SACL_SECURITY_INFORMATION, out securityDescriptor);

            Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS.");
            Site.Assert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null.");

            _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);

            Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned.");
            Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned.");
            Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned.");
            Site.Assert.IsNotNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is set, the client requests that the SACL be returned.");
        }
        public string GetGroupMembers(string groupName)
        {
            List <LdapEntry>   ldapGroupMembers = DtypUtility.GetGroupMembers(domainName, groupName, adminName, adminPassword);
            List <GroupMember> groupMembers     = new List <GroupMember>();

            foreach (LdapEntry groupEntry in ldapGroupMembers)
            {
                string      groupMemberName            = groupEntry.GetAttribute("name").StringValue;
                byte[]      groupMemberSidBinary       = groupEntry.GetAttribute("objectSid").ByteValue;
                string      groupMemberObjectClass     = groupEntry.GetAttribute("objectClass").StringValue;
                string      groupMemberPrincipalSource = "ActiveDirectory";
                _SID        groupMemberSid             = TypeMarshal.ToStruct <_SID>(groupMemberSidBinary);
                GroupMember groupMember = new GroupMember();
                groupMember.Name            = groupMemberName;
                groupMember.Sid             = groupMemberSid;
                groupMember.ObjectClass     = groupMemberObjectClass;
                groupMember.PrincipalSource = groupMemberPrincipalSource;
                groupMembers.Add(groupMember);
            }

            return(JsonSerializer.Serialize(groupMembers, serializerOptions));
        }
        /// <summary>
        /// Create the ace from thr binary input
        /// </summary>
        /// <param name="binary">The input binary</param>
        /// <param name="offset">The offset of the binary</param>
        public static _AceHeader CreateAceFromBinary(byte[] binary, int offset)
        {
            if (binary == null)
            {
                throw new ArgumentNullException(nameof(binary));
            }

            if (offset < 0 || offset > binary.Length - 1)
            {
                throw new ArgumentOutOfRangeException(nameof(offset));
            }

            ACE_TYPE type = (ACE_TYPE)binary[offset];

            if (DtypUtility.IsObjectAce(type))
            {
                return(new _ObjectAce(binary, offset));
            }
            else
            {
                return(new _NonObjectAce(binary, offset));
            }
        }
Пример #19
0
        protected void SetCap(string sharePath, _SID?capId)
        {
            _ACL sacl;

            if (capId != null)
            {
                _SYSTEM_SCOPED_POLICY_ID_ACE ace = DtypUtility.CreateSystemScopedPolicyIdAce(capId.Value);
                sacl = DtypUtility.CreateAcl(false, ace);
            }
            else
            {
                sacl = DtypUtility.CreateAcl(false);
            }

            _SECURITY_DESCRIPTOR sd = DtypUtility.CreateSecurityDescriptor(
                SECURITY_DESCRIPTOR_Control.SACLAutoInherited | SECURITY_DESCRIPTOR_Control.SACLInheritanceRequired |
                SECURITY_DESCRIPTOR_Control.SACLPresent | SECURITY_DESCRIPTOR_Control.SelfRelative,
                null,
                null,
                sacl,
                null);

            SetSecurityDescriptor(sharePath, null, sd, SET_INFO_Request_AdditionalInformation_Values.SCOPE_SECURITY_INFORMATION);
        }
        /// <summary>
        /// The constructor
        /// </summary>
        /// <param name="binary">The input binary</param>
        /// <param name="offset">The offset in the binary</param>
        public _ObjectAce(byte[] binary, int offset) : base(binary, offset)
        {
            int length = BitConverter.ToUInt16(binary, offset + 2);

            if (offset > binary.Length - length)
            {
                throw new ArgumentException(nameof(offset));
            }

            _AccessMask = BitConverter.ToInt32(binary, offset + DtypUtility.ACE_HEADER_LENGTH);
            ObjectFlags = (_ObjectAceFlags)BitConverter.ToInt32(binary, offset + DtypUtility.SHORT_FIXED_ACE_LENGTH);

            int pointer = DtypUtility.ACE_HEADER_LENGTH + DtypUtility.SHORT_FIXED_ACE_LENGTH;

            if (ObjectFlags.HasFlag(_ObjectAceFlags.ObjectAceTypePresent))
            {
                ObjectType = DtypUtility.ReadGuid(binary, offset + pointer);
                pointer   += 16;
            }
            if (ObjectFlags.HasFlag(_ObjectAceFlags.InheritedObjectAceTypePresent))
            {
                InheritedObjectType = DtypUtility.ReadGuid(binary, offset + pointer);
                pointer            += 16;
            }

            _SecurityIdentifier = new _SID(binary, offset + pointer);
            pointer            += _SecurityIdentifier.Size;

            int appDataLength = length - pointer;

            if (appDataLength > 0)
            {
                this.applicationData = new byte[appDataLength];
                Array.Copy(binary, offset + pointer, this.applicationData, 0, appDataLength);
            }
        }
        public void SamrQuerySecurityObject_Group_DACL_SECURITY_INFORMATION_Domain()
        {
            HRESULT hResult;

            ConnectAndOpenDomain(_samrProtocolAdapter.PDCNetbiosName, _samrProtocolAdapter.PrimaryDomainDnsName,
                                 out _serverHandle, out _domainHandle, (uint)Common_ACCESS_MASK.READ_CONTROL);

            Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject, SecurityInformation: GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION.");
            _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;

            hResult = _samrProtocolAdapter.SamrQuerySecurityObject(_domainHandle, SecurityInformation.GROUP_SECURITY_INFORMATION | SecurityInformation.DACL_SECURITY_INFORMATION, out securityDescriptor);

            Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS.");
            Site.Assert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null.");

            _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);

            Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned.");
            Site.Assert.IsNotNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is set, the client requests that the Group member be returned.");
            Site.Assert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)sd.GroupSid), "3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544).");
            Site.Assert.IsNotNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is set, the client requests that the DACL be returned.");
            Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned.");
            bool isAdminSidMatched           = false;
            bool isWorldSidMatched           = false;
            bool isAccountOperatorSidMatched = false;

            foreach (var ace in sd.Dacl.Value.Aces)
            {
                if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(AdministratorSid, StringComparison.InvariantCultureIgnoreCase))
                {
                    if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)(DOMAIN_ACCESS_MASK.DOMAIN_ALL_ACCESS))
                    {
                        isAdminSidMatched = true;
                    }
                    else
                    {
                        Site.Log.Add(LogEntryKind.Debug, "The AdministratorSid's Access Mask is {0}.", ((_ACCESS_ALLOWED_ACE)ace).Mask);
                    }
                }
                if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(WorldSid, StringComparison.InvariantCultureIgnoreCase))
                {
                    if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)(DOMAIN_ACCESS_MASK.DOMAIN_ALL_EXECUTE | DOMAIN_ACCESS_MASK.DOMAIN_READ))
                    {
                        isWorldSidMatched = true;
                    }
                    else
                    {
                        Site.Log.Add(LogEntryKind.Debug, "The WorldSid's Access Mask is {0}.", ((_ACCESS_ALLOWED_ACE)ace).Mask);
                    }
                }
                if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(AccountOperatorsSid, StringComparison.InvariantCultureIgnoreCase))
                {
                    if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)(DOMAIN_ACCESS_MASK.DOMAIN_ALL_EXECUTE
                                                                  | DOMAIN_ACCESS_MASK.DOMAIN_READ
                                                                  | DOMAIN_ACCESS_MASK.DOMAIN_CREATE_USER
                                                                  | DOMAIN_ACCESS_MASK.DOMAIN_CREATE_GROUP
                                                                  | DOMAIN_ACCESS_MASK.DOMAIN_CREATE_ALIAS))
                    {
                        isAccountOperatorSidMatched = true;
                    }
                    else
                    {
                        Site.Log.Add(LogEntryKind.Debug, "The AccountOperatorSid's Access Mask is {0}.", ((_ACCESS_ALLOWED_ACE)ace).Mask);
                    }
                }
            }
            Site.Assert.IsTrue(isWorldSidMatched, "3.1.5.12.2.1 If ObjectHandle.Object refers to a domain object, the DACL MUST contain WorldSid:DOMAIN_EXECUTE | DOMAIN_READ.");
            Site.Assert.IsTrue(isAdminSidMatched, "3.1.5.12.2.1 If ObjectHandle.Object refers to a domain object, the DACL MUST contain AdministratorSid:DOMAIN_ALL_ACCESS.");
            Site.Assert.IsTrue(isAccountOperatorSidMatched,
                               "3.1.5.12.2.1 If ObjectHandle.Object refers to a domain object, the DACL MUST contain AccountOperatorSid:DOMAIN_EXECUTE | DOMAIN_READ | DOMAIN_CREATE_USER | DOMAIN_CREATE_GROUP | DOMAIN_CREATE_ALIAS.");
        }
        /// <summary>
        /// Create the binary from the buffer
        /// </summary>
        /// <param name="binary">The input binary</param>
        /// <param name="offset">The offset in the binary</param>
        public void GetBinaryForm(byte[] binary, int offset)
        {
            if (binary == null)
            {
                throw new ArgumentNullException(nameof(binary));
            }

            int binaryLength = Size;

            if (offset < 0 || offset > binary.Length - binaryLength)
            {
                throw new ArgumentOutOfRangeException(nameof(offset));
            }

            SECURITY_DESCRIPTOR_Control controlFlags = this.controlFlags;

            binary[offset]     = 1; //revision
            binary[offset + 1] = 0; //Sbz1
            DtypUtility.WriteUInt16ToByteArray((ushort)controlFlags, binary, offset + 2);

            int pointer = DtypUtility.SECURITY_DESCRIPTOR_FIXED_LENGTH;

            if (Owner != null)
            {
                DtypUtility.WriteInt32ToByteArray(pointer, binary, offset + 4);
                Owner.Value.GetBinaryForm(binary, offset + pointer);
                pointer += Owner.Value.Size;
            }
            else
            {
                DtypUtility.WriteInt32ToByteArray(0, binary, offset + 4);
            }

            if (Group != null)
            {
                DtypUtility.WriteInt32ToByteArray(pointer, binary, offset + 8);
                Group.Value.GetBinaryForm(binary, offset + pointer);
                pointer += Group.Value.Size;
            }
            else
            {
                DtypUtility.WriteInt32ToByteArray(0, binary, offset + 8);
            }

            _RawAcl sacl = this.SACL;

            if (this.controlFlags.HasFlag(SECURITY_DESCRIPTOR_Control.SACLPresent))
            {
                DtypUtility.WriteInt32ToByteArray(pointer, binary, offset + 12);
                sacl.GetBinaryForm(binary, offset + pointer);
                pointer += this.SACL.Size;
            }
            else
            {
                DtypUtility.WriteInt32ToByteArray(0, binary, offset + 12);
            }

            _RawAcl dacl = this.DACL;

            if (this.controlFlags.HasFlag(SECURITY_DESCRIPTOR_Control.DACLPresent))
            {
                DtypUtility.WriteInt32ToByteArray(pointer, binary, offset + 16);
                dacl.GetBinaryForm(binary, offset + pointer);
                pointer += this.DACL.Size;
            }
            else
            {
                DtypUtility.WriteInt32ToByteArray(0, binary, offset + 16);
            }
        }
        public void SharePermission_CreateClose_DeleteFile_MaximalAccessNotIncludeDeleteOrGenericAll()
        {
            _SID sid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name);

            if (!dynamicallyConfigurableShareExist)
            {
                BaseTestSite.Assert.Inconclusive("Required share: {0} does not exist!", dynamicallyConfigurableShareName);
            }
            object ace = DtypUtility.CreateAccessAllowedAce(sid, (DtypUtility.ACCESS_MASK_STANDARD_RIGHTS_ALL | DtypUtility.ACCESS_MASK_SPECIFIC_RIGHTS_ALL) & ~DtypUtility.ACCESS_MASK_DELETE, ACE_FLAGS.None);

            SetSecurityDescriptorOnDynamicallyConfigurableShare(ace);
            string shareName    = dynamicallyConfigurableShareName;
            string shareUncPath = Smb2Utility.GetUncPath(TestConfig.SutComputerName, shareName);

            Smb2FunctionalClient client = new Smb2FunctionalClient(TestConfig.Timeout, TestConfig, BaseTestSite);

            client.ConnectToServer(TestConfig.UnderlyingTransport, TestConfig.SutComputerName, TestConfig.SutIPAddress);
            AccountCredential user = new AccountCredential(TestConfig.DomainName, azUser01Name, TestConfig.UserPassword);

            try
            {
                BaseTestSite.Log.Add(LogEntryKind.Debug, "Client sends NEGOTIATE message.");
                client.Negotiate(TestConfig.RequestDialects, TestConfig.IsSMB1NegotiateEnabled);
                BaseTestSite.Log.Add(LogEntryKind.Debug, "Client sends SESSION_SETUP message using account: {0}@{1}.", user.AccountName, user.DomainName);
                client.SessionSetup(TestConfig.DefaultSecurityPackage, TestConfig.SutComputerName, user, false);

                uint treeId;
                BaseTestSite.Log.Add(LogEntryKind.Debug, "Client sends TREE_CONNECT message to access share: {0}.", shareUncPath);
                client.TreeConnect(shareUncPath, out treeId, checker: (header, response) =>
                {
                    BaseTestSite.Assert.IsTrue((response.MaximalAccess.ACCESS_MASK & (DtypUtility.ACCESS_MASK_DELETE | DtypUtility.ACCESS_MASK_GENERIC_ALL)) == 0,
                                               "Treeconnect.MaximalAccess does not include DELETE or GENERIC_ALL.");
                });

                string fileName = GetTestFileName(shareUncPath);
                FILEID fileId;
                Smb2CreateContextResponse[] createContexResponse;
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create the file: {0}", fileName);
                BaseTestSite.Log.Add(LogEntryKind.Debug, "Client sends CREATE request.");
                uint status = client.Create(
                    treeId,
                    fileName,
                    CreateOptions_Values.FILE_NON_DIRECTORY_FILE,
                    out fileId,
                    out createContexResponse,
                    accessMask: AccessMask.FILE_READ_DATA | AccessMask.FILE_WRITE_DATA | AccessMask.FILE_APPEND_DATA |
                    AccessMask.FILE_READ_ATTRIBUTES | AccessMask.FILE_READ_EA | AccessMask.FILE_WRITE_ATTRIBUTES |
                    AccessMask.FILE_WRITE_EA | AccessMask.READ_CONTROL | AccessMask.WRITE_DAC | AccessMask.SYNCHRONIZE, // Windows client behavior
                    shareAccess: ShareAccess_Values.NONE,
                    createDisposition: CreateDisposition_Values.FILE_CREATE);
                client.Close(treeId, fileId);

                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Delete the file: {0}", fileName);
                BaseTestSite.Log.Add(LogEntryKind.Debug, "Client sends CREATE request with FILE_DELETE_ON_CLOSE flag set in CreateOptions .");
                status = client.Create(
                    treeId,
                    fileName,
                    CreateOptions_Values.FILE_NON_DIRECTORY_FILE | CreateOptions_Values.FILE_DELETE_ON_CLOSE,
                    out fileId,
                    out createContexResponse,
                    accessMask: AccessMask.DELETE | AccessMask.FILE_READ_ATTRIBUTES | AccessMask.SYNCHRONIZE, // Windows client behavior
                    shareAccess: ShareAccess_Values.FILE_SHARE_DELETE,
                    createDisposition: CreateDisposition_Values.FILE_OPEN,
                    checker: (header, response) =>
                {
                    if (TestConfig.Platform == Platform.NonWindows)
                    {
                        BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, header.Status,
                                                        "If the FILE_DELETE_ON_CLOSE flag is set in CreateOptions and " +
                                                        "Treeconnect.MaximalAccess does not include DELETE or GENERIC_ALL, " +
                                                        "the server SHOULD fail the request with STATUS_ACCESS_DENIED");
                    }
                    else
                    {
                        BaseTestSite.Assert.AreEqual(Smb2Status.STATUS_ACCESS_DENIED, header.Status,
                                                     "If the FILE_DELETE_ON_CLOSE flag is set in CreateOptions and " +
                                                     "Treeconnect.MaximalAccess does not include DELETE or GENERIC_ALL, " +
                                                     "the server SHOULD fail the request with STATUS_ACCESS_DENIED");
                    }
                });

                client.TreeDisconnect(treeId);
                client.LogOff();
            }
            catch (Exception e)
            {
                BaseTestSite.Assert.Fail("Case failed due to: {0}", e.Message);
            }
            finally
            {
                client.Disconnect();
            }
        }
Пример #24
0
        protected override void TestInitialize()
        {
            base.TestInitialize();
            if (FilePermissionTestShareUncPath == null)
            {
                FilePermissionTestShareUncPath = Smb2Utility.GetUncPath(testConfig.SutComputerName, TestConfig.FilePermissionTestShare);
                FilePermissionTestShareExist   = ShareExists(TestConfig.AccountCredential, FilePermissionTestShareUncPath);
            }
            if (!FilePermissionTestShareExist)
            {
                BaseTestSite.Assert.Inconclusive("Required share does not exist: {0}", FilePermissionTestShareUncPath);
            }

            tempFileName = GetTestFileName(FilePermissionTestShareUncPath);
            CreateNewFile(FilePermissionTestShareUncPath, tempFileName);
            baseSD = QuerySecurityDescriptor(FilePermissionTestShareUncPath, tempFileName,
                                             AdditionalInformation_Values.DACL_SECURITY_INFORMATION |
                                             AdditionalInformation_Values.GROUP_SECURITY_INFORMATION |
                                             AdditionalInformation_Values.OWNER_SECURITY_INFORMATION);
            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Original Security Descriptor of the file ({0}): {1}",
                                 Smb2Utility.GetUncPath(TestConfig.SutComputerName, TestConfig.FilePermissionTestShare, tempFileName), DtypUtility.ToSddlString(baseSD));
            client = new Smb2FunctionalClient(TestConfig.Timeout, TestConfig, BaseTestSite);
            client.ConnectToServer(TestConfig.UnderlyingTransport, TestConfig.SutComputerName, TestConfig.SutIPAddress);
        }
Пример #25
0
        private void SetSecurityDescriptorOnFile(object ace)
        {
            _ACL oriAcl = baseSD.Dacl.Value;

            DtypUtility.AddAceToAcl(ref oriAcl, true, ace);
            baseSD.Dacl = oriAcl;
            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Set Security Descriptor on the temp file ({0}): {1}.", FilePermissionTestShareUncPath, DtypUtility.ToSddlString(baseSD));
            SetSecurityDescriptor(FilePermissionTestShareUncPath, tempFileName, baseSD, SET_INFO_Request_AdditionalInformation_Values.DACL_SECURITY_INFORMATION);
        }
 /// <summary>
 /// Construct _SID from SDDL string.
 /// </summary>
 /// <param name="sddl">SDDL string to convert.</param>
 public _SID(string sddl)
 {
     this = DtypUtility.ToSid(sddl);
 }
Пример #27
0
        public _SecurityIdentifier(string sddl)
        {
            _SID sid = DtypUtility.ToSid(sddl);

            this.buffer = TypeMarshal.ToBytes <_SID>(sid);
        }
        public string GetGroupSid(string groupName)
        {
            _SID sid = DtypUtility.GetSidFromGroupName(domainName, groupName, adminName, adminPassword);

            return(sid.GetSddlForm());
        }
Пример #29
0
        public void SamrQuerySecurityObject_Server_DACL_NonDC()
        {
            HRESULT  hResult;
            IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;

            Site.Log.Add(LogEntryKind.TestStep,
                         string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
                                       _samrProtocolAdapter.domainMemberFqdn,
                                       _samrProtocolAdapter.domainMemberNetBIOSName,
                                       _samrProtocolAdapter.DMAdminName,
                                       _samrProtocolAdapter.DMAdminPassword));
            _samrProtocolAdapter.SamrBind(
                _samrProtocolAdapter.domainMemberFqdn,
                _samrProtocolAdapter.domainMemberNetBIOSName,
                _samrProtocolAdapter.DMAdminName,
                _samrProtocolAdapter.DMAdminPassword,
                false,
                false);
            Site.Log.Add(LogEntryKind.TestStep,
                         string.Format("SamrConnect5, Server:{0}, Desired Access: READ_CONTROL.", _samrProtocolAdapter.domainMemberFqdn));
            hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5(
                _samrProtocolAdapter.domainMemberFqdn,
                (uint)COMMON_ACCESS_MASK.READ_CONTROL,
                out _serverHandle);
            PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS.");

            Site.Log.Add(LogEntryKind.TestStep,
                         "SamrQuerySecurityObject, SecurityInformation: DACL_SECURITY_INFORMATION.");
            _SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;

            hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrQuerySecurityObject(
                _serverHandle,
                SamrQuerySecurityObject_SecurityInformation_Values.DACL_SECURITY_INFORMATION,
                out securityDescriptor);
            PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS.");
            PtfAssert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null.");
            _SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);

            PtfAssert.IsNotNull(sd.Dacl,
                                "[MS-SAMR] 3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is set, the client requests that the DACL be returned.");
            PtfAssert.IsNull(sd.OwnerSid,
                             "[MS-SAMR] 3.1.5.12.2 The field(OwnerSid) of the security descriptor is not returned and is set to zero.");
            PtfAssert.IsNull(sd.GroupSid,
                             "[MS-SAMR] 3.1.5.12.2 The field(GroupSid) of the security descriptor is not returned and is set to zero.");
            PtfAssert.IsNull(sd.Sacl,
                             "[MS-SAMR] 3.1.5.12.2 The field(SACL) of the security descriptor is not returned and is set to zero.");

            Site.Log.Add(LogEntryKind.TestStep,
                         "Verifies that the DACL returned from the server contains the following ACEs: WorldSid(SAM_SERVER_EXECUTE | SAM_SERVER_READ), AdministratorSid(SAM_SERVER_ALL_ACCESS");
            bool worldSidFound = false;
            uint worldSidMask  = 0;
            bool adminSidFound = false;
            uint adminSidMask  = 0;

            foreach (var o in sd.Dacl.Value.Aces)
            {
                if (!(o is Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE))
                {
                    continue;
                }
                Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE ace = (Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE)o;
                switch (DtypUtility.ToSddlString(ace.Sid))
                {
                case AdministratorSid:
                    adminSidFound = true;
                    adminSidMask  = ace.Mask;
                    break;

                case WorldSid:
                    worldSidFound = true;
                    worldSidMask  = ace.Mask;
                    break;
                }
            }
            PtfAssert.IsTrue(worldSidFound,
                             "[MS-SAMR] 3.1.5.12.2 If ObjectHandle.Object refers to the server object, the DACL MUST contain the following ACE. WorldSid");
            PtfAssert.AreEqual(SERVER_ACCESS_MASK.SAM_SERVER_EXECUTE | SERVER_ACCESS_MASK.SAM_SERVER_READ, (SERVER_ACCESS_MASK)worldSidMask,
                               "The access mask of WorldSid is SAM_SERVER_EXECUTE|SAM_SERVER_READ.");
            PtfAssert.IsTrue(adminSidFound,
                             "[MS-SAMR] 3.1.5.12.2 If ObjectHandle.Object refers to the server object, the DACL MUST contain the following ACE. AdministratorSid");
            PtfAssert.AreEqual(SERVER_ACCESS_MASK.SAM_SERVER_ALL_ACCESS, (SERVER_ACCESS_MASK)adminSidMask,
                               "The access mask of AdministratorSid is SAM_SERVER_ALL_ACCESS.");
        }
        public string GetUserSid(string userName)
        {
            _SID sid = DtypUtility.GetSidFromAccount(domainName, userName, adminName, adminPassword);

            return(sid.GetSddlForm());
        }