/*++ Copyright (c) 1991 Microsoft Corporation Module Name: nlsecure.c Abstract: This module contains the Netlogon service support routines which create security objects and enforce security _access checking. Author: Cliff Van Dyke (CliffV) 22-Aug-1991 Revision History: --*/ #include #include #include #include #include #define NLSECURE_ALLOCATE // Force globals to be allocated #include "nlsecure.h" NTSTATUS NlCreateNetlogonObjects( VOID ) /*++ Routine Description: This function creates the workstation user-mode objects which are represented by security descriptors. Arguments: None. Return Value: NT status code --*/ { NTSTATUS Status; // // Order matters! These ACEs are inserted into the DACL in the // following order. Security access is granted or denied based on // the order of the ACEs in the DACL. // // // Members of Group SECURITY_LOCAL aren't allowed to do a UAS logon // to force it to be done remotely. // ACE_DATA AceData[] = { {ACCESS_DENIED_ACE_TYPE, 0, 0, NETLOGON_UAS_LOGON_ACCESS | NETLOGON_UAS_LOGOFF_ACCESS, &LocalSid}, {ACCESS_ALLOWED_ACE_TYPE, 0, 0, GENERIC_ALL, &AliasAdminsSid}, {ACCESS_ALLOWED_ACE_TYPE, 0, 0, NETLOGON_CONTROL_ACCESS, &AliasAccountOpsSid}, {ACCESS_ALLOWED_ACE_TYPE, 0, 0, NETLOGON_CONTROL_ACCESS, &AliasSystemOpsSid}, {ACCESS_ALLOWED_ACE_TYPE, 0, 0, NETLOGON_UAS_LOGON_ACCESS | NETLOGON_UAS_LOGOFF_ACCESS | NETLOGON_QUERY_ACCESS, &WorldSid} }; // // Actually create the security descriptor. // Status = NetpCreateSecurityObject( AceData, sizeof(AceData)/sizeof(AceData[0]), LocalSystemSid, LocalSystemSid, &NlGlobalNetlogonInfoMapping, &NlGlobalNetlogonSecurityDescriptor ); return Status; }