/*++
Copyright (c) 1991 Microsoft Corporation
Module Name:
nlsecure.c
Abstract:
This module contains the Netlogon service support routines
which create security objects and enforce security _access checking.
Author:
Cliff Van Dyke (CliffV) 22-Aug-1991
Revision History:
--*/
#include <nt.h>
#include <windef.h>
#include <lmcons.h>
#include <secobj.h>
#include <logonsrv.h>
#define NLSECURE_ALLOCATE // Force globals to be allocated
#include "nlsecure.h"
�
NTSTATUS
NlCreateNetlogonObjects(
VOID
)
/*++
Routine Description:
This function creates the workstation user-mode objects which are
represented by security descriptors.
Arguments:
None.
Return Value:
NT status code
--*/
{
NTSTATUS Status;
//
// Order matters! These ACEs are inserted into the DACL in the
// following order. Security access is granted or denied based on
// the order of the ACEs in the DACL.
//
//
// Members of Group SECURITY_LOCAL aren't allowed to do a UAS logon
// to force it to be done remotely.
//
ACE_DATA AceData[] = {
{ACCESS_DENIED_ACE_TYPE, 0, 0,
NETLOGON_UAS_LOGON_ACCESS |
NETLOGON_UAS_LOGOFF_ACCESS,
&LocalSid},
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
GENERIC_ALL, &AliasAdminsSid},
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
NETLOGON_CONTROL_ACCESS, &AliasAccountOpsSid},
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
NETLOGON_CONTROL_ACCESS, &AliasSystemOpsSid},
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
NETLOGON_UAS_LOGON_ACCESS |
NETLOGON_UAS_LOGOFF_ACCESS |
NETLOGON_QUERY_ACCESS, &WorldSid}
};
//
// Actually create the security descriptor.
//
Status = NetpCreateSecurityObject(
AceData,
sizeof(AceData)/sizeof(AceData[0]),
LocalSystemSid,
LocalSystemSid,
&NlGlobalNetlogonInfoMapping,
&NlGlobalNetlogonSecurityDescriptor );
return Status;
}