|
|
/*++
Copyright (c) 1991-1996 Microsoft Corporation
Module Name:
nlsecure.c
Abstract:
This module contains the Netlogon service support routines which create security objects and enforce security access checking.
Author:
Cliff Van Dyke (CliffV) 22-Aug-1991
Revision History:
--*/
#include "logonsrv.h" // Include files common to entire service
#pragma hdrstop
//
// Include nlsecure.h again allocating the actual variables
// this time around.
//
#define NLSECURE_ALLOCATE
#include "nlsecure.h"
#undef NLSECURE_ALLOCATE
NTSTATUS
NlCreateNetlogonObjects(
    VOID
    )
/*++

Routine Description:

    Builds the security descriptor that protects the Netlogon service's
    user-mode objects.  The DACL is assembled from the ACE table below;
    the result is handed back through NlGlobalNetlogonSecurityDescriptor
    and NlGlobalNetlogonInfoMapping is supplied as the generic mapping
    (presumably the one later used for access checks — verify against
    NetpCreateSecurityObject).

Arguments:

    None.

Return Value:

    The NT status code returned by NetpCreateSecurityObject.

--*/
{
    //
    // The DACL is evaluated front to back, so the position of each ACE
    // below is part of the policy.  In particular the ACCESS_DENIED entry
    // for LocalSid must come before the ACCESS_ALLOWED entry for WorldSid:
    // both name NETLOGON_UAS_LOGON_ACCESS | NETLOGON_UAS_LOGOFF_ACCESS, and
    // the deny must win for local callers so that a UAS logon/logoff is
    // forced to be performed remotely.
    //
    ACE_DATA NetlogonAces[] = {
        // Local callers: no UAS logon/logoff (see ordering note above).
        { ACCESS_DENIED_ACE_TYPE,  0, 0,
          NETLOGON_UAS_LOGON_ACCESS | NETLOGON_UAS_LOGOFF_ACCESS,
          &LocalSid },
        // Administrators: everything.
        { ACCESS_ALLOWED_ACE_TYPE, 0, 0, GENERIC_ALL, &AliasAdminsSid },
        // Account operators and server (system) operators: control only.
        { ACCESS_ALLOWED_ACE_TYPE, 0, 0, NETLOGON_CONTROL_ACCESS, &AliasAccountOpsSid },
        { ACCESS_ALLOWED_ACE_TYPE, 0, 0, NETLOGON_CONTROL_ACCESS, &AliasSystemOpsSid },
        // LocalSystem: control plus the service-only access right.
        { ACCESS_ALLOWED_ACE_TYPE, 0, 0,
          NETLOGON_CONTROL_ACCESS | NETLOGON_SERVICE_ACCESS,
          &LocalSystemSid },
        // LocalService: the service-only access right.
        { ACCESS_ALLOWED_ACE_TYPE, 0, 0, NETLOGON_SERVICE_ACCESS, &LocalServiceSid },
        // Authenticated users: the FTINFO access right.
        { ACCESS_ALLOWED_ACE_TYPE, 0, 0, NETLOGON_FTINFO_ACCESS, &AuthenticatedUserSid },
        // Everyone: UAS logon/logoff and query (local callers were already
        // denied the UAS bits by the first ACE).
        { ACCESS_ALLOWED_ACE_TYPE, 0, 0,
          NETLOGON_UAS_LOGON_ACCESS | NETLOGON_UAS_LOGOFF_ACCESS | NETLOGON_QUERY_ACCESS,
          &WorldSid }
    };

    //
    // Build the descriptor.  AliasAdminsSid is passed twice — apparently
    // for the owner and group SIDs (confirm against NetpCreateSecurityObject).
    //
    return NetpCreateSecurityObject(
               NetlogonAces,
               sizeof(NetlogonAces) / sizeof(NetlogonAces[0]),
               AliasAdminsSid,
               AliasAdminsSid,
               &NlGlobalNetlogonInfoMapping,
               &NlGlobalNetlogonSecurityDescriptor );
}
|