archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/ds/security/base/lsa/server/policy.cxx

530 lines
14 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+-----------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (c) Microsoft Corporation 1992 - 1994
  6. //
  7. // File: policy.cxx
  8. //
  9. // Contents: SpmBuildCairoToken
  10. //
  11. //
  12. // History: 23-May-1994 MikeSw Created
  13. //
  14. //------------------------------------------------------------------------
  16. #include <lsapch.hxx>
  17. extern "C"
  18. {
  19. #include "adtp.h"
  20. }
  23. //+-------------------------------------------------------------------------
  24. //
  25. // Function: LsapCreateToken
  26. //
  27. // Synopsis: Builds a token from the various pieces of information
  28. // generated during a logon.
  29. //
  30. // Effects:
  31. //
  32. // Arguments: pUserSid - sid of user to create token for
  33. // pTokenGroups - groups passed in to LogonUser or from PAC to
  34. // be put in token
  35. // pTokenPrivs - privileges from PAC to put in token
  36. // TokenType - type of token to create
  37. // pTokenSource - source of the token
  38. // pLogonId - Gets logon ID
  39. // phToken - Get handle to token
  40. //
  41. // Requires:
  42. //
  43. // Returns:
  44. //
  45. // Notes: TokenInformation is always freed, even on failure.
  46. //
  47. //
  48. //--------------------------------------------------------------------------
  51. NTSTATUS NTAPI
  52. LsapCreateToken(
  53. IN PLUID LogonId,
  54. IN PTOKEN_SOURCE TokenSource,
  55. IN SECURITY_LOGON_TYPE LogonType,
  56. IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
  57. IN LSA_TOKEN_INFORMATION_TYPE InputTokenInformationType,
  58. IN PVOID InputTokenInformation,
  59. IN PTOKEN_GROUPS LocalGroups,
  60. IN PUNICODE_STRING AccountName,
  61. IN PUNICODE_STRING AuthorityName,
  62. IN PUNICODE_STRING WorkstationName,
  63. IN OPTIONAL PUNICODE_STRING ProfilePath,
  64. OUT PHANDLE Token,
  65. OUT PNTSTATUS SubStatus
  66. )
  67. {
  68. SECPKG_PRIMARY_CRED PrimaryCredential;
  70. ZeroMemory( &PrimaryCredential, sizeof(PrimaryCredential) );
  73. if( AccountName != NULL )
  74. {
  75. PrimaryCredential.DownlevelName = *AccountName;
  76. }
  78. if( AuthorityName != NULL )
  79. {
  80. PrimaryCredential.DomainName = *AuthorityName;
  81. }
  83. return LsapCreateTokenEx(
  84. LogonId,
  85. TokenSource,
  86. LogonType,
  87. ImpersonationLevel,
  88. InputTokenInformationType,
  89. InputTokenInformation,
  90. LocalGroups,
  91. WorkstationName,
  92. ProfilePath,
  93. &PrimaryCredential,
  94. SecSessionPrimaryCred,
  95. Token,
  96. SubStatus
  97. );
  99. }
  101. //+-------------------------------------------------------------------------
  102. //
  103. // Function: LsapCreateTokenEx
  104. //
  105. // Synopsis: Builds a token from the various pieces of information
  106. // generated during a logon.
  107. //
  108. // Effects:
  109. //
  110. // Arguments: pUserSid - sid of user to create token for
  111. // pTokenGroups - groups passed in to LogonUser or from PAC to
  112. // be put in token
  113. // pTokenPrivs - privileges from PAC to put in token
  114. // TokenType - type of token to create
  115. // pTokenSource - source of the token
  116. // pLogonId - Gets logon ID
  117. // phToken - Get handle to token
  118. //
  119. // Requires:
  120. //
  121. // Returns:
  122. //
  123. // Notes: TokenInformation is always freed, even on failure.
  124. //
  125. //
  126. //--------------------------------------------------------------------------
  129. NTSTATUS NTAPI
  130. LsapCreateTokenEx(
  131. IN PLUID LogonId,
  132. IN PTOKEN_SOURCE TokenSource,
  133. IN SECURITY_LOGON_TYPE LogonType,
  134. IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
  135. IN LSA_TOKEN_INFORMATION_TYPE InputTokenInformationType,
  136. IN PVOID InputTokenInformation,
  137. IN PTOKEN_GROUPS LocalGroups,
  138. IN PUNICODE_STRING WorkstationName,
  139. IN PUNICODE_STRING ProfilePath,
  140. IN PVOID SessionInformation,
  141. IN SECPKG_SESSIONINFO_TYPE SessionInformationType,
  142. OUT PHANDLE Token,
  143. OUT PNTSTATUS SubStatus
  144. )
  145. {
  146. NTSTATUS Status;
  147. PPRIVILEGE_SET PrivilegesAssigned = NULL;
  148. PLSA_TOKEN_INFORMATION_V2 TokenInformationV2 = NULL;
  149. PLSA_TOKEN_INFORMATION_NULL TokenInformationNull = NULL;
  150. LSA_TOKEN_INFORMATION_TYPE OriginalTokenType = InputTokenInformationType;
  151. QUOTA_LIMITS QuotaLimits;
  152. PUNICODE_STRING NewAccountName = NULL;
  153. PUNICODE_STRING NewAuthorityName = NULL;
  154. PUNICODE_STRING NewProfilePath = NULL;
  155. UNICODE_STRING LocalAccountName = { 0 };
  156. UNICODE_STRING LocalAuthorityName = { 0 };
  157. UNICODE_STRING LocalProfilePath = { 0 };
  158. PSID NewUserSid = NULL;
  159. LSA_TOKEN_INFORMATION_TYPE TokenInformationType = InputTokenInformationType;
  160. PVOID TokenInformation = InputTokenInformation;
  162. PSECPKG_PRIMARY_CRED PrimaryCredential;
  163. PUNICODE_STRING AccountName;
  164. PUNICODE_STRING AuthorityName;
  167. *Token = NULL;
  168. *SubStatus = STATUS_SUCCESS;
  170. if( SessionInformationType != SecSessionPrimaryCred )
  171. {
  172. return STATUS_INVALID_PARAMETER;
  173. }
  175. PrimaryCredential = (PSECPKG_PRIMARY_CRED)SessionInformation;
  177. AccountName = &PrimaryCredential->DownlevelName;
  178. AuthorityName = &PrimaryCredential->DomainName;
  180. //
  181. // Pass the token information through the Local Security Policy
  182. // Filter/Augmentor. This may cause some or all of the token
  183. // information to be replaced/augmented.
  184. //
  186. Status = LsapAuUserLogonPolicyFilter(
  187. LogonType,
  188. &TokenInformationType,
  189. &TokenInformation,
  190. LocalGroups,
  191. &QuotaLimits,
  192. &PrivilegesAssigned,
  193. FALSE
  194. );
  199. if ( !NT_SUCCESS(Status) ) {
  201. goto Cleanup;
  202. }
  204. //
  205. // Check if we only allow admins to logon. We do allow null session
  206. // connections since they are severly restricted, though. Since the
  207. // token type may have been changed, we use the token type originally
  208. // returned by the package.
  209. //
  211. if (LsapAllowAdminLogonsOnly &&
  212. ((OriginalTokenType == LsaTokenInformationV1) ||
  213. (OriginalTokenType == LsaTokenInformationV2))&&
  214. !LsapSidPresentInGroups(
  215. ((PLSA_TOKEN_INFORMATION_V2) TokenInformation)->Groups,
  216. (SID *)LsapAliasAdminsSid)) {
  218. //
  219. // Set the status to be invalid workstation, since all accounts
  220. // except administrative ones are locked out for this
  221. // workstation.
  222. //
  224. *SubStatus = STATUS_INVALID_WORKSTATION;
  225. Status = STATUS_ACCOUNT_RESTRICTION;
  226. goto Cleanup;
  227. }
  229. //
  230. // Case on the token information returned (and subsequently massaged)
  231. // to create the correct kind of token.
  232. //
  234. switch (TokenInformationType) {
  236. case LsaTokenInformationNull:
  238. TokenInformationNull = (PLSA_TOKEN_INFORMATION_NULL) TokenInformation;
  240. //
  241. // The user hasn't logged on to any particular account.
  242. // An impersonation token with WORLD as owner
  243. // will be created.
  244. //
  247. Status = LsapCreateNullToken(
  248. LogonId,
  249. TokenSource,
  250. TokenInformationNull,
  251. Token
  252. );
  254. if ( !NT_SUCCESS(Status) ) {
  255. goto Cleanup;
  256. }
  259. break;
  264. case LsaTokenInformationV1:
  265. case LsaTokenInformationV2:
  267. TokenInformationV2 = (PLSA_TOKEN_INFORMATION_V2) TokenInformation;
  269. //
  270. // the type of token created depends upon the type of logon
  271. // being requested:
  272. //
  273. // InteractiveLogon => PrimaryToken
  274. // BatchLogon => PrimaryToken
  275. // NetworkLogon => ImpersonationToken
  276. //
  278. if (LogonType != Network) {
  280. //
  281. // Primary token
  282. //
  284. Status = LsapCreateV2Token(
  285. LogonId,
  286. TokenSource,
  287. TokenInformationV2,
  288. TokenPrimary,
  289. ImpersonationLevel,
  290. Token
  291. );
  293. if ( !NT_SUCCESS(Status) ) {
  294. goto Cleanup;
  295. }
  298. } else {
  300. //
  301. // Impersonation token
  302. //
  304. Status = LsapCreateV2Token(
  305. LogonId,
  306. TokenSource,
  307. TokenInformationV2,
  308. TokenImpersonation,
  309. ImpersonationLevel,
  310. Token
  311. );
  313. if ( !NT_SUCCESS(Status) ) {
  314. goto Cleanup;
  315. }
  318. }
  320. //
  321. // Copy out the User Sid
  322. //
  324. Status = LsapDuplicateSid( &NewUserSid, TokenInformationV2->User.User.Sid );
  326. if ( !NT_SUCCESS( Status )) {
  327. goto Cleanup;
  328. }
  330. break;
  332. }
  334. //
  335. // Audit special privilege assignment, if there were any
  336. //
  338. if ( PrivilegesAssigned != NULL ) {
  340. //
  341. // Examine the list of privileges being assigned, and
  342. // audit special privileges as appropriate.
  343. //
  345. LsapAdtAuditSpecialPrivileges( PrivilegesAssigned, *LogonId, NewUserSid );
  347. }
  350. NewAccountName = &LocalAccountName ;
  351. NewAuthorityName = &LocalAuthorityName ;
  354. //
  355. // If the original was a null session, set the user name & domain name
  356. // to be anonymous.
  357. //
  359. if (OriginalTokenType == LsaTokenInformationNull)
  360. {
  361. NewAccountName->Buffer = (LPWSTR) LsapAllocateLsaHeap(WellKnownSids[LsapAnonymousSidIndex].Name.MaximumLength);
  362. if (NewAccountName->Buffer == NULL)
  363. {
  364. Status = STATUS_INSUFFICIENT_RESOURCES;
  365. goto Cleanup;
  366. }
  367. NewAccountName->MaximumLength = WellKnownSids[LsapAnonymousSidIndex].Name.MaximumLength;
  368. RtlCopyUnicodeString(
  369. NewAccountName,
  370. &WellKnownSids[LsapAnonymousSidIndex].Name
  371. );
  373. NewAuthorityName->Buffer = (LPWSTR) LsapAllocateLsaHeap(WellKnownSids[LsapAnonymousSidIndex].DomainName.MaximumLength);
  374. if (NewAuthorityName->Buffer == NULL)
  375. {
  376. Status = STATUS_INSUFFICIENT_RESOURCES;
  377. goto Cleanup;
  378. }
  379. NewAuthorityName->MaximumLength = WellKnownSids[LsapAnonymousSidIndex].DomainName.MaximumLength;
  380. RtlCopyUnicodeString(
  381. NewAuthorityName,
  382. &WellKnownSids[LsapAnonymousSidIndex].DomainName
  383. );
  385. }
  386. else
  387. {
  388. NewAccountName->Buffer = (LPWSTR) LsapAllocateLsaHeap(AccountName->MaximumLength);
  389. if (NewAccountName->Buffer == NULL)
  390. {
  391. Status = STATUS_INSUFFICIENT_RESOURCES;
  392. goto Cleanup;
  393. }
  394. NewAccountName->MaximumLength = AccountName->MaximumLength;
  395. RtlCopyUnicodeString(
  396. NewAccountName,
  397. AccountName
  398. );
  400. NewAuthorityName->Buffer = (LPWSTR) LsapAllocateLsaHeap(AuthorityName->MaximumLength);
  401. if (NewAuthorityName->Buffer == NULL)
  402. {
  403. Status = STATUS_INSUFFICIENT_RESOURCES;
  404. goto Cleanup;
  405. }
  406. NewAuthorityName->MaximumLength = AuthorityName->MaximumLength;
  407. RtlCopyUnicodeString(
  408. NewAuthorityName,
  409. AuthorityName
  410. );
  412. if (ARGUMENT_PRESENT(ProfilePath) ) {
  413. NewProfilePath = &LocalProfilePath ;
  415. NewProfilePath->Buffer = (LPWSTR) LsapAllocateLsaHeap(ProfilePath->MaximumLength);
  416. if (NewProfilePath->Buffer == NULL)
  417. {
  418. Status = STATUS_INSUFFICIENT_RESOURCES;
  419. goto Cleanup;
  420. }
  421. NewProfilePath->MaximumLength = ProfilePath->MaximumLength;
  422. RtlCopyUnicodeString(
  423. NewProfilePath,
  424. ProfilePath
  425. );
  427. }
  428. }
  431. Status = LsapSetLogonSessionAccountInfo(
  432. LogonId,
  433. NewAccountName,
  434. NewAuthorityName,
  435. NewProfilePath,
  436. &NewUserSid,
  437. LogonType,
  438. PrimaryCredential
  439. );
  441. if (!NT_SUCCESS(Status))
  442. {
  443. goto Cleanup;
  444. }
  446. LocalAccountName.Buffer = NULL ;
  447. LocalAuthorityName.Buffer = NULL ;
  448. LocalProfilePath.Buffer = NULL ;
  450. //
  451. // Set the token on the session
  452. //
  454. Status = LsapSetSessionToken( *Token, LogonId );
  456. if ( !NT_SUCCESS(Status) ) {
  457. goto Cleanup;
  458. }
  461. Cleanup:
  463. //
  464. // Clean up on failure
  465. //
  467. if ( !NT_SUCCESS(Status) ) {
  469. //
  470. // If we successfully built the token,
  471. // free it.
  472. //
  474. if ( *Token != NULL ) {
  475. NtClose( *Token );
  476. *Token = NULL;
  477. }
  478. }
  481. //
  482. // Always free the token information because the policy filter
  483. // changes it.
  484. //
  486. switch (TokenInformationType) {
  488. case LsaTokenInformationNull:
  490. LsapFreeTokenInformationNull( (PLSA_TOKEN_INFORMATION_NULL) TokenInformation );
  491. break;
  493. case LsaTokenInformationV1:
  495. LsapFreeTokenInformationV1( (PLSA_TOKEN_INFORMATION_V1) TokenInformation );
  496. break;
  498. case LsaTokenInformationV2:
  500. LsapFreeTokenInformationV2( (PLSA_TOKEN_INFORMATION_V2) TokenInformation );
  501. break;
  503. }
  505. if ( LocalAccountName.Buffer != NULL )
  506. {
  507. LsapFreeLsaHeap( LocalAccountName.Buffer );
  508. }
  510. if ( LocalAuthorityName.Buffer != NULL )
  511. {
  512. LsapFreeLsaHeap( LocalAuthorityName.Buffer );
  513. }
  515. if ( LocalProfilePath.Buffer != NULL )
  516. {
  517. LsapFreeLsaHeap( LocalProfilePath.Buffer );
  518. }
  520. if (NewUserSid != NULL) {
  521. LsapFreeLsaHeap( NewUserSid );
  522. }
  523. if ( PrivilegesAssigned != NULL ) {
  525. MIDL_user_free( PrivilegesAssigned );
  526. }
  527. return(Status);
  528. }