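//+--------------------------------------------------------------------------
//
//  Microsoft Windows
//  Copyright (C) Microsoft Corporation, 1996 - 1999
//
//  File:       certacl.h
//
//  Contents:   Cert Server security defines
//
//  Every default security descriptor in this file is an SDDL string that the
//  preprocessor concatenates from SDDL_* tokens plus the CERTSRV_* helper
//  macros below. Read each WSZ_DEFAULT_* macro as "who gets what": a wrong
//  principal or access mask here becomes the shipped default ACL, so the
//  comment above each template is kept in step with the macro body.
//
//---------------------------------------------------------------------------

#ifndef __CERTACL_H__
#define __CERTACL_H__

// NOTE(review): the include target was lost in extraction; the SDDL_* tokens
// used below are declared in the SDK header <sddl.h> — confirm against the
// original file.
#include <sddl.h>
#include "clibres.h"
#include "certsd.h"

// externs
extern const GUID GUID_APPRV_REQ;
extern const GUID GUID_REVOKE;
extern const GUID GUID_ENROLL;
extern const GUID GUID_AUTOENROLL;
extern const GUID GUID_READ_DB;

//defines
#define MAX_SID_LEN     256

// !!! The SD strings below need to be in sync with certadm.idl definitions
// They are the CA-specific access mask bits written as SDDL hex literals
// (the CA_ACCESS_* enum values used by CERTSRV_SI_ACCESS_LIST further down).
#define WSZ_CA_ACCESS_ADMIN     L"0x00000001"   // CA administrator
#define WSZ_CA_ACCESS_OFFICER   L"0x00000002"   // certificate officer
#define WSZ_CA_ACCESS_AUDITOR   L"0x00000004"   // auditor
#define WSZ_CA_ACCESS_OPERATOR  L"0x00000008"   // backup operator
#define WSZ_CA_ACCESS_MASKROLES L"0x000000ff"
#define WSZ_CA_ACCESS_READ      L"0x00000100"   // read only access to CA
#define WSZ_CA_ACCESS_ENROLL    L"0x00000200"   // enroll access to CA
#define WSZ_CA_ACCESS_MASKALL   L"0x0000ffff"

// Important, keep enroll string GUID in sync with define in acl.cpp
#define WSZ_GUID_ENROLL         L"0e10c968-78fb-11d2-90d4-00c04f79dc55"
#define WSZ_GUID_AUTOENROLL     L"a05b8cc2-17bc-4802-a710-e7c15ab866a2"

// ca access rights define here
// note: need to keep string access and mask in sync!
// Each WSZ_ACTRL_* (SDDL form) has a matching ACTRL_* (numeric form); a
// right added to one must be added to the other.

// WSZ_ACTRL_CERTSRV_MANAGE = L"CCDCLCSWRPWPDTLOCRSDRCWDWO"
#define WSZ_ACTRL_CERTSRV_MANAGE \
    SDDL_CREATE_CHILD \
    SDDL_DELETE_CHILD \
    SDDL_LIST_CHILDREN \
    SDDL_SELF_WRITE \
    SDDL_READ_PROPERTY \
    SDDL_WRITE_PROPERTY \
    SDDL_DELETE_TREE \
    SDDL_LIST_OBJECT \
    SDDL_CONTROL_ACCESS \
    SDDL_STANDARD_DELETE \
    SDDL_READ_CONTROL \
    SDDL_WRITE_DAC \
    SDDL_WRITE_OWNER

#define ACTRL_CERTSRV_MANAGE \
    (ACTRL_DS_READ_PROP | \
     ACTRL_DS_WRITE_PROP | \
     READ_CONTROL | \
     DELETE | \
     WRITE_DAC | \
     WRITE_OWNER | \
     ACTRL_DS_CONTROL_ACCESS | \
     ACTRL_DS_CREATE_CHILD | \
     ACTRL_DS_DELETE_CHILD | \
     ACTRL_DS_LIST | \
     ACTRL_DS_SELF | \
     ACTRL_DS_DELETE_TREE | \
     ACTRL_DS_LIST_OBJECT)

// Same as CERTSRV_MANAGE minus the control-access right (SDDL "CR" /
// ACTRL_DS_CONTROL_ACCESS), which is what the enroll/caadmin/officer
// extended rights are keyed on.
#define WSZ_ACTRL_CERTSRV_MANAGE_LESS_CONTROL_ACCESS \
    SDDL_CREATE_CHILD \
    SDDL_DELETE_CHILD \
    SDDL_LIST_CHILDREN \
    SDDL_SELF_WRITE \
    SDDL_READ_PROPERTY \
    SDDL_WRITE_PROPERTY \
    SDDL_DELETE_TREE \
    SDDL_LIST_OBJECT \
    SDDL_STANDARD_DELETE \
    SDDL_READ_CONTROL \
    SDDL_WRITE_DAC \
    SDDL_WRITE_OWNER

#define ACTRL_CERTSRV_MANAGE_LESS_CONTROL_ACCESS \
    (ACTRL_DS_READ_PROP | \
     ACTRL_DS_WRITE_PROP | \
     READ_CONTROL | \
     DELETE | \
     WRITE_DAC | \
     WRITE_OWNER | \
     ACTRL_DS_CREATE_CHILD | \
     ACTRL_DS_DELETE_CHILD | \
     ACTRL_DS_LIST | \
     ACTRL_DS_SELF | \
     ACTRL_DS_DELETE_TREE | \
     ACTRL_DS_LIST_OBJECT)

// WSZ_ACTRL_CERTSRV_READ = L"RPLCLORC"
#define WSZ_ACTRL_CERTSRV_READ \
    SDDL_READ_PROPERTY \
    SDDL_LIST_CHILDREN \
    SDDL_LIST_OBJECT \
    SDDL_READ_CONTROL

#define ACTRL_CERTSRV_READ \
    (READ_CONTROL | \
     ACTRL_DS_READ_PROP | \
     ACTRL_DS_LIST | \
     ACTRL_DS_LIST_OBJECT)

// WSZ_ACTRL_CERTSRV_ENROLL = L"WPRPCR"
#define WSZ_ACTRL_CERTSRV_ENROLL \
    SDDL_WRITE_PROPERTY \
    SDDL_READ_PROPERTY \
    SDDL_CONTROL_ACCESS

#define ACTRL_CERTSRV_ENROLL \
    (ACTRL_DS_READ_PROP | \
     ACTRL_DS_WRITE_PROP | \
     ACTRL_DS_CONTROL_ACCESS)

// caadmin / officer / caread are all expressed as the control-access right;
// they are distinguished by the object GUID in the ACE, not by the mask.
#define WSZ_ACTRL_CERTSRV_CAADMIN   SDDL_CONTROL_ACCESS
#define WSZ_ACTRL_CERTSRV_OFFICER   SDDL_CONTROL_ACCESS
#define WSZ_ACTRL_CERTSRV_CAREAD    SDDL_CONTROL_ACCESS

#define ACTRL_CERTSRV_CAADMIN       ACTRL_DS_CONTROL_ACCESS
#define ACTRL_CERTSRV_OFFICER       ACTRL_DS_CONTROL_ACCESS
#define ACTRL_CERTSRV_CAREAD        ACTRL_DS_CONTROL_ACCESS

// define all ca string security here in consistant format
//   SDDL_OWNER L":" SDDL_ENTERPRISE_ADMINS \
//   SDDL_GROUP L":" SDDL_ENTERPRISE_ADMINS \
//   SDDL_DACL  L":" SDDL_PROTECTED SDDL_AUTO_INHERITED \
//   L"(" SDDL_ACCESS_ALLOWED or SDDL_OBJECT_ACCESS_ALLOWED L";" \
//        SDDL_OBJECT_INHERIT SDDL_CONTAINER_INHERIT or list L";" \
//        list of AccessRights L";" \
//        StringGUID L";" \
//        L";" \
//        SDDL_EVERYONE or Sid L")"
//   ...list of ace

// Allow ACE, inheritable by child objects and containers (OI/CI).
#define CERTSRV_STD_ACE(access, sid) \
    L"(" SDDL_ACCESS_ALLOWED L";" \
    SDDL_OBJECT_INHERIT SDDL_CONTAINER_INHERIT L";" \
    access L";;;" sid L")"

// Allow ACE that is inherit-only (OI/CI/IO): applies to children, not the
// object itself.
#define CERTSRV_INH_ACE(access, sid) \
    L"(" SDDL_ACCESS_ALLOWED L";" \
    SDDL_OBJECT_INHERIT SDDL_CONTAINER_INHERIT SDDL_INHERIT_ONLY L";" \
    access L";;;" sid L")"

// Object-specific allow ACE keyed on an extended-right GUID (OI/CI).
#define CERTSRV_OBJ_ACE(access, guid, sid) \
    L"(" SDDL_OBJECT_ACCESS_ALLOWED L";" \
    SDDL_OBJECT_INHERIT SDDL_CONTAINER_INHERIT L";" \
    access L";" \
    guid L";;" sid L")"

// Object-specific deny ACE keyed on an extended-right GUID (OI/CI).
// Note: SDDL evaluation order is the ACE order in the string — put deny
// ACEs before the allow ACEs they are meant to override.
#define CERTSRV_OBJ_ACE_DENY(access, guid, sid) \
    L"(" SDDL_OBJECT_ACCESS_DENIED L";" \
    SDDL_OBJECT_INHERIT SDDL_CONTAINER_INHERIT L";" \
    access L";" \
    guid L";;" sid L")"

// Owner + group, followed by the DACL header (auto-inherited) — despite the
// name this macro opens the DACL as well, so ACEs follow it directly.
#define CERTSRV_STD_OG(owner, group) \
    SDDL_OWNER L":" owner SDDL_GROUP L":" group \
    SDDL_DACL L":" SDDL_AUTO_INHERITED

// DACL header only (inheritable from parent).
#define CERTSRV_DACL \
    SDDL_DACL L":" SDDL_AUTO_INHERITED

// DACL header that blocks inheritance from the parent ("P"): used where a
// parent container's ACEs must not leak onto the object (DB / log dirs).
#define CERTSRV_DACL_PROTECTED \
    SDDL_DACL L":" SDDL_AUTO_INHERITED SDDL_PROTECTED

// Audit ACE: log success and failure for every CA access bit.
#define CERTSRV_SACL_ACE(account) \
    L"(" SDDL_AUDIT L";" \
    SDDL_AUDIT_SUCCESS SDDL_AUDIT_FAILURE L";" \
    WSZ_CA_ACCESS_MASKALL L";;;" \
    account L")"

// SACL that audits Everyone and Anonymous. The blank after L":" is
// reproduced from the original string verbatim.
#define CERTSRV_SACL_ON \
    SDDL_SACL L": " \
    CERTSRV_SACL_ACE(SDDL_EVERYONE) \
    CERTSRV_SACL_ACE(SDDL_ANONYMOUS)

#define CERTSRV_SACL_OFF \
    SDDL_SACL L":"

#define WSZ_CERTSRV_SID_ANONYMOUS_LOGON  L"S-1-5-7"
#define WSZ_CERTSRV_SID_EVERYONE         L"S-1-1-0"

// Default Standalone security
// Standalone
//   Owner, local administrators
//   Group, local administrators
//   DACL:
//     enroll  - everyone
//     caadmin - builtin\administrators
//     officer - builtin\administrators
//   SACL: on (see CERTSRV_SACL_ON)
#define WSZ_DEFAULT_CA_STD_SECURITY \
    CERTSRV_STD_OG(SDDL_BUILTIN_ADMINISTRATORS, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_CA_ACCESS_ADMIN, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_CA_ACCESS_OFFICER, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_CA_ACCESS_ENROLL, SDDL_EVERYONE) \
    CERTSRV_SACL_ON

// Default Enterprise Security
//   Owner, builtin\administrators   (NOTE(review): the original comment said
//   Group, builtin\administrators    Enterprise Administrators; the macro
//                                    body grants BUILTIN\Administrators —
//                                    confirm which is intended)
//   DACL:
//     enroll  - authenticated users
//     caadmin - builtin\administrators
//             - domain admins
//             - enterprise admins
//     officer - builtin\administrators
//             - domain admins
//             - enterprise admins
//   SACL: on (see CERTSRV_SACL_ON)
#define WSZ_DEFAULT_CA_ENT_SECURITY \
    CERTSRV_STD_OG(SDDL_BUILTIN_ADMINISTRATORS, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_CA_ACCESS_ADMIN, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_CA_ACCESS_OFFICER, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_CA_ACCESS_ADMIN, SDDL_DOMAIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_CA_ACCESS_OFFICER, SDDL_DOMAIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_CA_ACCESS_ADMIN, SDDL_ENTERPRISE_ADMINS) \
    CERTSRV_STD_ACE(WSZ_CA_ACCESS_OFFICER, SDDL_ENTERPRISE_ADMINS) \
    CERTSRV_STD_ACE(WSZ_CA_ACCESS_ENROLL, SDDL_AUTHENTICATED_USERS) \
    CERTSRV_SACL_ON

// Empty CA SD: owner/group only, no DACL ACEs (deny-by-default), auditing on.
#define WSZ_EMPTY_CA_SECURITY \
    CERTSRV_STD_OG(SDDL_BUILTIN_ADMINISTRATORS, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_SACL_ON

// DS Container
// (CDP/CA container)
//   Owner: Enterprise Admins (overidden by installer)
//   Group: Enterprise Admins (overidden by installer)
//   DACL:
//     Enterprise Admins - Full Control
//     Domain Admins     - Full Control
//     Cert Publishers   - Full Control   (SDDL_CERT_SERV_ADMINISTRATORS)
//     Builtin Admins    - Full Control
//     Everyone          - Read
#define WSZ_DEFAULT_CA_DS_SECURITY \
    CERTSRV_DACL \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_ENTERPRISE_ADMINS) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_DOMAIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_CERT_SERV_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_READ, SDDL_EVERYONE)

// NTAuthCertificates
//
//   Owner: Enterprise Admins (overidden by installer)
//   Group: Enterprise Admins (overidden by installer)
//   DACL:
//     Enterprise Admins - Full Control
//     Domain Admins     - Full Control
//     Builtin Admins    - Full Control
//     Everyone          - Read
#define WSZ_DEFAULT_NTAUTH_SECURITY \
    CERTSRV_DACL \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_ENTERPRISE_ADMINS) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_DOMAIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_READ, SDDL_EVERYONE)

// CDP/CA
//   Owner: Enterprise Admins (overidden by installer)
//   Group: Enterprise Admins (overidden by installer)
//   DACL:
//     Enterprise Admins - Full Control
//     Domain Admins     - Full Control
//     L"%ws"            - Full Control   (template placeholder; substituted
//                                         by the caller, presumably via
//                                         myGetSDFromTemplate's pwszReplace)
//     Builtin Admins    - Full Control
//     Everyone          - Read           (NOTE(review): the original comment
//                                         said Authenticated Users; the macro
//                                         grants SDDL_EVERYONE — confirm)
// This string is not valid SDDL until the L"%ws" placeholder is replaced.
#define WSZ_DEFAULT_CDP_DS_SECURITY \
    CERTSRV_DACL \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_ENTERPRISE_ADMINS) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_DOMAIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, L"%ws") \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_READ, SDDL_EVERYONE)

// Shared Folder related security
//   Owner: Local Admin
//   DACL:
//     Local Admin       - Full Control
//     LocalSystem       - Full Control
//     Enterprise Admins - Full Control   (USEDS variants only)
//     Everyone          - Read           (EVERYONEREAD variants only)
#define WSZ_DEFAULT_SF_SECURITY \
    CERTSRV_DACL \
    CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_LOCAL_SYSTEM)

#define WSZ_DEFAULT_SF_USEDS_SECURITY \
    CERTSRV_DACL \
    CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_LOCAL_SYSTEM) \
    CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_ENTERPRISE_ADMINS)

#define WSZ_DEFAULT_SF_EVERYONEREAD_SECURITY \
    WSZ_DEFAULT_SF_SECURITY \
    CERTSRV_STD_ACE(SDDL_GENERIC_READ, SDDL_EVERYONE)

#define WSZ_DEFAULT_SF_USEDS_EVERYONEREAD_SECURITY \
    WSZ_DEFAULT_SF_USEDS_SECURITY \
    CERTSRV_STD_ACE(SDDL_GENERIC_READ, SDDL_EVERYONE)

// Database / log directories: protected DACL (no inheritance from the
// parent folder), no read access for non-privileged principals.
#define WSZ_DEFAULT_DB_DIR_SECURITY \
    CERTSRV_DACL_PROTECTED \
    CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_LOCAL_SYSTEM) \
    CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_CREATOR_OWNER) \
    CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_BACKUP_OPERATORS)

#define WSZ_DEFAULT_LOG_DIR_SECURITY    WSZ_DEFAULT_DB_DIR_SECURITY

// Enroll share security
//   Owner: Administrators
//   Group: Administrators
//   DACL:
//     Everyone:    read access
//     local admin: full access
#define WSZ_ACTRL_CERTSRV_SHARE_READ \
    SDDL_FILE_READ \
    SDDL_READ_CONTROL \
    SDDL_GENERIC_READ \
    SDDL_GENERIC_EXECUTE

#define WSZ_ACTRL_CERTSRV_SHARE_ALL \
    SDDL_FILE_ALL \
    SDDL_CREATE_CHILD \
    SDDL_STANDARD_DELETE \
    SDDL_READ_CONTROL \
    SDDL_WRITE_DAC \
    SDDL_WRITE_OWNER \
    SDDL_GENERIC_ALL

#define WSZ_DEFAULT_SHARE_SECURITY \
    CERTSRV_DACL \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_SHARE_READ, SDDL_EVERYONE) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_SHARE_ALL, SDDL_BUILTIN_ADMINISTRATORS)

// Service string below need to be in sync with the following
// definitions from winsvc.h
//#define SERVICE_QUERY_CONFIG           0x0001
//#define SERVICE_CHANGE_CONFIG          0x0002
//#define SERVICE_QUERY_STATUS           0x0004
//#define SERVICE_ENUMERATE_DEPENDENTS   0x0008
//#define SERVICE_START                  0x0010
//#define SERVICE_STOP                   0x0020
//#define SERVICE_PAUSE_CONTINUE         0x0040
//#define SERVICE_INTERROGATE            0x0080
//#define SERVICE_USER_DEFINED_CONTROL   0x0100

// full access to service
//   STANDARD_RIGHTS_REQUIRED (0x000f0000)
//   SERVICE_QUERY_CONFIG
//   SERVICE_CHANGE_CONFIG
//   SERVICE_QUERY_STATUS
//   SERVICE_ENUMERATE_DEPENDENTS
//   SERVICE_START
//   SERVICE_STOP
//   SERVICE_PAUSE_CONTINUE
//   SERVICE_INTERROGATE
//   SERVICE_USER_DEFINED_CONTROL
#define WSZ_SERVICE_ALL_ACCESS      L"0x000f01ff"

// Read-only access to service (0x0001|0x0004|0x0008|0x0080|0x0100)
//   SERVICE_QUERY_CONFIG,
//   SERVICE_QUERY_STATUS,
//   SERVICE_ENUMERATE_DEPENDENTS,
//   SERVICE_INTERROGATE
//   SERVICE_USER_DEFINED_CONTROL
#define WSZ_SERVICE_READ            L"0x0000018d"

// SERVICE_START | SERVICE_STOP
#define WSZ_SERVICE_START_STOP      L"0x00000030"

// Power user and system access (everything except SERVICE_CHANGE_CONFIG)
//   SERVICE_QUERY_CONFIG
//   SERVICE_QUERY_STATUS
//   SERVICE_ENUMERATE_DEPENDENTS
//   SERVICE_START
//   SERVICE_STOP
//   SERVICE_PAUSE_CONTINUE
//   SERVICE_INTERROGATE
//   SERVICE_USER_DEFINED_CONTROL
#define WSZ_SERVICE_POWER_USER      L"0x000001fd"

// Service SACL: audit start/stop by Everyone. Note this emits an (empty)
// DACL header before the SACL; the blank after L":" is verbatim from the
// original string.
#define CERTSRV_SERVICE_SACL_ON \
    CERTSRV_DACL \
    SDDL_SACL L": (" SDDL_AUDIT L";" \
    SDDL_AUDIT_SUCCESS SDDL_AUDIT_FAILURE L";" \
    WSZ_SERVICE_START_STOP L";;;" \
    SDDL_EVERYONE L")"

#define CERTSRV_SERVICE_SACL_OFF \
    SDDL_SACL L":"

// Certsrv service default security
//   Authenticated Users - read
//   Power Users         - power-user mask (start/stop, no config change)
//   LocalSystem         - power-user mask
//   Builtin Admins      - full
//   Server Operators    - full
#define WSZ_DEFAULT_SERVICE_SECURITY \
    CERTSRV_DACL \
    CERTSRV_STD_ACE(WSZ_SERVICE_READ, SDDL_AUTHENTICATED_USERS) \
    CERTSRV_STD_ACE(WSZ_SERVICE_POWER_USER, SDDL_POWER_USERS) \
    CERTSRV_STD_ACE(WSZ_SERVICE_POWER_USER, SDDL_LOCAL_SYSTEM) \
    CERTSRV_STD_ACE(WSZ_SERVICE_ALL_ACCESS, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_SERVICE_ALL_ACCESS, SDDL_SERVER_OPERATORS)

// DS pKIEnrollmentService default security
// Contains a L"%ws" placeholder; not valid SDDL until it is substituted.
#define WSZ_DEFAULT_DSENROLLMENT_SECURITY \
    CERTSRV_DACL \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE_LESS_CONTROL_ACCESS, SDDL_ENTERPRISE_ADMINS) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE_LESS_CONTROL_ACCESS, L"%ws") \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_READ, SDDL_AUTHENTICATED_USERS)

// Key Container security
//   Owner: local admin
//   Group: local admin
//   DACL:
//     Local Admin - Full Control
//     LocalSystem - Full Control
#define WSZ_DEFAULT_KEYCONTAINER_SECURITY \
    CERTSRV_DACL \
    CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_LOCAL_SYSTEM)

// upgrade security
//   DACL:
//     Everyone    - read
//     Local Admin - Full Control
// (ACE list only — no DACL header; the caller supplies it.)
#define WSZ_DEFAULT_UPGRADE_SECURITY \
    CERTSRV_STD_ACE(SDDL_FILE_READ, SDDL_EVERYONE) \
    CERTSRV_STD_ACE(SDDL_FILE_ALL, SDDL_BUILTIN_ADMINISTRATORS)

// following defines certsrv security editing access
// (SI_ACCESS entries for the ACL editor UI)
#define GUID_CERTSRV        GUID_NULL
#define ACTRL_CERTSRV_OBJ   ACTRL_DS_CONTROL_ACCESS

#define CS_GEN_SIAE(access, ids) \
    {&GUID_CERTSRV, (access), MAKEINTRESOURCE((ids)), \
     SI_ACCESS_GENERAL}

#define CS_SPE_SIAE(access, ids) \
    {&GUID_CERTSRV, (access), MAKEINTRESOURCE((ids)), \
     SI_ACCESS_SPECIFIC}

#define OBJ_GEN_SIAE(guid, access, ids) \
    {&(guid), (access), MAKEINTRESOURCE((ids)), \
     SI_ACCESS_GENERAL|SI_ACCESS_SPECIFIC}

#define OBJ_SPE_SIAE(guid, ids) \
    {&(guid), ACTRL_CERTSRV_OBJ, MAKEINTRESOURCE((ids)), \
     SI_ACCESS_SPECIFIC}

#define OBJ_SPE_SIAE_OICI(guid, ids) \
    {&(guid), ACTRL_CERTSRV_OBJ, MAKEINTRESOURCE((ids)), \
     SI_ACCESS_SPECIFIC | OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE }

// Expands to four initializers followed by a trailing comma (the original
// ended the macro on a continuation line that was a comment, giving the
// same expansion). The disabled entries are kept outside the macro so no
// comment is swallowed by a line continuation.
#define CERTSRV_SI_ACCESS_LIST \
    CS_GEN_SIAE(CA_ACCESS_READ,    IDS_ACTRL_CAREAD), \
    CS_GEN_SIAE(CA_ACCESS_OFFICER, IDS_ACTRL_OFFICER), \
    CS_GEN_SIAE(CA_ACCESS_ADMIN,   IDS_ACTRL_CAADMIN), \
    CS_GEN_SIAE(CA_ACCESS_ENROLL,  IDS_ACTRL_ENROLL),
// disabled for beta1: CS_GEN_SIAE(CA_ACCESS_AUDITOR,  IDS_ACTRL_AUDITOR),
// disabled for beta1: CS_GEN_SIAE(CA_ACCESS_OPERATOR, IDS_ACTRL_OPERATOR),

// Build a self-relative SD from one of the WSZ_* SDDL templates above.
//   pwszStringSD  - template string
//   pwszReplace   - optional replacement text (presumably for the L"%ws"
//                   placeholder in the DS templates — verify against the
//                   implementation)
//   ppSD          - receives the resulting security descriptor
HRESULT
myGetSDFromTemplate(
    IN WCHAR const *pwszStringSD,
    IN OPTIONAL WCHAR const *pwszReplace,
    OUT PSECURITY_DESCRIPTOR *ppSD);

// Apply pSD (the parts selected by si) to the CA's objects; fSetDsSecurity
// selects whether the DS objects are included.
HRESULT
CertSrvMapAndSetSecurity(
    OPTIONAL IN WCHAR const *pwszSanitizedName,
    IN WCHAR const *pwszKeyContainerName,
    IN BOOL fSetDsSecurity,
    IN SECURITY_INFORMATION si,
    IN PSECURITY_DESCRIPTOR pSD);

HRESULT
mySetKeyContainerSecurity(
    IN HCRYPTPROV hProv);

// Merge pSDMerge into pSDOld for the parts selected by si; result in ppSDNew.
HRESULT
myMergeSD(
    IN PSECURITY_DESCRIPTOR pSDOld,
    IN PSECURITY_DESCRIPTOR pSDMerge,
    IN SECURITY_INFORMATION si,
    OUT PSECURITY_DESCRIPTOR *ppSDNew);

HRESULT UpdateServiceSacl(bool fTurnOnAuditing);

HRESULT SetFolderDacl(LPCWSTR pcwszFolderPath, LPCWSTR pcwszSDDL);

#endif // __CERTACL_H__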