archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
 
 
 
 
 
 
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/ds/security/base/lsa/server/dspolicy/dbinstac.c

644 lines
16 KiB
Raw Blame History

/*++
Copyright (c) 1991 Microsoft Corporation
Module Name:
dbinstac.c
Abstract:
LSA Protected Subsystem - Account object Initialization.
This module sets up account objects to establish the default
Microsoft policy regarding privilege assignment, system access
rights (interactive, network, service), and abnormal quotas.
Author:
Jim Kelly (JimK) May 3, 1992.
Environment:
User mode - Does not depend on Windows.
Revision History:
--*/
#include <lsapch2.h>
#include "dbp.h"
NTSTATUS
LsapDbInitializeAccount(
IN PSID AccountSid,
IN PLSAPR_PRIVILEGE_SET Privileges,
IN ULONG SystemAccess
);
OLD_LARGE_INTEGER
ConvertLongToOldLargeInteger(
ULONG u
)
/*++
Routine Description:
Coverts a long to old style large interger
Arguments:
u - unsigned long.
Return Value:
converted old style large integer.
--*/
{
LARGE_INTEGER NewLargeInteger;
OLD_LARGE_INTEGER OldLargeInteger;
NewLargeInteger = RtlConvertLongToLargeInteger(u);
NEW_TO_OLD_LARGE_INTEGER(
NewLargeInteger,
OldLargeInteger );
return( OldLargeInteger );
}
NTSTATUS
LsapDbInstallAccountObjects(
VOID
)
/*++
Routine Description:
This function establishes ACCOUNT objects and initializes them
to contain the default Microsoft policy.
Arguments:
None.
Return Value:
--*/
{
NTSTATUS
Status = STATUS_SUCCESS;
ULONG
i,
Index,
SystemAccess;
SID_IDENTIFIER_AUTHORITY
WorldSidAuthority = SECURITY_WORLD_SID_AUTHORITY,
NtAuthority = SECURITY_NT_AUTHORITY;
PSID
WorldSid = NULL,
BuiltinAccountSid = NULL ;
PLSAPR_PRIVILEGE_SET
Privileges;
UCHAR
PrivilegesBuffer[ sizeof(LSAPR_PRIVILEGE_SET) +
20 * sizeof(LUID_AND_ATTRIBUTES)];
//
// Initialize our privilege set buffer
// (Room for 100 privileges)
//
Privileges = (PLSAPR_PRIVILEGE_SET)(&PrivilegesBuffer);
Privileges->Control = 0; //Not used here.
for (i=0; i<20; i++) {
Privileges->Privilege[i].Attributes = 0; //Disabled, DisabledByDefault
}
//
// Set up the SIDs we need.
// All builtin domain sids are the same length. We'll just create
// one and change its RID as necessary.
//
if (NT_SUCCESS(Status)) {
Status = RtlAllocateAndInitializeSid(
&WorldSidAuthority,
1, //Sub authority count
SECURITY_WORLD_RID, //Sub authorities (up to 8)
0, 0, 0, 0, 0, 0, 0,
&WorldSid
);
}
if (NT_SUCCESS(Status)) {
Status = RtlAllocateAndInitializeSid(
&NtAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS,
0, 0, 0, 0, 0, 0,
&BuiltinAccountSid
);
}
//
// Now create each account and assign the appropriate set of privileges
// And logon capabilities. Some of these are product type-specific.
//
if (NT_SUCCESS(Status)) {
//
// World account
// Logon types: Network
// Privileges:
// ChangeNotify (ENABLED)
//
Privileges->Privilege[0].Luid =
ConvertLongToOldLargeInteger(SE_CHANGE_NOTIFY_PRIVILEGE);
Privileges->Privilege[0].Attributes = SE_PRIVILEGE_ENABLED |
SE_PRIVILEGE_ENABLED_BY_DEFAULT;
Privileges->PrivilegeCount = 1;
SystemAccess = SECURITY_ACCESS_NETWORK_LOGON;
//
// If a WinNt installation, give WORLD Interactive logon in
// and SHUTDOWN privilege in addition to Network Logon.
//
if (LsapProductType == NtProductWinNt) {
SystemAccess |= SECURITY_ACCESS_INTERACTIVE_LOGON |
SECURITY_ACCESS_REMOTE_INTERACTIVE_LOGON ;
Privileges->Privilege[1].Luid =
ConvertLongToOldLargeInteger(SE_SHUTDOWN_PRIVILEGE);
Privileges->Privilege[1].Attributes =
SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT;
Privileges->PrivilegeCount = 2;
}
Status = LsapDbInitializeAccount(WorldSid, Privileges, SystemAccess);
Privileges->Privilege[0].Attributes = 0;
}
if (NT_SUCCESS(Status)) {
//
// Admin Alias account
// Logon types: Interactive, Network
// Privileges:
// Security
// Backup
// Restore
// SetTime
// Shutdown
// RemoteShutdown
// Debug
// TakeOwnership
// SystemEnvironment
// SystemProfile
// SingleProcessProfile
// LoadDriver
// CreatePagefile
// IncreaseQuota
//
SystemAccess = SECURITY_ACCESS_INTERACTIVE_LOGON |
SECURITY_ACCESS_NETWORK_LOGON;
Index = 0;
Privileges->Privilege[Index].Luid =
ConvertLongToOldLargeInteger(SE_SECURITY_PRIVILEGE);
Index++;
Privileges->Privilege[Index].Luid =
ConvertLongToOldLargeInteger(SE_BACKUP_PRIVILEGE);
Index++;
Privileges->Privilege[Index].Luid =
ConvertLongToOldLargeInteger(SE_RESTORE_PRIVILEGE);
Index++;
Privileges->Privilege[Index].Luid =
ConvertLongToOldLargeInteger(SE_SYSTEMTIME_PRIVILEGE);
Index++;
Privileges->Privilege[Index].Luid =
ConvertLongToOldLargeInteger(SE_SHUTDOWN_PRIVILEGE);
Index++;
Privileges->Privilege[Index].Luid =
ConvertLongToOldLargeInteger(SE_REMOTE_SHUTDOWN_PRIVILEGE);
Index++;
Privileges->Privilege[Index].Luid =
ConvertLongToOldLargeInteger(SE_TAKE_OWNERSHIP_PRIVILEGE);
Index++;
Privileges->Privilege[Index].Luid =
ConvertLongToOldLargeInteger(SE_DEBUG_PRIVILEGE);
Index++;
Privileges->Privilege[Index].Luid =
ConvertLongToOldLargeInteger(SE_SYSTEM_ENVIRONMENT_PRIVILEGE);
Index++;
Privileges->Privilege[Index].Luid =
ConvertLongToOldLargeInteger(SE_SYSTEM_PROFILE_PRIVILEGE);
Index++;
Privileges->Privilege[Index].Luid =
ConvertLongToOldLargeInteger(SE_PROF_SINGLE_PROCESS_PRIVILEGE);
Index++;
Privileges->Privilege[Index].Luid =
ConvertLongToOldLargeInteger(SE_INC_BASE_PRIORITY_PRIVILEGE);
Index++;
Privileges->Privilege[Index].Luid =
ConvertLongToOldLargeInteger(SE_LOAD_DRIVER_PRIVILEGE);
Index++;
Privileges->Privilege[Index].Luid =
ConvertLongToOldLargeInteger(SE_CREATE_PAGEFILE_PRIVILEGE);
Index++;
Privileges->Privilege[Index].Luid =
ConvertLongToOldLargeInteger(SE_INCREASE_QUOTA_PRIVILEGE);
Index++;
// to add another privilege, and add another group of lines ^^^
Privileges->PrivilegeCount = Index;
(*RtlSubAuthoritySid(BuiltinAccountSid, 1)) = DOMAIN_ALIAS_RID_ADMINS;
Status = LsapDbInitializeAccount(BuiltinAccountSid, Privileges, SystemAccess);
if (!NT_SUCCESS(Status)) {
KdPrint(("LSA DB INSTALL: Creation of Administrators privileged account failed.\n"
" Status: 0x%lx\n", Status));
}
}
if (NT_SUCCESS(Status)) {
//
// Backup Operators Alias account
// Logon types: Interactive
// Privileges:
// Backup
// Restore
// Shutdown
//
SystemAccess = SECURITY_ACCESS_INTERACTIVE_LOGON;
Privileges->Privilege[0].Luid =
ConvertLongToOldLargeInteger(SE_BACKUP_PRIVILEGE);
Privileges->Privilege[1].Luid =
ConvertLongToOldLargeInteger(SE_RESTORE_PRIVILEGE);
Privileges->Privilege[2].Luid =
ConvertLongToOldLargeInteger(SE_SHUTDOWN_PRIVILEGE);
// to add another privilege, vvvv increment this, and add a line ^^^
Privileges->PrivilegeCount = 3;
(*RtlSubAuthoritySid(BuiltinAccountSid, 1)) = DOMAIN_ALIAS_RID_BACKUP_OPS;
Status = LsapDbInitializeAccount(BuiltinAccountSid, Privileges, SystemAccess);
}
if (LsapProductType == NtProductLanManNt) {
if (NT_SUCCESS(Status)) {
//
// System Operators Alias account
// Logon types: Interactive
// Privileges:
// Backup
// Restore
// SetTime
// Shutdown
// RemoteShutdown
//
SystemAccess = SECURITY_ACCESS_INTERACTIVE_LOGON;
Privileges->Privilege[0].Luid =
ConvertLongToOldLargeInteger(SE_BACKUP_PRIVILEGE);
Privileges->Privilege[1].Luid =
ConvertLongToOldLargeInteger(SE_RESTORE_PRIVILEGE);
Privileges->Privilege[2].Luid =
ConvertLongToOldLargeInteger(SE_SYSTEMTIME_PRIVILEGE);
Privileges->Privilege[3].Luid =
ConvertLongToOldLargeInteger(SE_SHUTDOWN_PRIVILEGE);
Privileges->Privilege[4].Luid =
ConvertLongToOldLargeInteger(SE_REMOTE_SHUTDOWN_PRIVILEGE);
// to add another privilege, vvvv increment this, and add a line ^^^
Privileges->PrivilegeCount = 5;
(*RtlSubAuthoritySid(BuiltinAccountSid, 1)) = DOMAIN_ALIAS_RID_SYSTEM_OPS;
Status = LsapDbInitializeAccount(BuiltinAccountSid, Privileges, SystemAccess);
}
if (NT_SUCCESS(Status)) {
//
// Account Operators Alias account
// Logon types: Interactive
// Privileges:
// Shutdown
//
SystemAccess = SECURITY_ACCESS_INTERACTIVE_LOGON;
Privileges->Privilege[0].Luid =
ConvertLongToOldLargeInteger(SE_SHUTDOWN_PRIVILEGE);
// to add another privilege, vvvv increment this, and add a line ^^^
Privileges->PrivilegeCount = 1;
(*RtlSubAuthoritySid(BuiltinAccountSid, 1)) = DOMAIN_ALIAS_RID_ACCOUNT_OPS;
Status = LsapDbInitializeAccount(BuiltinAccountSid, Privileges, SystemAccess);
}
if (NT_SUCCESS(Status)) {
//
// Print Operators Alias account
// Logon types: Interactive
// Privileges:
// Shutdown
//
SystemAccess = SECURITY_ACCESS_INTERACTIVE_LOGON;
Privileges->Privilege[0].Luid =
ConvertLongToOldLargeInteger(SE_SHUTDOWN_PRIVILEGE);
// to add another privilege, vvvv increment this, and add a line ^^^
Privileges->PrivilegeCount = 1;
(*RtlSubAuthoritySid(BuiltinAccountSid, 1)) = DOMAIN_ALIAS_RID_PRINT_OPS;
Status = LsapDbInitializeAccount(BuiltinAccountSid, Privileges, SystemAccess);
}
} else {
if (NT_SUCCESS(Status)) {
//
// Power Users Alias account
// Logon types: Interactive, Network
// Privileges:
// Shutdown
// Set System Time
// SystemProfile
// SingleProcessProfile
// Debug (for developer installs ONLY!).
//
SystemAccess = SECURITY_ACCESS_INTERACTIVE_LOGON |
SECURITY_ACCESS_NETWORK_LOGON |
SECURITY_ACCESS_REMOTE_INTERACTIVE_LOGON ;
Privileges->Privilege[0].Luid =
ConvertLongToOldLargeInteger(SE_SYSTEMTIME_PRIVILEGE);
Privileges->Privilege[1].Luid =
ConvertLongToOldLargeInteger(SE_SHUTDOWN_PRIVILEGE);
Privileges->Privilege[2].Luid =
ConvertLongToOldLargeInteger(SE_REMOTE_SHUTDOWN_PRIVILEGE);
Privileges->Privilege[3].Luid =
ConvertLongToOldLargeInteger(SE_SYSTEM_PROFILE_PRIVILEGE);
Privileges->Privilege[3].Luid =
ConvertLongToOldLargeInteger(SE_PROF_SINGLE_PROCESS_PRIVILEGE);
Privileges->Privilege[4].Luid =
ConvertLongToOldLargeInteger(SE_INC_BASE_PRIORITY_PRIVILEGE);
// to add another privilege, vvvv increment this, and add a line ^^^
Privileges->PrivilegeCount = 5;
//
// Add privileges assigned for developer install
//
if (LsapSetupWasRun != TRUE) {
Privileges->Privilege[Privileges->PrivilegeCount].Luid =
ConvertLongToOldLargeInteger(SE_DEBUG_PRIVILEGE);
Privileges->PrivilegeCount++;
}
(*RtlSubAuthoritySid(BuiltinAccountSid, 1)) = DOMAIN_ALIAS_RID_POWER_USERS;
Status = LsapDbInitializeAccount(BuiltinAccountSid, Privileges, SystemAccess);
}
if (NT_SUCCESS(Status)) {
//
// Users Alias account
// Logon types: Interactive
// Privileges:
// Shutdown
//
SystemAccess = SECURITY_ACCESS_INTERACTIVE_LOGON;
Privileges->Privilege[0].Luid =
ConvertLongToOldLargeInteger(SE_SHUTDOWN_PRIVILEGE);
// to add another privilege, vvvv increment this, and add a line ^^^
Privileges->PrivilegeCount = 1;
(*RtlSubAuthoritySid(BuiltinAccountSid, 1)) = DOMAIN_ALIAS_RID_USERS;
Status = LsapDbInitializeAccount(BuiltinAccountSid, Privileges, SystemAccess);
}
if (NT_SUCCESS(Status)) {
//
// Guests Alias account
// Logon types: Interactive
// Privileges:
// None
//
SystemAccess = SECURITY_ACCESS_INTERACTIVE_LOGON;
// to add another privilege, vvvv increment this, and add a line ^^^
Privileges->PrivilegeCount = 0;
(*RtlSubAuthoritySid(BuiltinAccountSid, 1)) = DOMAIN_ALIAS_RID_GUESTS;
Status = LsapDbInitializeAccount(BuiltinAccountSid, Privileges, SystemAccess);
}
}
//
// Free up SID buffers
//
RtlFreeSid( WorldSid );
RtlFreeSid( BuiltinAccountSid );
return(Status);
}
NTSTATUS
LsapDbInitializeAccount(
IN PSID AccountSid,
IN PLSAPR_PRIVILEGE_SET Privileges,
IN ULONG SystemAccess
)
/*++
Routine Description:
This function creates a single ACCOUNT object and assigns it the
privileges and system access specified.
Arguments:
AccountSid - The SID of the account to create.
Privileges - The privileges, if any, to assign to the account.
SystemAccess - The logon capabilities, if any, to assign to the account.
Return Value:
--*/
{
NTSTATUS
Status = STATUS_SUCCESS,
LocalStatus;
LSAPR_HANDLE
AccountHandle = NULL;
if ((Privileges->PrivilegeCount == 0) &&
(NT_SUCCESS(Status) && SystemAccess == 0) ) {
return(STATUS_SUCCESS);
}
Status = LsarCreateAccount( LsapDbHandle, AccountSid, 0, &AccountHandle);
if (NT_SUCCESS(Status)) {
if (Privileges->PrivilegeCount > 0) {
Status = LsarAddPrivilegesToAccount( AccountHandle, Privileges );
}
if (NT_SUCCESS(Status) && SystemAccess != 0) {
Status = LsarSetSystemAccessAccount( AccountHandle, SystemAccess);
}
LocalStatus = LsapCloseHandle( &AccountHandle, Status );
}
return(Status);
}