//+--------------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (C) Microsoft Corporation, 1996 - 1999
//
// File: certacl.h
//
// Contents: Cert Server security defines
//
// Overview: every default security descriptor the certificate server
// applies (CA object, DS containers, shared folders, DB/log directories,
// the service itself, the key container) is written here as an SDDL
// string composed from the SDDL_* fragments of <sddl.h>.  Where a right
// also has to be checked numerically, the matching ACTRL_* mask is kept
// next to the string form.  The prototypes at the end turn the templates
// into real descriptors.
//
//---------------------------------------------------------------------------

#ifndef __CERTACL_H__
#define __CERTACL_H__

#include <sddl.h>
#include "clibres.h"
#include "certsd.h"

// externs
// GUIDs named after CA operations (approve request, revoke, enroll,
// autoenroll, read DB); defined in a source file elsewhere in the project.
// NOTE(review): their use as object-type GUIDs in the CERTSRV_OBJ_ACE /
// OBJ_*_SIAE macros below is what the names suggest — confirm in acl.cpp.
extern const GUID GUID_APPRV_REQ;
extern const GUID GUID_REVOKE;
extern const GUID GUID_ENROLL;
extern const GUID GUID_AUTOENROLL;
extern const GUID GUID_READ_DB;

//defines

// Fixed buffer length used for SID handling.
// NOTE(review): whether this counts bytes or WCHARs is not stated here —
// confirm at the call sites before sizing a buffer with it.
#define MAX_SID_LEN 256

// !!! The SD strings below need to be in sync with certadm.idl definitions
//
// CA-specific rights have no SDDL letter code, so each one is spelled as an
// explicit hex access mask.  The numbers are the CA_ACCESS_* constants from
// certadm.idl rendered as text; changing one side without the other silently
// changes who holds a role.
#define WSZ_CA_ACCESS_ADMIN     L"0x00000001" // CA administrator
#define WSZ_CA_ACCESS_OFFICER   L"0x00000002" // certificate officer
#define WSZ_CA_ACCESS_AUDITOR   L"0x00000004" // auditor
#define WSZ_CA_ACCESS_OPERATOR  L"0x00000008" // backup operator
#define WSZ_CA_ACCESS_MASKROLES L"0x000000ff" // all role bits together
#define WSZ_CA_ACCESS_READ      L"0x00000100" // read only access to CA
#define WSZ_CA_ACCESS_ENROLL    L"0x00000200" // enroll access to CA
#define WSZ_CA_ACCESS_MASKALL   L"0x0000ffff" // every CA access bit (used by the audit ACEs)

// Important, keep enroll string GUID in sync with define in acl.cpp
// String forms of the enroll / autoenroll object GUIDs, suitable for the
// guid field of CERTSRV_OBJ_ACE.  Presumably the same values as the binary
// GUID_ENROLL / GUID_AUTOENROLL declared above — confirm in acl.cpp.
#define WSZ_GUID_ENROLL L"0e10c968-78fb-11d2-90d4-00c04f79dc55"
#define WSZ_GUID_AUTOENROLL L"a05b8cc2-17bc-4802-a710-e7c15ab866a2"

// ca access rights define here
// note: need to keep string access and mask in sync!
//
// Each DS right is defined twice: a WSZ_* SDDL fragment for building
// descriptor strings and an ACTRL_* numeric mask for access checks.
// NOTE(review): at the time of this review every WSZ_/ACTRL_ pair below
// agrees entry for entry (see the letter-code comments); keep it that way.

// WSZ_ACTRL_CERTSRV_MANAGE = L"CCDCLCSWRPWPDTLOCRSDRCWDWO"
// Full control over a DS object, including control access (CR).
#define WSZ_ACTRL_CERTSRV_MANAGE SDDL_CREATE_CHILD \
    SDDL_DELETE_CHILD \
    SDDL_LIST_CHILDREN \
    SDDL_SELF_WRITE \
    SDDL_READ_PROPERTY \
    SDDL_WRITE_PROPERTY \
    SDDL_DELETE_TREE \
    SDDL_LIST_OBJECT \
    SDDL_CONTROL_ACCESS \
    SDDL_STANDARD_DELETE \
    SDDL_READ_CONTROL \
    SDDL_WRITE_DAC \
    SDDL_WRITE_OWNER

// Numeric twin of WSZ_ACTRL_CERTSRV_MANAGE (same 13 rights).
#define ACTRL_CERTSRV_MANAGE (ACTRL_DS_READ_PROP | \
    ACTRL_DS_WRITE_PROP | \
    READ_CONTROL | \
    DELETE | \
    WRITE_DAC | \
    WRITE_OWNER | \
    ACTRL_DS_CONTROL_ACCESS | \
    ACTRL_DS_CREATE_CHILD | \
    ACTRL_DS_DELETE_CHILD | \
    ACTRL_DS_LIST | \
    ACTRL_DS_SELF | \
    ACTRL_DS_DELETE_TREE | \
    ACTRL_DS_LIST_OBJECT)

// WSZ_ACTRL_CERTSRV_MANAGE without SDDL_CONTROL_ACCESS (no CR).  Used by
// WSZ_DEFAULT_DSENROLLMENT_SECURITY so that managing the pKIEnrollmentService
// object does not also hand out the object's control-access rights.
#define WSZ_ACTRL_CERTSRV_MANAGE_LESS_CONTROL_ACCESS \
    SDDL_CREATE_CHILD \
    SDDL_DELETE_CHILD \
    SDDL_LIST_CHILDREN \
    SDDL_SELF_WRITE \
    SDDL_READ_PROPERTY \
    SDDL_WRITE_PROPERTY \
    SDDL_DELETE_TREE \
    SDDL_LIST_OBJECT \
    SDDL_STANDARD_DELETE \
    SDDL_READ_CONTROL \
    SDDL_WRITE_DAC \
    SDDL_WRITE_OWNER

// Numeric twin of WSZ_ACTRL_CERTSRV_MANAGE_LESS_CONTROL_ACCESS
// (ACTRL_CERTSRV_MANAGE minus ACTRL_DS_CONTROL_ACCESS).
#define ACTRL_CERTSRV_MANAGE_LESS_CONTROL_ACCESS \
    (ACTRL_DS_READ_PROP | \
    ACTRL_DS_WRITE_PROP | \
    READ_CONTROL | \
    DELETE | \
    WRITE_DAC | \
    WRITE_OWNER | \
    ACTRL_DS_CREATE_CHILD | \
    ACTRL_DS_DELETE_CHILD | \
    ACTRL_DS_LIST | \
    ACTRL_DS_SELF | \
    ACTRL_DS_DELETE_TREE | \
    ACTRL_DS_LIST_OBJECT)

// WSZ_ACTRL_CERTSRV_READ = L"RPLCLORC"
// Read-only view of a DS object: read properties, list children/object,
// read the security descriptor.
#define WSZ_ACTRL_CERTSRV_READ SDDL_READ_PROPERTY \
    SDDL_LIST_CHILDREN \
    SDDL_LIST_OBJECT \
    SDDL_READ_CONTROL

// Numeric twin of WSZ_ACTRL_CERTSRV_READ.
#define ACTRL_CERTSRV_READ (READ_CONTROL | \
    ACTRL_DS_READ_PROP | \
    ACTRL_DS_LIST | \
    ACTRL_DS_LIST_OBJECT)

// WSZ_ACTRL_CERTSRV_ENROLL = L"WPRPCR"
// What an enrolling principal needs on the DS object: read/write
// properties plus control access.
#define WSZ_ACTRL_CERTSRV_ENROLL SDDL_WRITE_PROPERTY \
    SDDL_READ_PROPERTY \
    SDDL_CONTROL_ACCESS

// Numeric twin of WSZ_ACTRL_CERTSRV_ENROLL.
#define ACTRL_CERTSRV_ENROLL (ACTRL_DS_READ_PROP | \
    ACTRL_DS_WRITE_PROP | \
    ACTRL_DS_CONTROL_ACCESS)

// The three CA roles all collapse to the single control-access right, in
// both string and numeric form.  Nothing in these six values distinguishes
// the roles from one another; callers must do that elsewhere (the CA access
// bits above are the likely discriminator — confirm).
#define WSZ_ACTRL_CERTSRV_CAADMIN SDDL_CONTROL_ACCESS
#define WSZ_ACTRL_CERTSRV_OFFICER SDDL_CONTROL_ACCESS
#define WSZ_ACTRL_CERTSRV_CAREAD SDDL_CONTROL_ACCESS
#define ACTRL_CERTSRV_CAADMIN ACTRL_DS_CONTROL_ACCESS
#define ACTRL_CERTSRV_OFFICER ACTRL_DS_CONTROL_ACCESS
#define ACTRL_CERTSRV_CAREAD ACTRL_DS_CONTROL_ACCESS

// define all ca string security here in consistent format
//
// Shape of the descriptor strings built below:
//
// SDDL_OWNER L":" SDDL_ENTERPRISE_ADMINS \
// SDDL_GROUP L":" SDDL_ENTERPRISE_ADMINS \
// SDDL_DACL L":" SDDL_PROTECTED SDDL_AUTO_INHERITED \
// L"(" SDDL_ACCESS_ALLOWED or SDDL_OBJECT_ACCESS_ALLOWED L";" \
// SDDL_OBJECT_INHERIT SDDL_CONTAINER_INHERIT or list L";" \
// list of AccessRights L";" \
// StringGUID L";" \
// L";" \
// SDDL_EVERYONE or Sid L")"
// ...list of ace

// Allow ACE that inherits to child objects and containers (OI CI), with
// no object GUID: "(A;OICI;access;;;sid)".
#define CERTSRV_STD_ACE(access, sid) \
    L"(" SDDL_ACCESS_ALLOWED L";" \
    SDDL_OBJECT_INHERIT SDDL_CONTAINER_INHERIT L";" \
    access L";;;" sid L")"

// As CERTSRV_STD_ACE but inherit-only (IO): the ACE takes effect on
// children only, not on the object it is placed on.
#define CERTSRV_INH_ACE(access, sid) \
    L"(" SDDL_ACCESS_ALLOWED L";" \
    SDDL_OBJECT_INHERIT SDDL_CONTAINER_INHERIT SDDL_INHERIT_ONLY L";" \
    access L";;;" sid L")"

// Object-specific allow ACE: `access` is scoped to the object type / control
// access identified by `guid` (string form, e.g. WSZ_GUID_ENROLL).
#define CERTSRV_OBJ_ACE(access, guid, sid) \
    L"(" SDDL_OBJECT_ACCESS_ALLOWED L";" \
    SDDL_OBJECT_INHERIT SDDL_CONTAINER_INHERIT L";" \
    access L";" \
    guid L";;" sid L")"

// Object-specific deny ACE.  When composing a DACL from these fragments the
// caller is responsible for canonical ordering (denies before allows);
// nothing here enforces it.
#define CERTSRV_OBJ_ACE_DENY(access, guid, sid) \
    L"(" SDDL_OBJECT_ACCESS_DENIED L";" \
    SDDL_OBJECT_INHERIT SDDL_CONTAINER_INHERIT L";" \
    access L";" \
    guid L";;" sid L")"

// Owner / group prefix followed by an auto-inherited DACL header:
// "O:owner G:group D:AI".  ACE fragments are appended after it.
#define CERTSRV_STD_OG(owner, group) \
    SDDL_OWNER L":" owner SDDL_GROUP L":" group \
    SDDL_DACL L":" SDDL_AUTO_INHERITED

// DACL header only ("D:AI"); owner and group are left to the caller.
#define CERTSRV_DACL \
    SDDL_DACL L":" SDDL_AUTO_INHERITED

// Protected DACL header ("D:AIP"): inheritable ACEs from the parent are
// not applied, so the parent's ACL cannot widen access to the object.
#define CERTSRV_DACL_PROTECTED \
    SDDL_DACL L":" SDDL_AUTO_INHERITED SDDL_PROTECTED

// Audit ACE for `account`: log success and failure of every CA access bit.
#define CERTSRV_SACL_ACE(account) \
    L"(" SDDL_AUDIT L";" \
    SDDL_AUDIT_SUCCESS SDDL_AUDIT_FAILURE L";" \
    WSZ_CA_ACCESS_MASKALL L";;;" \
    account L")"

// SACL with auditing enabled for Everyone and, explicitly, for ANONYMOUS
// LOGON.
// NOTE(review): the header is L": " with a space after the colon (the same
// in CERTSRV_SERVICE_SACL_ON, but not in CERTSRV_SACL_OFF).  The code
// evidently relies on the SDDL parser tolerating it — confirm before
// normalising either way.
#define CERTSRV_SACL_ON \
    SDDL_SACL L": " \
    CERTSRV_SACL_ACE(SDDL_EVERYONE) \
    CERTSRV_SACL_ACE(SDDL_ANONYMOUS)

// Empty SACL ("S:"): auditing off.
#define CERTSRV_SACL_OFF \
    SDDL_SACL L":"

// Well-known SIDs in string form; the SDDL aliases AN / WD used above
// denote the same two principals.
#define WSZ_CERTSRV_SID_ANONYMOUS_LOGON L"S-1-5-7"
#define WSZ_CERTSRV_SID_EVERYONE L"S-1-1-0"

// Default Standalone security
// Standalone
// Owner, local administrators
// Group, local administrators
// DACL:
// enroll - everyone
// caadmin - builtin\administrators
// officer - builtin\administrators
//
// Note that on a standalone CA enroll is granted to Everyone (WD); the
// enterprise template below restricts it to Authenticated Users.
// Auditing is on (CERTSRV_SACL_ON).
#define WSZ_DEFAULT_CA_STD_SECURITY \
    CERTSRV_STD_OG(SDDL_BUILTIN_ADMINISTRATORS, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_CA_ACCESS_ADMIN, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_CA_ACCESS_OFFICER, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_CA_ACCESS_ENROLL, SDDL_EVERYONE) \
    CERTSRV_SACL_ON

// Default Enterprise Security
// Owner, builtin\administrators
// Group, builtin\administrators
//   (the original comment said Enterprise Administrators; the macro uses
//   SDDL_BUILTIN_ADMINISTRATORS for both — the code is authoritative)
// DACL:
// enroll - authenticated users
// caadmin - builtin\administrators
// - domain admins
// - enterprise admins
// officer - builtin\administrators
// - domain admins
// - enterprise admins
// Auditing is on (CERTSRV_SACL_ON).
#define WSZ_DEFAULT_CA_ENT_SECURITY \
    CERTSRV_STD_OG(SDDL_BUILTIN_ADMINISTRATORS, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_CA_ACCESS_ADMIN, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_CA_ACCESS_OFFICER, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_CA_ACCESS_ADMIN, SDDL_DOMAIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_CA_ACCESS_OFFICER, SDDL_DOMAIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_CA_ACCESS_ADMIN, SDDL_ENTERPRISE_ADMINS) \
    CERTSRV_STD_ACE(WSZ_CA_ACCESS_OFFICER, SDDL_ENTERPRISE_ADMINS) \
    CERTSRV_STD_ACE(WSZ_CA_ACCESS_ENROLL, SDDL_AUTHENTICATED_USERS) \
    CERTSRV_SACL_ON

// Empty CA SD
// Owner/group builtin\administrators, a DACL header with no ACEs, auditing
// on.  A present-but-empty DACL grants nobody access beyond the owner's
// implicit rights; presumably a starting point that is filled in later —
// confirm at the call site.
#define WSZ_EMPTY_CA_SECURITY \
    CERTSRV_STD_OG(SDDL_BUILTIN_ADMINISTRATORS, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_SACL_ON

// DS Container
// (CDP/CA container)
// Owner: Enterprise Admins (overridden by installer)
// Group: Enterprise Admins (overridden by installer)
// DACL:
// Enterprise Admins - Full Control
// Domain Admins - Full Control
// Cert Publishers - Full Control   (SDDL_CERT_SERV_ADMINISTRATORS, "CA")
// Builtin Admins - Full Control
// Everyone - Read
// No O:/G: prefix is emitted here (CERTSRV_DACL only); the owner/group
// lines above describe what the installer sets.
#define WSZ_DEFAULT_CA_DS_SECURITY \
    CERTSRV_DACL \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_ENTERPRISE_ADMINS) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_DOMAIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_CERT_SERV_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_READ, SDDL_EVERYONE)

// NTAuthCertificates
//
// Owner: Enterprise Admins (overridden by installer)
// Group: Enterprise Admins (overridden by installer)
// DACL:
// Enterprise Admins - Full Control
// Domain Admins - Full Control
// Builtin Admins - Full Control
// Everyone - Read
#define WSZ_DEFAULT_NTAUTH_SECURITY \
    CERTSRV_DACL \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_ENTERPRISE_ADMINS) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_DOMAIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_READ, SDDL_EVERYONE)

// CDP/CA
// Owner: Enterprise Admins (overridden by installer)
// Group: Enterprise Admins (overridden by installer)
// DACL:
// Enterprise Admins - Full Control
// Domain Admins - Full Control
// Cert Publishers - Full Control   (the L"%ws" entry, see below)
// Builtin Admins- Full Control
// Everyone - Read
//   (the original comment said Authenticated Users; the macro grants
//   WSZ_ACTRL_CERTSRV_READ to SDDL_EVERYONE — the code is authoritative)
//
// L"%ws" is a placeholder filled in at run time, presumably through the
// pwszReplace argument of myGetSDFromTemplate — confirm which SID the
// caller substitutes.  The same placeholder appears in
// WSZ_DEFAULT_DSENROLLMENT_SECURITY.
#define WSZ_DEFAULT_CDP_DS_SECURITY \
    CERTSRV_DACL \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_ENTERPRISE_ADMINS) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_DOMAIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, L"%ws") \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_READ, SDDL_EVERYONE)

// Shared Folder related security
// Owner: Local Admin
// DACL:
// Local Admin - Full Control
// LocalSystem - Full Control
// Enterprise Admins - Full Control   (only in the *_USEDS_* variants)
// Everyone - Read                    (only in the *_EVERYONEREAD_* variants)

// Base shared-folder DACL: administrators and LocalSystem, full control.
#define WSZ_DEFAULT_SF_SECURITY \
    CERTSRV_DACL \
    CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_LOCAL_SYSTEM)

// Shared folder when the CA uses the DS: Enterprise Admins also get full
// control.
#define WSZ_DEFAULT_SF_USEDS_SECURITY \
    CERTSRV_DACL \
    CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_LOCAL_SYSTEM) \
    CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_ENTERPRISE_ADMINS)

// WSZ_DEFAULT_SF_SECURITY plus generic read for Everyone.
#define WSZ_DEFAULT_SF_EVERYONEREAD_SECURITY \
    WSZ_DEFAULT_SF_SECURITY \
    CERTSRV_STD_ACE(SDDL_GENERIC_READ, SDDL_EVERYONE)

// WSZ_DEFAULT_SF_USEDS_SECURITY plus generic read for Everyone.
#define WSZ_DEFAULT_SF_USEDS_EVERYONEREAD_SECURITY \
    WSZ_DEFAULT_SF_USEDS_SECURITY \
    CERTSRV_STD_ACE(SDDL_GENERIC_READ, SDDL_EVERYONE)

// CA database directory.  This is the one template that uses the
// protected DACL header, so ACEs inherited from the parent directory
// cannot widen access to the database.  Full control for administrators,
// LocalSystem, CREATOR OWNER and Backup Operators; no read ACE for
// anyone else.
#define WSZ_DEFAULT_DB_DIR_SECURITY \
    CERTSRV_DACL_PROTECTED \
    CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_LOCAL_SYSTEM) \
    CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_CREATOR_OWNER) \
    CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_BACKUP_OPERATORS)

// The log directory gets exactly the database directory's descriptor.
#define WSZ_DEFAULT_LOG_DIR_SECURITY WSZ_DEFAULT_DB_DIR_SECURITY

// Enroll share security
// Owner: Administrators
// Group: Administrators
// DACL:
// Everyone: read access
// local admin: full access

// Read rights on the share: file read, read control, generic read and
// generic execute.
#define WSZ_ACTRL_CERTSRV_SHARE_READ SDDL_FILE_READ \
    SDDL_READ_CONTROL \
    SDDL_GENERIC_READ \
    SDDL_GENERIC_EXECUTE

// Full rights on the share, including WRITE_DAC / WRITE_OWNER.
#define WSZ_ACTRL_CERTSRV_SHARE_ALL SDDL_FILE_ALL \
    SDDL_CREATE_CHILD \
    SDDL_STANDARD_DELETE \
    SDDL_READ_CONTROL \
    SDDL_WRITE_DAC \
    SDDL_WRITE_OWNER \
    SDDL_GENERIC_ALL

// No O:/G: prefix is emitted here; the owner/group lines above describe
// what the caller sets.
#define WSZ_DEFAULT_SHARE_SECURITY \
    CERTSRV_DACL \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_SHARE_READ, SDDL_EVERYONE) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_SHARE_ALL, SDDL_BUILTIN_ADMINISTRATORS)

// Service string below need to be in sync with the following
// definitions from winsvc.h
//#define SERVICE_QUERY_CONFIG 0x0001
//#define SERVICE_CHANGE_CONFIG 0x0002
//#define SERVICE_QUERY_STATUS 0x0004
//#define SERVICE_ENUMERATE_DEPENDENTS 0x0008
//#define SERVICE_START 0x0010
//#define SERVICE_STOP 0x0020
//#define SERVICE_PAUSE_CONTINUE 0x0040
//#define SERVICE_INTERROGATE 0x0080
//#define SERVICE_USER_DEFINED_CONTROL 0x0100
//
// Service rights have no SDDL letter codes either, so they are spelled as
// hex masks.  The three masks below were checked against the values listed
// above: 0x01ff is all nine SERVICE_* bits, 0x018d omits CHANGE_CONFIG,
// START, STOP and PAUSE_CONTINUE, 0x01fd omits only CHANGE_CONFIG.

// full access to service
// STANDARD_RIGHTS_REQUIRED
// SERVICE_QUERY_CONFIG
// SERVICE_CHANGE_CONFIG
// SERVICE_QUERY_STATUS
// SERVICE_ENUMERATE_DEPENDENTS
// SERVICE_START
// SERVICE_STOP
// SERVICE_PAUSE_CONTINUE
// SERVICE_INTERROGATE
// SERVICE_USER_DEFINED_CONTROL
// (0x000f0000 is STANDARD_RIGHTS_REQUIRED; 0x01ff the SERVICE_* bits.)
#define WSZ_SERVICE_ALL_ACCESS L"0x000f01ff"

// Read-only access to service
// SERVICE_QUERY_CONFIG,
// SERVICE_QUERY_STATUS,
// SERVICE_ENUMERATE_DEPENDENTS,
// SERVICE_INTERROGATE
// SERVICE_USER_DEFINED_CONTROL
// (0x0001 | 0x0004 | 0x0008 | 0x0080 | 0x0100 = 0x018d)
#define WSZ_SERVICE_READ L"0x0000018d"

// SERVICE_START | SERVICE_STOP; used only by the service audit ACE below.
#define WSZ_SERVICE_START_STOP L"0x00000030"

// Power user and system access
// SERVICE_QUERY_CONFIG
// SERVICE_QUERY_STATUS
// SERVICE_ENUMERATE_DEPENDENTS
// SERVICE_START
// SERVICE_STOP
// SERVICE_PAUSE_CONTINUE
// SERVICE_INTERROGATE
// SERVICE_USER_DEFINED_CONTROL
// Everything except SERVICE_CHANGE_CONFIG (0x01ff & ~0x0002 = 0x01fd), so
// holders can operate the service but not re-point its binary or account.
#define WSZ_SERVICE_POWER_USER L"0x000001fd"

// Service SACL with auditing on: success and failure of start/stop by
// Everyone.  Unlike CERTSRV_SACL_ON this also emits the "D:AI" DACL header
// (CERTSRV_DACL) in front of the SACL — keep that in mind when
// concatenating it with other fragments.  See the note on CERTSRV_SACL_ON
// about the space after the colon.
#define CERTSRV_SERVICE_SACL_ON \
    CERTSRV_DACL \
    SDDL_SACL L": (" SDDL_AUDIT L";" \
    SDDL_AUDIT_SUCCESS SDDL_AUDIT_FAILURE L";" \
    WSZ_SERVICE_START_STOP L";;;" \
    SDDL_EVERYONE L")"

// Empty service SACL ("S:"): auditing off.  Note the asymmetry with
// CERTSRV_SERVICE_SACL_ON, which carries a DACL header and this does not.
#define CERTSRV_SERVICE_SACL_OFF \
    SDDL_SACL L":"

// Certsrv service default security
// Authenticated Users: read/query only.  Power Users and LocalSystem: operate
// (start/stop/pause) but not change config.  Administrators and Server
// Operators: full access including change config.
#define WSZ_DEFAULT_SERVICE_SECURITY \
    CERTSRV_DACL \
    CERTSRV_STD_ACE(WSZ_SERVICE_READ, SDDL_AUTHENTICATED_USERS) \
    CERTSRV_STD_ACE(WSZ_SERVICE_POWER_USER, SDDL_POWER_USERS) \
    CERTSRV_STD_ACE(WSZ_SERVICE_POWER_USER, SDDL_LOCAL_SYSTEM) \
    CERTSRV_STD_ACE(WSZ_SERVICE_ALL_ACCESS, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(WSZ_SERVICE_ALL_ACCESS, SDDL_SERVER_OPERATORS)

// DS pKIEnrollmentService default security
// Enterprise Admins and the L"%ws" principal (substituted at run time, see
// WSZ_DEFAULT_CDP_DS_SECURITY) get manage rights *without* control access;
// Authenticated Users get read.  Note the read ACE goes to Authenticated
// Users here, not Everyone as in the container templates above.
#define WSZ_DEFAULT_DSENROLLMENT_SECURITY \
    CERTSRV_DACL \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE_LESS_CONTROL_ACCESS, SDDL_ENTERPRISE_ADMINS) \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE_LESS_CONTROL_ACCESS, L"%ws") \
    CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_READ, SDDL_AUTHENTICATED_USERS)

// Key Container security
// Owner: local admin
// Group: local admin
// DACL:
// Local Admin - Full Control
// LocalSystem - Full Control
// (No O:/G: prefix is emitted; applied via mySetKeyContainerSecurity below.)
#define WSZ_DEFAULT_KEYCONTAINER_SECURITY \
    CERTSRV_DACL \
    CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_BUILTIN_ADMINISTRATORS) \
    CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_LOCAL_SYSTEM)

// upgrade security
// DACL:
// Local Admin - Full Control
// Everyone - read
// NOTE(review): unlike every other template this one has no "D:" header;
// it is two bare ACE strings, presumably appended to a template that already
// supplies the header — confirm at the call site before using it on its own.
#define WSZ_DEFAULT_UPGRADE_SECURITY \
    CERTSRV_STD_ACE(SDDL_FILE_READ, SDDL_EVERYONE) \
    CERTSRV_STD_ACE(SDDL_FILE_ALL, SDDL_BUILTIN_ADMINISTRATORS)

// following defines certsrv security editing access
//
// Initializer helpers for SI_ACCESS entries (the access table shown by the
// ACL editor UI).  Each expands to {object GUID, access mask, resource id
// of the display name, SI_ACCESS_* flags}.

// The CA object itself has no object-type GUID.
#define GUID_CERTSRV GUID_NULL

// Object-specific CA rights are all expressed as control access.
#define ACTRL_CERTSRV_OBJ ACTRL_DS_CONTROL_ACCESS

// Entry on the "general" page, scoped to the CA object (GUID_NULL).
#define CS_GEN_SIAE(access, ids) \
    {&GUID_CERTSRV, (access), MAKEINTRESOURCE((ids)), \
    SI_ACCESS_GENERAL}

// Entry on the "specific" page, scoped to the CA object (GUID_NULL).
#define CS_SPE_SIAE(access, ids) \
    {&GUID_CERTSRV, (access), MAKEINTRESOURCE((ids)), \
    SI_ACCESS_SPECIFIC}

// Entry shown on both pages, scoped to an explicit object GUID and mask.
#define OBJ_GEN_SIAE(guid, access, ids) \
    {&(guid), (access), MAKEINTRESOURCE((ids)), \
    SI_ACCESS_GENERAL|SI_ACCESS_SPECIFIC}

// Entry on the "specific" page for a control-access right identified by
// `guid`; the mask is always ACTRL_CERTSRV_OBJ.
#define OBJ_SPE_SIAE(guid, ids) \
    {&(guid), ACTRL_CERTSRV_OBJ, MAKEINTRESOURCE((ids)), \
    SI_ACCESS_SPECIFIC}

// As OBJ_SPE_SIAE, but the ACE the editor creates is flagged to inherit to
// child objects and containers.
#define OBJ_SPE_SIAE_OICI(guid, ids) \
    {&(guid), ACTRL_CERTSRV_OBJ, MAKEINTRESOURCE((ids)), \
    SI_ACCESS_SPECIFIC | OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE }

// The CA's editable rights, as SI_ACCESS initializers.  Read, officer,
// CA admin and enroll are exposed; auditor and operator are commented out.
// NOTE(review): the trailing `\` on the ENROLL line splices the first
// "disabled" comment line into the macro.  Because `//` comments are
// removed after line splicing, the macro still ends with the ENROLL entry
// followed by a trailing comma; the second "disabled" line is an ordinary
// comment.  Do not insert anything between the ENROLL line and that comment.
#define CERTSRV_SI_ACCESS_LIST \
    CS_GEN_SIAE(CA_ACCESS_READ, IDS_ACTRL_CAREAD), \
    CS_GEN_SIAE(CA_ACCESS_OFFICER, IDS_ACTRL_OFFICER), \
    CS_GEN_SIAE(CA_ACCESS_ADMIN, IDS_ACTRL_CAADMIN), \
    CS_GEN_SIAE(CA_ACCESS_ENROLL, IDS_ACTRL_ENROLL), \
// disabled for beta1 CS_GEN_SIAE(CA_ACCESS_AUDITOR, IDS_ACTRL_AUDITOR),
// disabled for beta1 CS_GEN_SIAE(CA_ACCESS_OPERATOR, IDS_ACTRL_OPERATOR),

/**
 * Build a security descriptor from one of the SDDL templates above.
 *
 * @param pwszStringSD  SDDL template string (e.g. WSZ_DEFAULT_CDP_DS_SECURITY).
 * @param pwszReplace   Optional; presumably the text substituted for the
 *                      L"%ws" placeholder some templates contain — confirm
 *                      against the implementation.
 * @param ppSD          Receives the resulting descriptor.  How *ppSD must be
 *                      freed is not stated in this header; check the
 *                      implementation before choosing LocalFree vs. another
 *                      release function.
 * @return HRESULT.
 */
HRESULT
myGetSDFromTemplate(
    IN WCHAR const *pwszStringSD,
    IN OPTIONAL WCHAR const *pwszReplace,
    OUT PSECURITY_DESCRIPTOR *ppSD);

/**
 * Apply a CA security descriptor to the objects the CA owns.
 *
 * @param pwszSanitizedName      Optional CA name (sanitized form).
 * @param pwszKeyContainerName   Key container to secure.
 * @param fSetDsSecurity         Whether DS objects are updated as well.
 * @param si                     SECURITY_INFORMATION selecting which parts
 *                               of pSD (owner/group/DACL/SACL) to apply.
 * @param pSD                    Descriptor to map and set.
 * @return HRESULT.
 * Which objects are touched for a given si/fSetDsSecurity is not visible
 * from this header.
 */
HRESULT
CertSrvMapAndSetSecurity(
    OPTIONAL IN WCHAR const *pwszSanitizedName,
    IN WCHAR const *pwszKeyContainerName,
    IN BOOL fSetDsSecurity,
    IN SECURITY_INFORMATION si,
    IN PSECURITY_DESCRIPTOR pSD);

/**
 * Set the security of the key container behind an open CSP handle
 * (presumably to WSZ_DEFAULT_KEYCONTAINER_SECURITY — confirm).
 *
 * @param hProv  Open CryptoAPI provider handle for the container.
 * @return HRESULT.
 */
HRESULT
mySetKeyContainerSecurity(
    IN HCRYPTPROV hProv);

/**
 * Merge the parts of pSDMerge selected by si into pSDOld, producing a new
 * descriptor.
 *
 * @param pSDOld    Existing descriptor; not modified (IN).
 * @param pSDMerge  Descriptor whose selected parts are merged in.
 * @param si        SECURITY_INFORMATION mask selecting owner/group/DACL/SACL.
 * @param ppSDNew   Receives the merged descriptor; ownership/free function
 *                  not stated here.
 * @return HRESULT.
 */
HRESULT
myMergeSD(
    IN PSECURITY_DESCRIPTOR pSDOld,
    IN PSECURITY_DESCRIPTOR pSDMerge,
    IN SECURITY_INFORMATION si,
    OUT PSECURITY_DESCRIPTOR *ppSDNew);

/**
 * Switch the service SACL between CERTSRV_SERVICE_SACL_ON and
 * CERTSRV_SERVICE_SACL_OFF (presumably — the pairing is inferred from the
 * names).
 *
 * @param fTurnOnAuditing  true to enable auditing, false to disable it.
 * @return HRESULT.
 * Note the C++ `bool` parameter: this header appears to be consumed from
 * C++ (acl.cpp is referenced above).
 */
HRESULT
UpdateServiceSacl(bool fTurnOnAuditing);

/**
 * Apply the DACL described by an SDDL string to a folder.
 *
 * @param pcwszFolderPath  Folder to secure.
 * @param pcwszSDDL        SDDL string (e.g. WSZ_DEFAULT_DB_DIR_SECURITY).
 * @return HRESULT.
 */
HRESULT
SetFolderDacl(LPCWSTR pcwszFolderPath, LPCWSTR pcwszSDDL);

#endif // __CERTACL_H__