archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 1b390dddff
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1b390dddff'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/security/services/ca/include/certacl.h

473 lines
19 KiB
Raw Normal View History

Add source files
4 years ago
  1. //+--------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 1996 - 1999
  5. //
  6. // File: certacl.h
  7. //
  8. // Contents: Cert Server security defines
  9. //
  10. //---------------------------------------------------------------------------
  12. #ifndef __CERTACL_H__
  13. #define __CERTACL_H__
  14. #include <sddl.h>
  15. #include "clibres.h"
  16. #include "certsd.h"
  18. // externs
  19. // externs
  20. extern const GUID GUID_APPRV_REQ;
  21. extern const GUID GUID_REVOKE;
  22. extern const GUID GUID_ENROLL;
  23. extern const GUID GUID_AUTOENROLL;
  24. extern const GUID GUID_READ_DB;
  25. //defines
  27. #define MAX_SID_LEN 256
  29. // !!! The SD strings below need to be in sync with certadm.idl definitions
  31. #define WSZ_CA_ACCESS_ADMIN L"0x00000001" // CA administrator
  32. #define WSZ_CA_ACCESS_OFFICER L"0x00000002" // certificate officer
  33. #define WSZ_CA_ACCESS_AUDITOR L"0x00000004" // auditor
  34. #define WSZ_CA_ACCESS_OPERATOR L"0x00000008" // backup operator
  35. #define WSZ_CA_ACCESS_MASKROLES L"0x000000ff"
  36. #define WSZ_CA_ACCESS_READ L"0x00000100" // read only access to CA
  37. #define WSZ_CA_ACCESS_ENROLL L"0x00000200" // enroll access to CA
  38. #define WSZ_CA_ACCESS_MASKALL L"0x0000ffff"
  41. // Important, keep enroll string GUID in sync with define in acl.cpp
  42. #define WSZ_GUID_ENROLL L"0e10c968-78fb-11d2-90d4-00c04f79dc55"
  43. #define WSZ_GUID_AUTOENROLL L"a05b8cc2-17bc-4802-a710-e7c15ab866a2"
  45. // ca access rights define here
  46. // note: need to keep string access and mask in sync!
  47. // WSZ_ACTRL_CERTSRV_MANAGE = L"CCDCLCSWRPWPDTLOCRSDRCWDWO"
  48. #define WSZ_ACTRL_CERTSRV_MANAGE SDDL_CREATE_CHILD \
  49. SDDL_DELETE_CHILD \
  50. SDDL_LIST_CHILDREN \
  51. SDDL_SELF_WRITE \
  52. SDDL_READ_PROPERTY \
  53. SDDL_WRITE_PROPERTY \
  54. SDDL_DELETE_TREE \
  55. SDDL_LIST_OBJECT \
  56. SDDL_CONTROL_ACCESS \
  57. SDDL_STANDARD_DELETE \
  58. SDDL_READ_CONTROL \
  59. SDDL_WRITE_DAC \
  60. SDDL_WRITE_OWNER
  61. #define ACTRL_CERTSRV_MANAGE (ACTRL_DS_READ_PROP | \
  62. ACTRL_DS_WRITE_PROP | \
  63. READ_CONTROL | \
  64. DELETE | \
  65. WRITE_DAC | \
  66. WRITE_OWNER | \
  67. ACTRL_DS_CONTROL_ACCESS | \
  68. ACTRL_DS_CREATE_CHILD | \
  69. ACTRL_DS_DELETE_CHILD | \
  70. ACTRL_DS_LIST | \
  71. ACTRL_DS_SELF | \
  72. ACTRL_DS_DELETE_TREE | \
  73. ACTRL_DS_LIST_OBJECT)
  76. #define WSZ_ACTRL_CERTSRV_MANAGE_LESS_CONTROL_ACCESS \
  77. SDDL_CREATE_CHILD \
  78. SDDL_DELETE_CHILD \
  79. SDDL_LIST_CHILDREN \
  80. SDDL_SELF_WRITE \
  81. SDDL_READ_PROPERTY \
  82. SDDL_WRITE_PROPERTY \
  83. SDDL_DELETE_TREE \
  84. SDDL_LIST_OBJECT \
  85. SDDL_STANDARD_DELETE \
  86. SDDL_READ_CONTROL \
  87. SDDL_WRITE_DAC \
  88. SDDL_WRITE_OWNER
  90. #define ACTRL_CERTSRV_MANAGE_LESS_CONTROL_ACCESS \
  91. (ACTRL_DS_READ_PROP | \
  92. ACTRL_DS_WRITE_PROP | \
  93. READ_CONTROL | \
  94. DELETE | \
  95. WRITE_DAC | \
  96. WRITE_OWNER | \
  97. ACTRL_DS_CREATE_CHILD | \
  98. ACTRL_DS_DELETE_CHILD | \
  99. ACTRL_DS_LIST | \
  100. ACTRL_DS_SELF | \
  101. ACTRL_DS_DELETE_TREE | \
  102. ACTRL_DS_LIST_OBJECT)
  105. // WSZ_ACTRL_CERTSRV_READ = L"RPLCLORC"
  106. #define WSZ_ACTRL_CERTSRV_READ SDDL_READ_PROPERTY \
  107. SDDL_LIST_CHILDREN \
  108. SDDL_LIST_OBJECT \
  109. SDDL_READ_CONTROL
  110. #define ACTRL_CERTSRV_READ (READ_CONTROL | \
  111. ACTRL_DS_READ_PROP | \
  112. ACTRL_DS_LIST | \
  113. ACTRL_DS_LIST_OBJECT)
  115. // WSZ_ACTRL_CERTSRV_ENROLL = L"WPRPCR"
  116. #define WSZ_ACTRL_CERTSRV_ENROLL SDDL_WRITE_PROPERTY \
  117. SDDL_READ_PROPERTY \
  118. SDDL_CONTROL_ACCESS
  119. #define ACTRL_CERTSRV_ENROLL (ACTRL_DS_READ_PROP | \
  120. ACTRL_DS_WRITE_PROP | \
  121. ACTRL_DS_CONTROL_ACCESS)
  123. #define WSZ_ACTRL_CERTSRV_CAADMIN SDDL_CONTROL_ACCESS
  124. #define WSZ_ACTRL_CERTSRV_OFFICER SDDL_CONTROL_ACCESS
  125. #define WSZ_ACTRL_CERTSRV_CAREAD SDDL_CONTROL_ACCESS
  126. #define ACTRL_CERTSRV_CAADMIN ACTRL_DS_CONTROL_ACCESS
  127. #define ACTRL_CERTSRV_OFFICER ACTRL_DS_CONTROL_ACCESS
  128. #define ACTRL_CERTSRV_CAREAD ACTRL_DS_CONTROL_ACCESS
  130. // define all ca string security here in consistant format
  132. // SDDL_OWNER L":" SDDL_ENTERPRISE_ADMINS \
  133. // SDDL_GROUP L":" SDDL_ENTERPRISE_ADMINS \
  134. // SDDL_DACL L":" SDDL_PROTECTED SDDL_AUTO_INHERITED \
  135. // L"(" SDDL_ACCESS_ALLOWED or SDDL_OBJECT_ACCESS_ALLOWED L";" \
  136. // SDDL_OBJECT_INHERIT SDDL_CONTAINER_INHERIT or list L";" \
  137. // list of AccessRights L";" \
  138. // StringGUID L";" \
  139. // L";" \
  140. // SDDL_EVERYONE or Sid L")"
  141. // ...list of ace
  143. #define CERTSRV_STD_ACE(access, sid) \
  144. L"(" SDDL_ACCESS_ALLOWED L";" \
  145. SDDL_OBJECT_INHERIT SDDL_CONTAINER_INHERIT L";" \
  146. access L";;;" sid L")"
  148. #define CERTSRV_INH_ACE(access, sid) \
  149. L"(" SDDL_ACCESS_ALLOWED L";" \
  150. SDDL_OBJECT_INHERIT SDDL_CONTAINER_INHERIT SDDL_INHERIT_ONLY L";" \
  151. access L";;;" sid L")"
  153. #define CERTSRV_OBJ_ACE(access, guid, sid) \
  154. L"(" SDDL_OBJECT_ACCESS_ALLOWED L";" \
  155. SDDL_OBJECT_INHERIT SDDL_CONTAINER_INHERIT L";" \
  156. access L";" \
  157. guid L";;" sid L")"
  159. #define CERTSRV_OBJ_ACE_DENY(access, guid, sid) \
  160. L"(" SDDL_OBJECT_ACCESS_DENIED L";" \
  161. SDDL_OBJECT_INHERIT SDDL_CONTAINER_INHERIT L";" \
  162. access L";" \
  163. guid L";;" sid L")"
  165. #define CERTSRV_STD_OG(owner, group) \
  166. SDDL_OWNER L":" owner SDDL_GROUP L":" group \
  167. SDDL_DACL L":" SDDL_AUTO_INHERITED
  169. #define CERTSRV_SACL_ON \
  170. SDDL_SACL L": (" SDDL_AUDIT L";" \
  171. SDDL_AUDIT_SUCCESS SDDL_AUDIT_FAILURE L";" \
  172. WSZ_CA_ACCESS_MASKALL L";;;" \
  173. SDDL_EVERYONE L")"
  175. #define CERTSRV_SACL_OFF \
  176. SDDL_SACL L":"
  178. #define WSZ_CERTSRV_SID_ANONYMOUS_LOGON L"S-1-5-7"
  179. #define WSZ_CERTSRV_SID_EVERYONE L"S-1-1-0"
  181. // Default Standalone security
  182. // Standalone
  183. // Owner, local administrators
  184. // Group, local administrators
  185. // DACL:
  186. // enroll - everyone
  187. // caadmin - builtin\administrators
  188. // officer - builtin\administrators
  189. #define WSZ_DEFAULT_CA_STD_SECURITY \
  190. CERTSRV_STD_OG(SDDL_BUILTIN_ADMINISTRATORS, SDDL_BUILTIN_ADMINISTRATORS) \
  191. CERTSRV_STD_ACE(WSZ_CA_ACCESS_ADMIN, SDDL_BUILTIN_ADMINISTRATORS) \
  192. CERTSRV_STD_ACE(WSZ_CA_ACCESS_OFFICER, SDDL_BUILTIN_ADMINISTRATORS) \
  193. CERTSRV_STD_ACE(WSZ_CA_ACCESS_ENROLL, SDDL_EVERYONE) \
  194. CERTSRV_SACL_ON
  196. // Default Enterprise Security
  197. // Owner, Enterprise Administrators
  198. // Group, Enterprise Administrators
  199. // DACL:
  200. // enroll - authenticated users
  201. // caadmin - builtin\administrators
  202. // - domain admins
  203. // - enterprise admins
  204. // officer - builtin\administrators
  205. // - domain admins
  206. // - enterprise admins
  207. #define WSZ_DEFAULT_CA_ENT_SECURITY \
  208. CERTSRV_STD_OG(SDDL_BUILTIN_ADMINISTRATORS, SDDL_BUILTIN_ADMINISTRATORS) \
  209. CERTSRV_STD_ACE(WSZ_CA_ACCESS_ADMIN, SDDL_BUILTIN_ADMINISTRATORS) \
  210. CERTSRV_STD_ACE(WSZ_CA_ACCESS_OFFICER, SDDL_BUILTIN_ADMINISTRATORS) \
  211. CERTSRV_STD_ACE(WSZ_CA_ACCESS_ADMIN, SDDL_DOMAIN_ADMINISTRATORS) \
  212. CERTSRV_STD_ACE(WSZ_CA_ACCESS_OFFICER, SDDL_DOMAIN_ADMINISTRATORS) \
  213. CERTSRV_STD_ACE(WSZ_CA_ACCESS_ADMIN, SDDL_ENTERPRISE_ADMINS) \
  214. CERTSRV_STD_ACE(WSZ_CA_ACCESS_OFFICER, SDDL_ENTERPRISE_ADMINS) \
  215. CERTSRV_STD_ACE(WSZ_CA_ACCESS_ENROLL, SDDL_AUTHENTICATED_USERS) \
  216. CERTSRV_SACL_ON
  218. // DS Container
  219. // (CDP/CA container)
  220. // Owner: Enterprise Admins (overidden by installer)
  221. // Group: Enterprise Admins (overidden by installer)
  222. // DACL:
  223. // Enterprise Admins - Full Control
  224. // Domain Admins - Full Control
  225. // Cert Publishers - Full Control
  226. // Builtin Admins - Full Control
  227. // Everyone - Read
  228. #define WSZ_DEFAULT_CA_DS_SECURITY \
  229. CERTSRV_STD_OG(SDDL_ENTERPRISE_ADMINS, SDDL_ENTERPRISE_ADMINS) \
  230. CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_ENTERPRISE_ADMINS) \
  231. CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_DOMAIN_ADMINISTRATORS) \
  232. CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_CERT_SERV_ADMINISTRATORS) \
  233. CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_BUILTIN_ADMINISTRATORS) \
  234. CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_READ, SDDL_EVERYONE)
  236. // NTAuthCertificates
  237. //
  238. // Owner: Enterprise Admins (overidden by installer)
  239. // Group: Enterprise Admins (overidden by installer)
  240. // DACL:
  241. // Enterprise Admins - Full Control
  242. // Domain Admins - Full Control
  243. // Builtin Admins - Full Control
  244. // Everyone - Read
  245. #define WSZ_DEFAULT_NTAUTH_SECURITY \
  246. CERTSRV_STD_OG(SDDL_ENTERPRISE_ADMINS, SDDL_ENTERPRISE_ADMINS) \
  247. CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_ENTERPRISE_ADMINS) \
  248. CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_DOMAIN_ADMINISTRATORS) \
  249. CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_BUILTIN_ADMINISTRATORS) \
  250. CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_READ, SDDL_EVERYONE)
  252. // CDP/CA
  253. // Owner: Enterprise Admins (overidden by installer)
  254. // Group: Enterprise Admins (overidden by installer)
  255. // DACL:
  256. // Enterprise Admins - Full Control
  257. // Domain Admins - Full Control
  258. // Cert Publishers - Full Control
  259. // Builtin Admins- Full Control
  260. // Authenticated Users - Read
  261. #define WSZ_DEFAULT_CDP_DS_SECURITY \
  262. CERTSRV_STD_OG(SDDL_ENTERPRISE_ADMINS, SDDL_ENTERPRISE_ADMINS) \
  263. CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_ENTERPRISE_ADMINS) \
  264. CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_DOMAIN_ADMINISTRATORS) \
  265. CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, L"%ws") \
  266. CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE, SDDL_BUILTIN_ADMINISTRATORS) \
  267. CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_READ, SDDL_EVERYONE)
  269. // Shared Folder related security
  270. // Owner: Local Admin
  271. // DACL:
  272. // Local Admin - Full Control
  273. // LocalSystem - Full Control
  274. // Enterprise Admins - Full Control
  275. // Everyone - Read
  276. #define WSZ_DEFAULT_SF_SECURITY \
  277. CERTSRV_STD_OG(SDDL_BUILTIN_ADMINISTRATORS, SDDL_BUILTIN_ADMINISTRATORS) \
  278. CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_BUILTIN_ADMINISTRATORS) \
  279. CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_LOCAL_SYSTEM)
  281. #define WSZ_DEFAULT_SF_USEDS_SECURITY \
  282. CERTSRV_STD_OG(SDDL_BUILTIN_ADMINISTRATORS, SDDL_BUILTIN_ADMINISTRATORS) \
  283. CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_BUILTIN_ADMINISTRATORS) \
  284. CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_LOCAL_SYSTEM) \
  285. CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_ENTERPRISE_ADMINS)
  287. #define WSZ_DEFAULT_SF_EVERYONEREAD_SECURITY \
  288. WSZ_DEFAULT_SF_SECURITY \
  289. CERTSRV_STD_ACE(SDDL_GENERIC_READ, SDDL_EVERYONE)
  291. #define WSZ_DEFAULT_SF_USEDS_EVERYONEREAD_SECURITY \
  292. WSZ_DEFAULT_SF_USEDS_SECURITY \
  293. CERTSRV_STD_ACE(SDDL_GENERIC_READ, SDDL_EVERYONE)
  295. // Enroll share security
  296. // Owner: Administrators
  297. // Group: Administrators
  298. // DACL:
  299. // Everyone: read access
  300. // local admin: full access
  301. #define WSZ_ACTRL_CERTSRV_SHARE_READ SDDL_FILE_READ \
  302. SDDL_READ_CONTROL \
  303. SDDL_GENERIC_READ \
  304. SDDL_GENERIC_EXECUTE
  305. #define WSZ_ACTRL_CERTSRV_SHARE_ALL SDDL_FILE_ALL \
  306. SDDL_CREATE_CHILD \
  307. SDDL_STANDARD_DELETE \
  308. SDDL_READ_CONTROL \
  309. SDDL_WRITE_DAC \
  310. SDDL_WRITE_OWNER \
  311. SDDL_GENERIC_ALL
  312. #define WSZ_DEFAULT_SHARE_SECURITY \
  313. CERTSRV_STD_OG(SDDL_BUILTIN_ADMINISTRATORS, SDDL_BUILTIN_ADMINISTRATORS) \
  314. CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_SHARE_READ, SDDL_EVERYONE) \
  315. CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_SHARE_ALL, SDDL_BUILTIN_ADMINISTRATORS)
  318. // Service string below need to be in sync with the following
  319. // definitions from winsvc.h
  320. //#define SERVICE_QUERY_CONFIG 0x0001
  321. //#define SERVICE_CHANGE_CONFIG 0x0002
  322. //#define SERVICE_QUERY_STATUS 0x0004
  323. //#define SERVICE_ENUMERATE_DEPENDENTS 0x0008
  324. //#define SERVICE_START 0x0010
  325. //#define SERVICE_STOP 0x0020
  326. //#define SERVICE_PAUSE_CONTINUE 0x0040
  327. //#define SERVICE_INTERROGATE 0x0080
  328. //#define SERVICE_USER_DEFINED_CONTROL 0x0100
  330. // full access to service
  331. // STANDARD_RIGHTS_REQUIRED
  332. // SERVICE_QUERY_CONFIG
  333. // SERVICE_CHANGE_CONFIG
  334. // SERVICE_QUERY_STATUS
  335. // SERVICE_ENUMERATE_DEPENDENTS
  336. // SERVICE_START
  337. // SERVICE_STOP
  338. // SERVICE_PAUSE_CONTINUE
  339. // SERVICE_INTERROGATE
  340. // SERVICE_USER_DEFINED_CONTROL
  341. #define WSZ_SERVICE_ALL_ACCESS L"0x000f01ff"
  344. // Read-only access to service
  345. // SERVICE_QUERY_CONFIG,
  346. // SERVICE_QUERY_STATUS,
  347. // SERVICE_ENUMERATE_DEPENDENTS,
  348. // SERVICE_INTERROGATE
  349. // SERVICE_USER_DEFINED_CONTROL
  351. #define WSZ_SERVICE_READ L"0x0000018d"
  353. #define WSZ_SERVICE_START_STOP L"0x00000030"
  355. // Power user and system access
  356. // SERVICE_QUERY_CONFIG
  357. // SERVICE_QUERY_STATUS
  358. // SERVICE_ENUMERATE_DEPENDENTS
  359. // SERVICE_START
  360. // SERVICE_STOP
  361. // SERVICE_PAUSE_CONTINUE
  362. // SERVICE_INTERROGATE
  363. // SERVICE_USER_DEFINED_CONTROL
  364. #define WSZ_SERVICE_POWER_USER L"0x000001fd"
  366. #define CERTSRV_SERVICE_SACL_ON \
  367. CERTSRV_STD_OG(SDDL_BUILTIN_ADMINISTRATORS, SDDL_BUILTIN_ADMINISTRATORS) \
  368. SDDL_SACL L": (" SDDL_AUDIT L";" \
  369. SDDL_AUDIT_SUCCESS SDDL_AUDIT_FAILURE L";" \
  370. WSZ_SERVICE_START_STOP L";;;" \
  371. SDDL_EVERYONE L")"
  373. #define CERTSRV_SERVICE_SACL_OFF \
  374. SDDL_SACL L":"
  376. // Certsrv service default security
  377. #define WSZ_DEFAULT_SERVICE_SECURITY \
  378. CERTSRV_STD_OG(SDDL_BUILTIN_ADMINISTRATORS, SDDL_BUILTIN_ADMINISTRATORS) \
  379. CERTSRV_STD_ACE(WSZ_SERVICE_READ, SDDL_AUTHENTICATED_USERS) \
  380. CERTSRV_STD_ACE(WSZ_SERVICE_POWER_USER, SDDL_POWER_USERS) \
  381. CERTSRV_STD_ACE(WSZ_SERVICE_POWER_USER, SDDL_LOCAL_SYSTEM) \
  382. CERTSRV_STD_ACE(WSZ_SERVICE_ALL_ACCESS, SDDL_BUILTIN_ADMINISTRATORS) \
  383. CERTSRV_STD_ACE(WSZ_SERVICE_ALL_ACCESS, SDDL_SERVER_OPERATORS)
  385. // DS pKIEnrollmentService default security
  386. #define WSZ_DEFAULT_DSENROLLMENT_SECURITY \
  387. CERTSRV_STD_OG(SDDL_BUILTIN_ADMINISTRATORS, SDDL_BUILTIN_ADMINISTRATORS) \
  388. CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE_LESS_CONTROL_ACCESS, SDDL_BUILTIN_ADMINISTRATORS) \
  389. CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE_LESS_CONTROL_ACCESS, SDDL_DOMAIN_ADMINISTRATORS) \
  390. CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE_LESS_CONTROL_ACCESS, SDDL_ENTERPRISE_ADMINS) \
  391. CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE_LESS_CONTROL_ACCESS, SDDL_LOCAL_SYSTEM) \
  392. CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_MANAGE_LESS_CONTROL_ACCESS, L"%ws") \
  393. CERTSRV_STD_ACE(WSZ_ACTRL_CERTSRV_READ, SDDL_AUTHENTICATED_USERS)
  395. // Key Conatiner security
  396. // Owner: local admin
  397. // Group: local admin
  398. // DACL:
  399. // Local Admin - Full Control
  400. // LocalSystem - Full Control
  401. #define WSZ_DEFAULT_KEYCONTAINER_SECURITY \
  402. CERTSRV_STD_OG(SDDL_BUILTIN_ADMINISTRATORS, SDDL_BUILTIN_ADMINISTRATORS) \
  403. CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_BUILTIN_ADMINISTRATORS) \
  404. CERTSRV_STD_ACE(SDDL_GENERIC_ALL, SDDL_LOCAL_SYSTEM)
  406. // upgrade security
  407. // DACL:
  408. // Local Admin - Full Control
  409. // Everyone - read
  410. #define WSZ_DEFAULT_UPGRADE_SECURITY \
  411. CERTSRV_STD_ACE(SDDL_FILE_READ, SDDL_EVERYONE) \
  412. CERTSRV_STD_ACE(SDDL_FILE_ALL, SDDL_BUILTIN_ADMINISTRATORS)
  415. // following defines certsrv security editing access
  417. #define GUID_CERTSRV GUID_NULL
  418. #define ACTRL_CERTSRV_OBJ ACTRL_DS_CONTROL_ACCESS
  419. #define CS_GEN_SIAE(access, ids) \
  420. {&GUID_CERTSRV, (access), MAKEINTRESOURCE((ids)), \
  421. SI_ACCESS_GENERAL}
  422. #define CS_SPE_SIAE(access, ids) \
  423. {&GUID_CERTSRV, (access), MAKEINTRESOURCE((ids)), \
  424. SI_ACCESS_SPECIFIC}
  425. #define OBJ_GEN_SIAE(guid, access, ids) \
  426. {&(guid), (access), MAKEINTRESOURCE((ids)), \
  427. SI_ACCESS_GENERAL|SI_ACCESS_SPECIFIC}
  428. #define OBJ_SPE_SIAE(guid, ids) \
  429. {&(guid), ACTRL_CERTSRV_OBJ, MAKEINTRESOURCE((ids)), \
  430. SI_ACCESS_SPECIFIC}
  431. #define OBJ_SPE_SIAE_OICI(guid, ids) \
  432. {&(guid), ACTRL_CERTSRV_OBJ, MAKEINTRESOURCE((ids)), \
  433. SI_ACCESS_SPECIFIC | OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE }
  435. #define CERTSRV_SI_ACCESS_LIST \
  436. CS_GEN_SIAE(CA_ACCESS_READ, IDS_ACTRL_CAREAD), \
  437. CS_GEN_SIAE(CA_ACCESS_OFFICER, IDS_ACTRL_OFFICER), \
  438. CS_GEN_SIAE(CA_ACCESS_ADMIN, IDS_ACTRL_CAADMIN), \
  439. CS_GEN_SIAE(CA_ACCESS_ENROLL, IDS_ACTRL_ENROLL), \
  440. // disabled for beta1 CS_GEN_SIAE(CA_ACCESS_AUDITOR, IDS_ACTRL_AUDITOR),
  441. // disabled for beta1 CS_GEN_SIAE(CA_ACCESS_OPERATOR, IDS_ACTRL_OPERATOR),
  442. HRESULT
  443. myGetSDFromTemplate(
  444. IN WCHAR const *pwszStringSD,
  445. IN OPTIONAL WCHAR const *pwszReplace,
  446. OUT PSECURITY_DESCRIPTOR *ppSD);
  448. HRESULT
  449. CertSrvMapAndSetSecurity(
  450. OPTIONAL IN WCHAR const *pwszSanitizedName,
  451. IN WCHAR const *pwszKeyContainerName,
  452. IN BOOL fSetDsSecurity,
  453. IN SECURITY_INFORMATION si,
  454. IN PSECURITY_DESCRIPTOR pSD);
  456. HRESULT
  457. SetCAKeySecurity(
  458. IN SECURITY_INFORMATION si,
  459. IN WCHAR const *pwszSanitizedName,
  460. IN WCHAR const *pwszKeyContainerName,
  461. IN OPTIONAL PSECURITY_DESCRIPTOR pSD);
  463. HRESULT
  464. myMergeSD(
  465. IN PSECURITY_DESCRIPTOR pSDOld,
  466. IN PSECURITY_DESCRIPTOR pSDMerge,
  467. IN SECURITY_INFORMATION si,
  468. OUT PSECURITY_DESCRIPTOR *ppSDNew);
  470. HRESULT
  471. UpdateServiceSacl(bool fTurnOnAuditing);
  473. #endif // __CERTLIB_H__