

  1. /*++
  2. Copyright (c) 1991-1996 Microsoft Corporation
  3. Module Name:
  4. nlsecure.c
  5. Abstract:
  6. This module contains the Netlogon service support routines
  7. which create security objects and enforce security access checking.
  8. Author:
  9. Cliff Van Dyke (CliffV) 22-Aug-1991
  10. Revision History:
  11. --*/
  12. #include "logonsrv.h" // Include files common to entire service
  13. #pragma hdrstop
  14. //
  15. // Include nlsecure.h again allocating the actual variables
  16. // this time around.
  17. //
  18. #define NLSECURE_ALLOCATE
  19. #include "nlsecure.h"
  20. #undef NLSECURE_ALLOCATE
NTSTATUS
NlCreateNetlogonObjects(
    VOID
    )
/*++

Routine Description:

    Build the security descriptor that represents the Netlogon service's
    user-mode objects.  The descriptor is assembled from a fixed ACE table
    and handed to NetpCreateSecurityObject, which stores the result in
    NlGlobalNetlogonSecurityDescriptor.  NlGlobalNetlogonInfoMapping is
    passed alongside it (presumably the generic mapping used when callers
    are later access-checked against the descriptor -- see
    NetpCreateSecurityObject for what it does with it).

Arguments:

    None.

Return Value:

    The NTSTATUS produced by NetpCreateSecurityObject.

--*/
{
    //
    // The DACL is evaluated front to back, so ACE order is part of the
    // policy: the single deny ACE must precede every allow ACE.  Members
    // of SECURITY_LOCAL are refused UAS logon/logoff so that those
    // operations are only performed remotely -- without the deny entry
    // coming first, the Everyone grant at the bottom would let them in.
    //
    // One entry per line: ACE type, flags, inheritance, access mask, SID.
    //
    ACE_DATA NetlogonAces[] = {

        // Deny UAS logon/logoff to local callers (must stay first).
        { ACCESS_DENIED_ACE_TYPE,  0, 0, NETLOGON_UAS_LOGON_ACCESS | NETLOGON_UAS_LOGOFF_ACCESS, &LocalSid },

        // Administrators: full access.
        { ACCESS_ALLOWED_ACE_TYPE, 0, 0, GENERIC_ALL, &AliasAdminsSid },

        // Account Operators and System Operators: control access only.
        { ACCESS_ALLOWED_ACE_TYPE, 0, 0, NETLOGON_CONTROL_ACCESS, &AliasAccountOpsSid },
        { ACCESS_ALLOWED_ACE_TYPE, 0, 0, NETLOGON_CONTROL_ACCESS, &AliasSystemOpsSid },

        // LocalSystem: control + service access; LocalService: service access.
        { ACCESS_ALLOWED_ACE_TYPE, 0, 0, NETLOGON_CONTROL_ACCESS | NETLOGON_SERVICE_ACCESS, &LocalSystemSid },
        { ACCESS_ALLOWED_ACE_TYPE, 0, 0, NETLOGON_SERVICE_ACCESS, &LocalServiceSid },

        // Authenticated Users: FTINFO access.
        { ACCESS_ALLOWED_ACE_TYPE, 0, 0, NETLOGON_FTINFO_ACCESS, &AuthenticatedUserSid },

        // Everyone: query plus UAS logon/logoff (the latter already
        // denied to SECURITY_LOCAL by the first entry).
        { ACCESS_ALLOWED_ACE_TYPE, 0, 0, NETLOGON_UAS_LOGON_ACCESS | NETLOGON_UAS_LOGOFF_ACCESS | NETLOGON_QUERY_ACCESS, &WorldSid }
    };

    //
    // Administrators are both owner and primary group of the object.
    // The element count is derived from the array itself so the table
    // can be edited without touching this call.
    //
    return NetpCreateSecurityObject(
               NetlogonAces,
               sizeof(NetlogonAces) / sizeof(NetlogonAces[0]),
               AliasAdminsSid,
               AliasAdminsSid,
               &NlGlobalNetlogonInfoMapping,
               &NlGlobalNetlogonSecurityDescriptor );
}