mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
723 lines
21 KiB
723 lines
21 KiB
#include "stdafx.h"
|
|
#include "MsPwdMig.h"
|
|
#include "PasswordMigration.h"
|
|
|
|
#include <NtSecApi.h>
|
|
#include <io.h>
|
|
#include <winioctl.h>
|
|
#include <lm.h>
|
|
#include <eh.h>
|
|
#include <ActiveDS.h>
|
|
#include <Dsrole.h>
|
|
#include "TReg.hpp"
|
|
#include "pwdfuncs.h"
|
|
#include "PWGen.hpp"
|
|
#include "UString.hpp"
|
|
#include "PwRpcUtl.h"
|
|
#include "PwdSvc.h"
|
|
#include "PwdSvc_c.c"
|
|
#include "Error.h"
|
|
|
|
#pragma comment(lib, "netapi32.lib")
|
|
#pragma comment(lib, "adsiid.lib")
|
|
#pragma comment(lib, "activeds.lib")
|
|
#pragma comment(lib, "commonlib.lib")
|
|
|
|
|
|
namespace
|
|
{
|
|
|
|
#define GET_BYTE_ARRAY_DATA(v) ((char*)((v).parray->pvData))
|
|
#define GET_BYTE_ARRAY_SIZE(v) ((unsigned long)((v).parray->rgsabound[0].cElements))
|
|
|
|
struct SSeException
|
|
{
|
|
SSeException(UINT uCode) :
|
|
uCode(uCode)
|
|
{
|
|
}
|
|
|
|
UINT uCode;
|
|
};
|
|
|
|
void SeTranslator(unsigned int u, EXCEPTION_POINTERS* pepExceptions)
|
|
{
|
|
throw SSeException(u);
|
|
}
|
|
|
|
}
|
|
// namespace
|
|
|
|
|
|
//---------------------------------------------------------------------------
|
|
// CPasswordMigration
|
|
//---------------------------------------------------------------------------
|
|
|
|
|
|
// Constructor
|
|
|
|
CPasswordMigration::CPasswordMigration() :
|
|
m_bSessionEstablished(false)
|
|
{
|
|
}
|
|
|
|
|
|
// Destructor
|
|
|
|
CPasswordMigration::~CPasswordMigration()
|
|
{
|
|
}
|
|
|
|
|
|
//
|
|
// IPasswordMigration Implementation ----------------------------------------
|
|
//
|
|
|
|
|
|
// EstablishSession Method
|
|
|
|
STDMETHODIMP CPasswordMigration::EstablishSession(BSTR bstrSourceServer, BSTR bstrTargetServer)
|
|
{
|
|
HRESULT hr = S_OK;
|
|
|
|
USES_CONVERSION;
|
|
|
|
try
|
|
{
|
|
m_bSessionEstablished = false;
|
|
|
|
CheckPasswordDC(OLE2CW(bstrSourceServer), OLE2CW(bstrTargetServer));
|
|
|
|
m_bSessionEstablished = true;
|
|
}
|
|
catch (_com_error& ce)
|
|
{
|
|
hr = SetError(ce, IDS_E_CANNOT_ESTABLISH_SESSION);
|
|
}
|
|
|
|
return hr;
|
|
}
|
|
|
|
|
|
// CopyPassword Method
|
|
|
|
STDMETHODIMP CPasswordMigration::CopyPassword(BSTR bstrSourceAccount, BSTR bstrTargetAccount, BSTR bstrTargetPassword)
|
|
{
|
|
HRESULT hr = S_OK;
|
|
|
|
USES_CONVERSION;
|
|
|
|
try
|
|
{
|
|
// if session established then...
|
|
|
|
if (m_bSessionEstablished)
|
|
{
|
|
// copy password
|
|
CopyPasswordImpl(OLE2CT(bstrSourceAccount), OLE2CT(bstrTargetAccount), OLE2CT(bstrTargetPassword));
|
|
}
|
|
else
|
|
{
|
|
// else return error
|
|
ThrowError(PM_E_SESSION_NOT_ESTABLISHED, IDS_E_SESSION_NOT_ESTABLISHED);
|
|
}
|
|
}
|
|
catch (_com_error& ce)
|
|
{
|
|
hr = SetError(ce, IDS_E_CANNOT_COPY_PASSWORD);
|
|
}
|
|
|
|
return hr;
|
|
}
|
|
|
|
|
|
// GenerateKey Method
|
|
|
|
STDMETHODIMP CPasswordMigration::GenerateKey(BSTR bstrSourceDomainFlatName, BSTR bstrKeyFilePath, BSTR bstrPassword)
|
|
{
|
|
HRESULT hr = S_OK;
|
|
|
|
USES_CONVERSION;
|
|
|
|
try
|
|
{
|
|
GenerateKeyImpl(OLE2CT(bstrSourceDomainFlatName), OLE2CT(bstrKeyFilePath), OLE2CT(bstrPassword));
|
|
}
|
|
catch (_com_error& ce)
|
|
{
|
|
hr = SetError(ce, IDS_E_CANNOT_GENERATE_KEY);
|
|
}
|
|
|
|
return hr;
|
|
}
|
|
|
|
|
|
//
|
|
// Implementation -----------------------------------------------------------
|
|
//
|
|
|
|
|
|
// GenerateKeyImpl Method
|
|
|
|
void CPasswordMigration::GenerateKeyImpl(LPCTSTR pszDomain, LPCTSTR pszFile, LPCTSTR pszPassword)
|
|
{
|
|
//
|
|
// validate source domain name
|
|
//
|
|
|
|
if ((pszDomain == NULL) || (pszDomain[0] == NULL))
|
|
{
|
|
ThrowError(E_INVALIDARG, IDS_E_KEY_DOMAIN_NOT_SPECIFIED);
|
|
}
|
|
|
|
//
|
|
// validate key file path
|
|
//
|
|
|
|
if ((pszFile == NULL) || (pszFile[0] == NULL))
|
|
{
|
|
ThrowError(E_INVALIDARG, IDS_E_KEY_FILE_NOT_SPECIFIED);
|
|
}
|
|
|
|
_TCHAR szDrive[_MAX_DRIVE];
|
|
_TCHAR szExt[_MAX_EXT];
|
|
|
|
_tsplitpath(pszFile, szDrive, NULL, NULL, szExt);
|
|
|
|
// verify drive is a local drive
|
|
|
|
_TCHAR szDrivePath[_MAX_PATH];
|
|
_tmakepath(szDrivePath, szDrive, _T("\\"), NULL, NULL);
|
|
|
|
if (GetDriveType(szDrivePath) == DRIVE_REMOTE)
|
|
{
|
|
ThrowError(E_INVALIDARG, IDS_E_KEY_FILE_NOT_LOCAL_DRIVE, pszFile);
|
|
}
|
|
|
|
// verify file extension is correct
|
|
|
|
if (_tcsicmp(szExt, _T(".pes")) != 0)
|
|
{
|
|
ThrowError(E_INVALIDARG, IDS_E_KEY_FILE_EXTENSION_INVALID, szExt);
|
|
}
|
|
|
|
//
|
|
// create encryption key and write to specified file
|
|
//
|
|
|
|
// create encryption key
|
|
|
|
CTargetCrypt crypt;
|
|
|
|
_variant_t vntKey = crypt.CreateEncryptionKey(pszDomain, pszPassword);
|
|
|
|
// write encrypted key bytes to file
|
|
|
|
HANDLE hFile = CreateFile(pszFile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
|
|
|
|
if (hFile == INVALID_HANDLE_VALUE)
|
|
{
|
|
ThrowError(HRESULT_FROM_WIN32(GetLastError()), IDS_E_KEY_CANT_CREATE_FILE, pszFile);
|
|
}
|
|
|
|
DWORD dwWritten;
|
|
|
|
BOOL bWritten = WriteFile(hFile, vntKey.parray->pvData, vntKey.parray->rgsabound[0].cElements, &dwWritten, NULL);
|
|
|
|
CloseHandle(hFile);
|
|
|
|
if (!bWritten)
|
|
{
|
|
ThrowError(HRESULT_FROM_WIN32(GetLastError()), IDS_E_KEY_CANT_WRITE_FILE, pszFile);
|
|
}
|
|
}
|
|
|
|
|
|
#pragma optimize ("", off)
|
|
|
|
/*********************************************************************
|
|
* *
|
|
* Written by: Paul Thompson *
|
|
* Date: 15 DEC 2000 *
|
|
* *
|
|
* This function is a wrapper around a password DC "CheckConfig" *
|
|
* call that can be used by the GUI and scripting to test the given *
|
|
* DC. *
|
|
* First we connect to a remote Lsa notification package dll, *
|
|
* which should be installed on a DC in the source domain. The *
|
|
* connect will be encrypted RPC. The configuration check, which *
|
|
* establishes a temporary session for this check. *
|
|
* We will also check anonymous user right access on the target *
|
|
* domain. *
|
|
* *
|
|
* 2001-04-19 Mark Oluper - updated for client component *
|
|
*********************************************************************/
|
|
|
|
//BEGIN CheckPasswordDC
|
|
void CPasswordMigration::CheckPasswordDC(LPCWSTR srcServer, LPCWSTR tgtServer)
|
|
{
|
|
/* local constants */
|
|
const DWORD c_dwMinUC = 3;
|
|
const DWORD c_dwMinLC = 3;
|
|
const DWORD c_dwMinDigits = 3;
|
|
const DWORD c_dwMinSpecial = 3;
|
|
const DWORD c_dwMaxAlpha = 0;
|
|
const DWORD c_dwMinLen = 14;
|
|
|
|
/* local variables */
|
|
DWORD rc = 0;
|
|
WCHAR * sBinding = NULL;
|
|
HANDLE hBinding = NULL;
|
|
WCHAR testPwd[PASSWORD_BUFFER_SIZE];
|
|
WCHAR tempPwd[PASSWORD_BUFFER_SIZE];
|
|
_variant_t varSession;
|
|
_variant_t varTestPwd;
|
|
|
|
/* function body */
|
|
// USES_CONVERSION;
|
|
|
|
if ((srcServer == NULL) || (srcServer[0] == NULL))
|
|
{
|
|
ThrowError(E_INVALIDARG, IDS_E_SOURCE_SERVER_NOT_SPECIFIED);
|
|
}
|
|
|
|
if ((tgtServer == NULL) || (tgtServer[0] == NULL))
|
|
{
|
|
ThrowError(E_INVALIDARG, IDS_E_TARGET_SERVER_NOT_SPECIFIED);
|
|
}
|
|
|
|
//make sure the server names start with "\\"
|
|
if ((srcServer[0] != L'\\') && (srcServer[1] != L'\\'))
|
|
{
|
|
m_strSourceServer = L"\\\\";
|
|
m_strSourceServer += srcServer;
|
|
}
|
|
else
|
|
m_strSourceServer = srcServer;
|
|
if ((tgtServer[0] != L'\\') && (tgtServer[1] != L'\\'))
|
|
{
|
|
m_strTargetServer = L"\\\\";
|
|
m_strTargetServer += tgtServer;
|
|
}
|
|
else
|
|
m_strTargetServer = tgtServer;
|
|
|
|
//get the password DC's domain NETBIOS name
|
|
GetDomainName(m_strSourceServer, m_strSourceDomainDNS, m_strSourceDomainFlat);
|
|
|
|
//get the target DC's domain DNS name
|
|
GetDomainName(m_strTargetServer, m_strTargetDomainDNS, m_strTargetDomainFlat);
|
|
|
|
//check if "Everyone" has been added to the "Pre-Windows 2000 Compatible
|
|
//Access" group
|
|
if (!IsEveryoneInPW2KCAGroup(m_strTargetDomainDNS))
|
|
ThrowError(__uuidof(PasswordMigration), __uuidof(IPasswordMigration), PM_E_EVERYONE_NOT_MEMBEROF_COMPATIBILITY_GROUP, IDS_E_EVERYONE_NOT_MEMBEROF_GROUP, (LPCTSTR)m_strTargetDomainDNS);
|
|
|
|
//check if anonymous user has been granted "Everyone" access, if the target
|
|
//DC is Whistler or newer
|
|
if (!DoesAnonymousHaveEveryoneAccess(m_strTargetServer))
|
|
ThrowError(__uuidof(PasswordMigration), __uuidof(IPasswordMigration), PM_E_EVERYONE_DOES_NOT_INCLUDE_ANONYMOUS, IDS_E_EVERYONE_DOES_NOT_INCLUDE_ANONYMOUS, (LPCTSTR)m_strTargetServer);
|
|
|
|
//if the high encryption pack has not been installed on this target
|
|
//DC, then return that information
|
|
try
|
|
{
|
|
m_pTargetCrypt = std::auto_ptr<CTargetCrypt>(new CTargetCrypt);
|
|
}
|
|
catch (_com_error& ce)
|
|
{
|
|
if (ce.Error() == 0x80090019)
|
|
ThrowError(__uuidof(PasswordMigration), __uuidof(IPasswordMigration), PM_E_HIGH_ENCRYPTION_NOT_INSTALLED, IDS_E_HIGH_ENCRYPTION_NOT_INSTALLED);
|
|
else
|
|
throw;
|
|
}
|
|
|
|
rc = PwdBindCreate(m_strSourceServer,&hBinding,&sBinding,TRUE);
|
|
|
|
if(rc != ERROR_SUCCESS)
|
|
{
|
|
_com_issue_error(HRESULT_FROM_WIN32(rc));
|
|
}
|
|
|
|
try
|
|
{
|
|
try
|
|
{
|
|
//create a session key that will be used to encrypt the user's
|
|
//password for this set of accounts
|
|
varSession = m_pTargetCrypt->CreateSession(m_strSourceDomainFlat);
|
|
}
|
|
catch (_com_error& ce)
|
|
{
|
|
if (ce.Error() == HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND))
|
|
{
|
|
ThrowError(__uuidof(PasswordMigration), __uuidof(IPasswordMigration), PM_E_NO_ENCRYPTION_KEY_FOR_DOMAIN, IDS_E_NO_ENCRYPTION_KEY_FOR_DOMAIN, (LPCTSTR)m_strTargetServer, (LPCTSTR)m_strSourceDomainFlat);
|
|
}
|
|
else
|
|
{
|
|
ThrowError(ce, IDS_E_GENERATE_SESSION_KEY_FAILED);
|
|
}
|
|
}
|
|
|
|
//now create a complex password used by the "CheckConfig" call in
|
|
//a challenge response. If the returned password matches, then
|
|
//the source DC has the proper encryption key.
|
|
if (EaPasswordGenerate(c_dwMinUC, c_dwMinLC, c_dwMinDigits, c_dwMinSpecial, c_dwMaxAlpha, c_dwMinLen, testPwd, PASSWORD_BUFFER_SIZE))
|
|
{
|
|
ThrowError(__uuidof(PasswordMigration), __uuidof(IPasswordMigration), PM_E_GENERATE_SESSION_PASSWORD_FAILED, IDS_E_GENERATE_SESSION_PASSWORD_FAILED);
|
|
}
|
|
|
|
//encrypt the password with the session key
|
|
try
|
|
{
|
|
varTestPwd = m_pTargetCrypt->Encrypt(_bstr_t(testPwd));
|
|
}
|
|
catch (...)
|
|
{
|
|
ThrowError(__uuidof(PasswordMigration), __uuidof(IPasswordMigration), PM_E_GENERATE_SESSION_PASSWORD_FAILED, IDS_E_GENERATE_SESSION_PASSWORD_FAILED);
|
|
}
|
|
|
|
_se_translator_function pfnSeTranslatorOld = _set_se_translator((_se_translator_function)SeTranslator);
|
|
|
|
HRESULT hr;
|
|
|
|
try
|
|
{
|
|
//check to see if the server-side DLL is ready to process
|
|
//password migration requests
|
|
hr = PwdcCheckConfig(
|
|
hBinding,
|
|
GET_BYTE_ARRAY_SIZE(varSession),
|
|
GET_BYTE_ARRAY_DATA(varSession),
|
|
GET_BYTE_ARRAY_SIZE(varTestPwd),
|
|
GET_BYTE_ARRAY_DATA(varTestPwd),
|
|
tempPwd
|
|
);
|
|
}
|
|
catch (SSeException& e)
|
|
{
|
|
if (e.uCode == RPC_S_SERVER_UNAVAILABLE)
|
|
ThrowError(__uuidof(PasswordMigration), __uuidof(IPasswordMigration), PM_E_PASSWORD_MIGRATION_NOT_RUNNING, IDS_E_PASSWORD_MIGRATION_NOT_RUNNING);
|
|
else
|
|
_com_issue_error(HRESULT_FROM_WIN32(e.uCode));
|
|
}
|
|
|
|
_set_se_translator(pfnSeTranslatorOld);
|
|
|
|
if (SUCCEEDED(hr))
|
|
{
|
|
if (UStrICmp(tempPwd,testPwd))
|
|
ThrowError(__uuidof(PasswordMigration), __uuidof(IPasswordMigration), PM_E_ENCRYPTION_KEYS_DO_NOT_MATCH, IDS_E_ENCRYPTION_KEYS_DO_NOT_MATCH);
|
|
}
|
|
else if (hr == PM_E_PASSWORD_MIGRATION_NOT_ENABLED)
|
|
{
|
|
ThrowError(__uuidof(PasswordMigration), __uuidof(IPasswordMigration), PM_E_PASSWORD_MIGRATION_NOT_ENABLED, IDS_E_PASSWORD_MIGRATION_NOT_ENABLED);
|
|
}
|
|
else
|
|
{
|
|
_com_issue_error(hr);
|
|
}
|
|
|
|
PwdBindDestroy(&hBinding,&sBinding);
|
|
}
|
|
catch (...)
|
|
{
|
|
PwdBindDestroy(&hBinding,&sBinding);
|
|
throw;
|
|
}
|
|
}
|
|
//END CheckPasswordDC
|
|
|
|
#pragma optimize ("", on)
|
|
|
|
|
|
//---------------------------------------------------------------------------
|
|
// CopyPassword Method
|
|
//
|
|
// Copies password via password migration server component installed on a
|
|
// password export server.
|
|
//
|
|
// 2001-04-19 Mark Oluper - re-wrote original written by Paul Thompson to
|
|
// incorporate changes required for client component
|
|
//---------------------------------------------------------------------------
|
|
|
|
void CPasswordMigration::CopyPasswordImpl(LPCTSTR pszSourceAccount, LPCTSTR pszTargetAccount, LPCTSTR pszPassword)
|
|
{
|
|
if ((pszSourceAccount == NULL) || (pszSourceAccount[0] == NULL))
|
|
{
|
|
ThrowError(E_INVALIDARG, IDS_E_SOURCE_ACCOUNT_NOT_SPECIFIED);
|
|
}
|
|
|
|
if ((pszTargetAccount == NULL) || (pszTargetAccount[0] == NULL))
|
|
{
|
|
ThrowError(E_INVALIDARG, IDS_E_TARGET_ACCOUNT_NOT_SPECIFIED);
|
|
}
|
|
|
|
handle_t hBinding = 0;
|
|
_TCHAR* sBinding = 0;
|
|
|
|
try
|
|
{
|
|
// create binding to password export server
|
|
|
|
DWORD dwError = PwdBindCreate(m_strSourceServer, &hBinding, &sBinding, TRUE);
|
|
|
|
if (dwError != NO_ERROR)
|
|
{
|
|
_com_issue_error(HRESULT_FROM_WIN32(dwError));
|
|
}
|
|
|
|
// encrypt password
|
|
|
|
_variant_t vntEncryptedPassword = m_pTargetCrypt->Encrypt(pszPassword);
|
|
|
|
// copy password
|
|
|
|
HRESULT hr = PwdcCopyPassword(
|
|
hBinding,
|
|
m_strTargetServer,
|
|
pszSourceAccount,
|
|
pszTargetAccount,
|
|
GET_BYTE_ARRAY_SIZE(vntEncryptedPassword),
|
|
GET_BYTE_ARRAY_DATA(vntEncryptedPassword)
|
|
);
|
|
|
|
if (FAILED(hr))
|
|
{
|
|
_com_issue_error(hr);
|
|
}
|
|
|
|
// destroy binding
|
|
|
|
PwdBindDestroy(&hBinding, &sBinding);
|
|
}
|
|
catch (...)
|
|
{
|
|
if (hBinding)
|
|
{
|
|
PwdBindDestroy(&hBinding, &sBinding);
|
|
}
|
|
|
|
throw;
|
|
}
|
|
}
|
|
|
|
|
|
//---------------------------------------------------------------------------
|
|
// GetDomainName Function
|
|
//
|
|
// Retrieves both the domain DNS name if available and the domain flat or
|
|
// NetBIOS name for the specified server.
|
|
//
|
|
// 2001-04-19 Mark Oluper - initial
|
|
//---------------------------------------------------------------------------
|
|
|
|
void CPasswordMigration::GetDomainName(LPCTSTR pszServer, _bstr_t& strNameDNS, _bstr_t& strNameFlat)
|
|
{
|
|
PDSROLE_PRIMARY_DOMAIN_INFO_BASIC ppdib;
|
|
|
|
DWORD dwError = DsRoleGetPrimaryDomainInformation(pszServer, DsRolePrimaryDomainInfoBasic, (BYTE**)&ppdib);
|
|
|
|
if (dwError != NO_ERROR)
|
|
{
|
|
ThrowError(HRESULT_FROM_WIN32(dwError), IDS_E_CANNOT_GET_DOMAIN_NAME, pszServer);
|
|
}
|
|
|
|
strNameDNS = ppdib->DomainNameDns;
|
|
strNameFlat = ppdib->DomainNameFlat;
|
|
|
|
DsRoleFreeMemory(ppdib);
|
|
}
|
|
|
|
|
|
/*********************************************************************
|
|
* *
|
|
* Written by: Paul Thompson *
|
|
* Date: 6 APR 2001 *
|
|
* *
|
|
* This function is responsible for checking if "Everyone" has *
|
|
* been added as a member of the "Pre-Windows 2000 Compatible Access"*
|
|
* builtin group. If not then anonymous user will not be able to *
|
|
* change a password on the target domain. This function is a helper*
|
|
* function for "CheckPasswordDC". *
|
|
* *
|
|
*********************************************************************/
|
|
|
|
//BEGIN IsEveryoneInPW2KCAGroup
|
|
BOOL CPasswordMigration::IsEveryoneInPW2KCAGroup(LPCWSTR sTgtDomainDNS)
|
|
{
|
|
/* local constants */
|
|
const LPWSTR sPreWindowsCont = L"CN=Pre-Windows 2000 Compatible Access,CN=Builtin";
|
|
const LPWSTR sEveryOne = L"CN=S-1-1-0,CN=ForeignSecurityPrincipals";
|
|
|
|
/* local variables */
|
|
IADs * pAds = NULL;
|
|
IADsGroup * pGroup = NULL;
|
|
HRESULT hr;
|
|
WCHAR sPath[1000];
|
|
_variant_t varNC;
|
|
BOOL bSuccess = TRUE;
|
|
BOOL bContinue = FALSE;
|
|
_bstr_t sRDN;
|
|
|
|
/* function body */
|
|
//get the RDN of the "Pre-Windows 2000 Compatible Access" group
|
|
sRDN = GetPathToPreW2KCAGroup();
|
|
if (sRDN.length() == 0)
|
|
sRDN = sPreWindowsCont;
|
|
|
|
//get the default naming context for this target domain
|
|
wsprintf(sPath, L"LDAP://%s/rootDSE", (WCHAR*)sTgtDomainDNS);
|
|
hr = ADsGetObject(sPath, IID_IADs, (void**)&pAds);
|
|
if ( SUCCEEDED(hr) )
|
|
{
|
|
hr = pAds->Get(L"defaultNamingContext", &varNC);
|
|
if ( SUCCEEDED(hr) )
|
|
bContinue = TRUE;
|
|
pAds->Release();
|
|
}
|
|
|
|
//if we got the naming context, try to connect to the
|
|
//"Pre-Windows 2000 Compatible Access" group
|
|
if (bContinue)
|
|
{
|
|
wsprintf(sPath, L"LDAP://%s/%s,%s", (WCHAR*)sTgtDomainDNS, (WCHAR*)sRDN, (WCHAR*) V_BSTR(&varNC));
|
|
hr = ADsGetObject(sPath, IID_IADsGroup, (void**)&pGroup);
|
|
if ( SUCCEEDED(hr) )
|
|
{
|
|
VARIANT_BOOL bIsMem = VARIANT_FALSE;
|
|
//see if "Everyone" is a member
|
|
wsprintf(sPath, L"LDAP://%s/%s,%s", (WCHAR*)sTgtDomainDNS, sEveryOne, (WCHAR*) V_BSTR(&varNC));
|
|
hr = pGroup->IsMember(sPath, &bIsMem);
|
|
if (( SUCCEEDED(hr) ) && (!bIsMem))
|
|
{
|
|
bSuccess = FALSE;
|
|
}
|
|
pGroup->Release();
|
|
}
|
|
}
|
|
|
|
return bSuccess;
|
|
}
|
|
//END IsEveryoneInPW2KCAGroup
|
|
|
|
|
|
/*********************************************************************
|
|
* *
|
|
* Written by: Paul Thompson *
|
|
* Date: 12 APR 2001 *
|
|
* *
|
|
* This function is responsible for creating a path to the *
|
|
* "Pre-Windows 2000 Compatible Access" builtin group from its well- *
|
|
* known RID. This path will then be used by *
|
|
* "IsEveryoneInPW2KCAGroup" to see if "Everyone" is in that group. *
|
|
* *
|
|
*********************************************************************/
|
|
|
|
//BEGIN GetPathToPreW2KCAGroup
|
|
_bstr_t CPasswordMigration::GetPathToPreW2KCAGroup()
|
|
{
|
|
/* local constants */
|
|
const LPWSTR sPreWindowsCont = L",CN=Builtin";
|
|
|
|
/* local variables */
|
|
SID_IDENTIFIER_AUTHORITY siaNtAuthority = SECURITY_NT_AUTHORITY;
|
|
PSID psidPreW2KCAGroup;
|
|
_bstr_t sPath = L"";
|
|
WCHAR account[MAX_PATH];
|
|
WCHAR domain[MAX_PATH];
|
|
DWORD lenAccount = MAX_PATH;
|
|
DWORD lenDomain = MAX_PATH;
|
|
SID_NAME_USE snu;
|
|
|
|
/* function body */
|
|
//create the SID for the "Pre-Windows 2000 Compatible Access" group
|
|
if (!AllocateAndInitializeSid(&siaNtAuthority,
|
|
2,
|
|
SECURITY_BUILTIN_DOMAIN_RID,
|
|
DOMAIN_ALIAS_RID_PREW2KCOMPACCESS,
|
|
0, 0, 0, 0, 0, 0,
|
|
&psidPreW2KCAGroup))
|
|
return sPath;
|
|
|
|
//lookup the name attached to this SID
|
|
if (!LookupAccountSid(NULL, psidPreW2KCAGroup, account, &lenAccount, domain, &lenDomain, &snu))
|
|
return sPath;
|
|
|
|
sPath = _bstr_t(L"CN=") + _bstr_t(account) + _bstr_t(sPreWindowsCont);
|
|
FreeSid(psidPreW2KCAGroup); //free the SID
|
|
|
|
return sPath;
|
|
}
|
|
//END GetPathToPreW2KCAGroup
|
|
|
|
|
|
/*********************************************************************
|
|
* *
|
|
* Written by: Paul Thompson *
|
|
* Date: 6 APR 2001 *
|
|
* *
|
|
* This function is responsible for checking if anonymous user *
|
|
* has been granted Everyone access if the target domain is Whistler *
|
|
* or newer. This function is a helper function for *
|
|
* "CheckPasswordDC". *
|
|
* If the "Let Everyone permissions apply to anonymous users" *
|
|
* security option has been enabled, then the LSA registry value of *
|
|
* "everyoneincludesanonymous" will be set to 0x1. We will check *
|
|
* registry value. *
|
|
* *
|
|
*********************************************************************/
|
|
|
|
//BEGIN DoesAnonymousHaveEveryoneAccess
|
|
BOOL CPasswordMigration::DoesAnonymousHaveEveryoneAccess(LPCWSTR tgtServer)
|
|
{
|
|
/* local constants */
|
|
const int WINDOWS_2000_BUILD_NUMBER = 2195;
|
|
|
|
/* local variables */
|
|
TRegKey verKey, lsaKey, regComputer;
|
|
BOOL bAccess = TRUE;
|
|
DWORD rc = 0;
|
|
DWORD rval;
|
|
WCHAR sBuildNum[MAX_PATH];
|
|
|
|
/* function body */
|
|
//connect to the DC's HKLM registry key
|
|
rc = regComputer.Connect(HKEY_LOCAL_MACHINE, tgtServer);
|
|
if (rc == ERROR_SUCCESS)
|
|
{
|
|
//see if this machine is running Windows XP or newer by checking the
|
|
//build number in the registry. If not, then we don't need to check
|
|
//for the new security option
|
|
rc = verKey.OpenRead(L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",®Computer);
|
|
if (rc == ERROR_SUCCESS)
|
|
{
|
|
//get the CurrentBuildNumber string
|
|
rc = verKey.ValueGetStr(L"CurrentBuildNumber", sBuildNum, MAX_PATH);
|
|
if (rc == ERROR_SUCCESS)
|
|
{
|
|
int nBuild = _wtoi(sBuildNum);
|
|
if (nBuild <= WINDOWS_2000_BUILD_NUMBER)
|
|
return bAccess;
|
|
}
|
|
}
|
|
|
|
//if Windows XP or greater, check for the option being enabled
|
|
//open the LSA key
|
|
rc = lsaKey.OpenRead(L"System\\CurrentControlSet\\Control\\Lsa",®Computer);
|
|
if (rc == ERROR_SUCCESS)
|
|
{
|
|
//get the value of the "everyoneincludesanonymous" value
|
|
rc = lsaKey.ValueGetDWORD(L"everyoneincludesanonymous",&rval);
|
|
if (rc == ERROR_SUCCESS)
|
|
{
|
|
if (rval == 0)
|
|
bAccess = FALSE;
|
|
}
|
|
else
|
|
bAccess = FALSE;
|
|
}
|
|
}
|
|
return bAccess;
|
|
}
|
|
//END DoesAnonymousHaveEveryoneAccess
|