Automating DCOM settings

From: John (no_at_spam.com)
Date: 06/24/04

    Date: Thu, 24 Jun 2004 16:49:12 -0700


    I would like to automate the changes that are required for our DCOM
    server using the access-control API. The code will execute during the
    program's installation.

    If the user is using peer-to-peer workgroup networking, it is required
    to make settings to the machine DCOM defaults.

    DCOM Settings:
         Default Authentication Level: None
         COM Security Default Access Permissions:
             Access permitted to \Everyone
             Access permitted to NT AUTHORITY\INTERACTIVE
             Access permitted to NT AUTHORITY\NETWORK
             Access permitted to NT AUTHORITY\SYSTEM
         COM Security Default Launch Permissions:
             Launch permitted to \Everyone
             Launch permitted to NT AUTHORITY\INTERACTIVE
             Access permitted to NT AUTHORITY\NETWORK
             Launch permitted to NT AUTHORITY\SYSTEM

    Below I post some code that I thought would be enough to set these
    machine defaults. Unfortunately, although things look good in dcomcnfg
    after running this code, it seems to have permanently corrupted DCOM and
    Windows to the point that the only recovery is to reinstall Windows. Can
    anyone see what is missing?

    My concerns are:
    1) Is it ok to allocate the absolute SD with
    SECURITY_DESCRIPTOR* psdAbsolute =
    (SECURITY_DESCRIPTOR*)malloc(sizeof(SECURITY_DESCRIPTOR));
    before calling InitializeSecurityDescriptor?

    2) Do I need to give the SD more properties, for instance an owner? If
    it needs an owner, who/what should it be?

    Thanks

    ASCINST_API void WINAPI
    DoDCOMConfigServerWG(LPCTSTR serverName)
    {
       BOOL test = FALSE; //debug
       /*
         Registry entries

         Machine Default AuthenticationLevel=None
         Machine Default LaunchPermission={self-relative security descriptor}
         Machine Default AccessPermission={self-relative security descriptor}
       */

       // generate the entries for the ACL to be used for Access and Launch permissions
       EXPLICIT_ACCESS ea[4];
       for( int i=0; i<4; i++ )
       {
         ZeroMemory(&ea[i], sizeof(EXPLICIT_ACCESS));
         ea[i].grfAccessPermissions = 1; //COM_RIGHTS_EXECUTE;
         ea[i].grfAccessMode = GRANT_ACCESS;
         ea[i].grfInheritance= SUB_CONTAINERS_AND_OBJECTS_INHERIT;

         ea[i].Trustee.pMultipleTrustee = NULL;
         ea[i].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;

         // trustees are given by account name; SetEntriesInAcl resolves them to SIDs
         switch (i)
         {
         case 0:
           ea[i].Trustee.TrusteeForm = TRUSTEE_IS_NAME;
           ea[i].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
           ea[i].Trustee.ptstrName = _T("EVERYONE");
           break;
         case 1:
           ea[i].Trustee.TrusteeForm = TRUSTEE_IS_NAME;
           ea[i].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
           ea[i].Trustee.ptstrName = _T("SYSTEM");
           break;
         case 2:
           ea[i].Trustee.TrusteeForm = TRUSTEE_IS_NAME;
           ea[i].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
           ea[i].Trustee.ptstrName = _T("NETWORK");
           break;
         case 3:
           ea[i].Trustee.TrusteeForm = TRUSTEE_IS_NAME;
           ea[i].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
           ea[i].Trustee.ptstrName = _T("INTERACTIVE");
           break;
         }
       }

       // we need to create a self-relative security descriptor that will be stored in the registry.
       // if all goes well setting up the security descriptor, continue with the DCOM configuration
       ACL* pACL = NULL;
       SECURITY_DESCRIPTOR* psdAbsolute = (SECURITY_DESCRIPTOR*)malloc(sizeof(SECURITY_DESCRIPTOR));
       SECURITY_DESCRIPTOR* psdSelfRelative = NULL;

       HKEY key = 0;
       DWORD AuthLevel = 0;

       if (SetEntriesInAcl(4, &ea[0], NULL, &pACL) == ERROR_SUCCESS)
       {
         test = IsValidAcl(pACL); //debug
         if( ::InitializeSecurityDescriptor(psdAbsolute, SECURITY_DESCRIPTOR_REVISION) )
         {
           test = IsValidSecurityDescriptor(psdAbsolute); //debug
           // attach the DACL; note that no owner or group is set on this descriptor
           if( ::SetSecurityDescriptorDacl(psdAbsolute, TRUE, pACL, FALSE) )
           {
             test = IsValidSecurityDescriptor(psdAbsolute); //debug
             // the first call, with a NULL buffer, only reports the required size in sdSize
             DWORD sdSize = 0;
             ::MakeSelfRelativeSD(psdAbsolute, psdSelfRelative, &sdSize);
             psdSelfRelative = (SECURITY_DESCRIPTOR*) malloc(sdSize);
             if( psdSelfRelative && ::MakeSelfRelativeSD(psdAbsolute, psdSelfRelative, &sdSize) )
             {
               test = IsValidSecurityDescriptor(psdSelfRelative); //debug
               // we have now successfully created a self-relative security descriptor which contains our ACL

               if( ::RegOpenKeyEx(HKEY_LOCAL_MACHINE, _T("Software\\Microsoft\\Ole"), 0,
                                  KEY_ALL_ACCESS, &key) == ERROR_SUCCESS )
               {
                 // set the machine default LaunchPermission
                 ::RegSetValueEx(key, _T("DefaultLaunchPermission"), 0, REG_BINARY,
                                 reinterpret_cast<const BYTE*>(psdSelfRelative),
                                 GetSecurityDescriptorLength(psdSelfRelative));

                 // set the machine default AccessPermission (same descriptor as for launch)
                 ::RegSetValueEx(key, _T("DefaultAccessPermission"), 0, REG_BINARY,
                                 reinterpret_cast<const BYTE*>(psdSelfRelative),
                                 GetSecurityDescriptorLength(psdSelfRelative));

                 // set the machine default AuthenticationLevel
                 AuthLevel = 1; // None (RPC_C_AUTHN_LEVEL_NONE)

                 ::RegSetValueEx(key, _T("LegacyAuthenticationLevel"), 0, REG_DWORD,
                                 reinterpret_cast<const BYTE*>(&AuthLevel),
                                 sizeof(DWORD));

                 // close the key
                 ::RegCloseKey(key);
               }
             }
           }
         }
       }

       // cleanup: SetEntriesInAcl allocates the ACL with LocalAlloc, the descriptors came from malloc
       if( pACL )
         LocalFree((HLOCAL) pACL);
       if( psdAbsolute )
         free(psdAbsolute);
       if( psdSelfRelative )
         free(psdSelfRelative);
    }
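The blobs the post builds with MakeSelfRelativeSD and writes to the Ole key are self-relative security descriptors. As an added example (not code from the original post; the sample descriptor is constructed to mirror the post's ACL), the following Python decodes that binary format and runs an audit pass over it, reporting the two things a reviewer would check before such a descriptor lands in the machine DCOM defaults: whether owner and group are present (the post's second question) and whether any ACE grants Everyone COM_RIGHTS_EXECUTE or carries inheritance flags.

```python
"""Decode/audit a self-relative SECURITY_DESCRIPTOR blob like the post writes to
HKLM\\Software\\Microsoft\\Ole. Added example; not code from the original post."""
import struct
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
COM_RIGHTS_EXECUTE, INHERIT_FLAGS = 0x1, 0x3   # 0x3 = OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
EVERYONE, SYSTEM, NETWORK, INTERACTIVE = "S-1-1-0", "S-1-5-18", "S-1-5-2", "S-1-5-4"
def sid_to_bytes(sid):                         # "S-1-5-18" -> binary SID
    rev, auth, *subs = (int(p) for p in sid.split("-")[1:])
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def sid_from_bytes(buf, off):                  # binary SID at buf[off:] -> "S-1-5-18"
    rev, count = buf[off], buf[off + 1]
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, int.from_bytes(buf[off + 2:off + 8], "big"), "".join("-%d" % s for s in subs))

def build_sd(aces, owner=None, group=None):
    """Header (20 bytes), optional owner/group SIDs, then a DACL of ACCESS_ALLOWED_ACEs (sid, flags, mask)."""
    own, grp = (sid_to_bytes(s) if s else b"" for s in (owner, group))
    ace_bytes = b"".join(struct.pack("<BBHI", 0, f, 8 + len(sid_to_bytes(s)), m) + sid_to_bytes(s)
                         for s, f, m in aces)
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(ace_bytes), len(aces), 0) + ace_bytes   # ACL_REVISION = 2
    hdr = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                      20 if own else 0, 20 + len(own) if grp else 0, 0, 20 + len(own) + len(grp))
    return hdr + own + grp + dacl

def parse_sd(buf):                             # inverse of build_sd
    _, _, control, o_owner, o_group, _, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    sd = {"owner": sid_from_bytes(buf, o_owner) if o_owner else None,
          "group": sid_from_bytes(buf, o_group) if o_group else None, "dacl": []}
    if control & SE_DACL_PRESENT and o_dacl:
        ace_count, off = struct.unpack_from("<H", buf, o_dacl + 4)[0], o_dacl + 8
        for _ in range(ace_count):
            ace_type, flags, size, mask = struct.unpack_from("<BBHI", buf, off)
            sd["dacl"].append((ace_type, flags, mask, sid_from_bytes(buf, off + 8)))
            off += size
    return sd

def audit(buf):
    """Findings to review before writing an SD into the machine DCOM defaults."""
    sd, findings = parse_sd(buf), []
    if sd["owner"] is None or sd["group"] is None:
        findings.append("SD has no owner/group set")
    for ace_type, flags, mask, sid in sd["dacl"]:
        if ace_type == 0 and sid == EVERYONE and mask & COM_RIGHTS_EXECUTE:
            findings.append("Everyone granted COM_RIGHTS_EXECUTE")
        if flags & INHERIT_FLAGS:
            findings.append("ACE for %s carries inheritance flags" % sid)
    return findings

# Constructed sample mirroring the post: four inheritable ACEs, no owner or group.
POST_SD = build_sd([(s, INHERIT_FLAGS, COM_RIGHTS_EXECUTE) for s in (EVERYONE, SYSTEM, NETWORK, INTERACTIVE)])
```

On a Windows host the same bytes can be read from the DefaultAccessPermission and DefaultLaunchPermission REG_BINARY values and passed to audit() to review what an installer has written.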

