
Automating DCOM settings


John
Jun 24, 2004, 7:49:12 PM
I would like to automate the changes that are required for our DCOM
server using the access-control API. The code will execute during the
program's installation.

If the user is using peer-to-peer workgroup networking, it is required
to make settings to the machine DCOM defaults.

DCOM Settings:
Default Authentication Level: None
COM Security Default Access Permissions:
Access permitted to \Everyone
Access permitted to NT AUTHORITY\INTERACTIVE
Access permitted to NT AUTHORITY\NETWORK
Access permitted to NT AUTHORITY\SYSTEM
COM Security Default Launch Permissions:
Launch permitted to \Everyone
Launch permitted to NT AUTHORITY\INTERACTIVE
Access permitted to NT AUTHORITY\NETWORK
Launch permitted to NT AUTHORITY\SYSTEM


Below I post some code that I thought would be enough to set these
machine defaults. Unfortunately, although things look good in dcomcnfg
after running this code, it seems to have permanently corrupted DCOM and
Windows to the point that the only recovery is to reinstall Windows. Can
anyone see what is missing?

My concerns are:
1) Is it ok to allocate the absolute SD with
SECURITY_DESCRIPTOR* psdAbsolute =
(SECURITY_DESCRIPTOR*)malloc(sizeof(SECURITY_DESCRIPTOR));
before calling InitializeSecurityDescriptor?

2) Do I need to give the SD more properties, for instance an owner? If
it needs an owner, who/what should it be?

Thanks


#include <windows.h>
#include <aclapi.h>
#include <tchar.h>

ASCINST_API void WINAPI
DoDCOMConfigServerWG(LPCTSTR serverName)
{
    BOOL test = FALSE; //debug
    /*
    Registry entries

    Machine Default AuthenticationLevel=None
    Machine Default LaunchPermission={self-relative security descriptor}
    Machine Default AccessPermission={self-relative security descriptor}
    */

    // generate the entries for the ACL to be used for Access and Launch permissions
    EXPLICIT_ACCESS ea[4];
    for( int i=0; i<4; i++ )
    {
        ZeroMemory(&ea[i], sizeof(EXPLICIT_ACCESS));
        ea[i].grfAccessPermissions = 1; //COM_RIGHTS_EXECUTE;
        ea[i].grfAccessMode = GRANT_ACCESS;
        ea[i].grfInheritance= SUB_CONTAINERS_AND_OBJECTS_INHERIT;

        ea[i].Trustee.pMultipleTrustee = NULL;
        ea[i].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;

        // TRUSTEE_IS_NAME: SetEntriesInAcl looks the account name up itself
        ea[i].Trustee.TrusteeForm = TRUSTEE_IS_NAME;
        ea[i].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
        switch (i)
        {
        case 0:
            ea[i].Trustee.ptstrName = (LPTSTR)_T("EVERYONE");
            break;
        case 1:
            ea[i].Trustee.ptstrName = (LPTSTR)_T("SYSTEM");
            break;
        case 2:
            ea[i].Trustee.ptstrName = (LPTSTR)_T("NETWORK");
            break;
        case 3:
            ea[i].Trustee.ptstrName = (LPTSTR)_T("INTERACTIVE");
            break;
        }
    }

    // we need to create a self-relative security descriptor that will be stored in the registry.
    // if all goes well setting up the security descriptor, continue with the DCOM configuration
    ACL* pACL = NULL;
    SECURITY_DESCRIPTOR* psdAbsolute =
        (SECURITY_DESCRIPTOR*)malloc(sizeof(SECURITY_DESCRIPTOR));
    SECURITY_DESCRIPTOR* psdSelfRelative = NULL;

    HKEY key = 0;
    DWORD AuthLevel = 0;

    if (psdAbsolute && SetEntriesInAcl(4, &ea[0], NULL, &pACL) == ERROR_SUCCESS)
    {
        test = IsValidAcl(pACL); //debug
        if( ::InitializeSecurityDescriptor(psdAbsolute, SECURITY_DESCRIPTOR_REVISION) )
        {
            test = IsValidSecurityDescriptor(psdAbsolute); //debug
            if( ::SetSecurityDescriptorDacl(psdAbsolute, TRUE, pACL, FALSE) )
            {
                test = IsValidSecurityDescriptor(psdAbsolute); //debug
                // the first call with a NULL buffer fails with ERROR_INSUFFICIENT_BUFFER
                // and returns the required size in sdSize
                DWORD sdSize = 0;
                ::MakeSelfRelativeSD(psdAbsolute, psdSelfRelative, &sdSize);
                psdSelfRelative = (SECURITY_DESCRIPTOR*) malloc(sdSize);
                if( psdSelfRelative &&
                    ::MakeSelfRelativeSD(psdAbsolute, psdSelfRelative, &sdSize) )
                {
                    test = IsValidSecurityDescriptor(psdSelfRelative); //debug
                    // we have now successfully created a self-relative security
                    // descriptor which contains our ACL

                    if( ::RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                                       _T("Software\\Microsoft\\Ole"), 0,
                                       KEY_ALL_ACCESS, &key) == ERROR_SUCCESS )
                    {
                        // set the machine default LaunchPermission
                        ::RegSetValueEx(key, _T("DefaultLaunchPermission"), 0,
                                        REG_BINARY,
                                        reinterpret_cast<const BYTE*>(psdSelfRelative),
                                        GetSecurityDescriptorLength(psdSelfRelative));

                        // set the machine default AccessPermission
                        ::RegSetValueEx(key, _T("DefaultAccessPermission"), 0,
                                        REG_BINARY,
                                        reinterpret_cast<const BYTE*>(psdSelfRelative),
                                        GetSecurityDescriptorLength(psdSelfRelative));

                        // set the machine default AuthenticationLevel
                        // (assign to the outer AuthLevel rather than shadowing it)
                        AuthLevel = 1; // None (RPC_C_AUTHN_LEVEL_NONE)

                        ::RegSetValueEx(key, _T("LegacyAuthenticationLevel"), 0,
                                        REG_DWORD,
                                        reinterpret_cast<const BYTE*>(&AuthLevel),
                                        sizeof(DWORD));

                        // close the key
                        ::RegCloseKey(key);
                    }
                }
            }
        }
    }

    // cleanup
    if( pACL )
        LocalFree((HLOCAL) pACL);
    if( psdAbsolute )
        free(psdAbsolute);
    if( psdSelfRelative )
        free(psdSelfRelative);
}
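Editor's added example, not the poster's code: a Python audit of the self-relative SECURITY_DESCRIPTOR blob that the RegSetValueEx calls above store in DefaultAccessPermission and DefaultLaunchPermission, parsing the control flags, owner, group and every DACL ACE, plus a builder that mirrors the MakeSelfRelativeSD layout so the check runs offline on a constructed blob. It flags a descriptor that carries a DACL but no owner and no group, which is what the posted code produces (the DCOMPerm sample recommended in the reply sets both); whether that alone explains the corruption is not settled in this thread. The SIDs, field offsets and the sample blob are constructed here; on a real machine the blob would be read from HKLM\Software\Microsoft\Ole with winreg.

```python
import struct
COM_RIGHTS_EXECUTE, SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x1, 0x0004, 0x8000  # winnt.h values

def sid_bytes(s):                              # "S-1-5-18" -> binary SID
    p = [int(x) for x in s.split("-")[1:]]     # [revision, authority, sub-authorities...]
    return (struct.pack("<BB", p[0], len(p) - 2) + p[1].to_bytes(6, "big")
            + b"".join(struct.pack("<I", x) for x in p[2:]))

def sid_str(buf, off):                         # binary SID at offset -> "S-1-5-18"
    rev, n = struct.unpack_from("<BB", buf, off)
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % n, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % x for x in subs)

def build_self_relative_sd(sids, mask=COM_RIGHTS_EXECUTE, owner=None, group=None):
    # Same layout MakeSelfRelativeSD produces: 20-byte header, owner/group SIDs, then the DACL
    aces = b""
    for s in sids:                             # one ACCESS_ALLOWED_ACE (type 0) per trustee
        sb = sid_bytes(s)
        aces += struct.pack("<BBHI", 0, 0, 8 + len(sb), mask) + sb
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(sids), 0) + aces  # ACL_REVISION = 2
    body, offs = b"", {}
    for name, sid in (("owner", owner), ("group", group)):
        if sid:
            offs[name] = 20 + len(body)
            body += sid_bytes(sid)
    hdr = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                      offs.get("owner", 0), offs.get("group", 0), 0, 20 + len(body))
    return hdr + body + acl

def audit_sd(blob):
    # Parse header, owner, group and each DACL ACE; collect findings a reviewer would flag
    _, _, ctrl, own, grp, _, dacl = struct.unpack_from("<BBHIIII", blob, 0)
    r = {"owner": sid_str(blob, own) if own else None,
         "group": sid_str(blob, grp) if grp else None, "aces": [], "issues": []}
    for bad, msg in ((not ctrl & SE_SELF_RELATIVE, "not self-relative"),
                     (not (ctrl & SE_DACL_PRESENT) or not dacl, "no DACL: everyone gets full access"),
                     (not own, "no owner"), (not grp, "no group")):
        if bad:
            r["issues"].append(msg)
    if dacl:                                   # walk AceCount ACEs starting after the 8-byte ACL header
        n, off = struct.unpack_from("<H", blob, dacl + 4)[0], dacl + 8
        for _ in range(n):
            atype, _, asize, amask = struct.unpack_from("<BBHI", blob, off)
            r["aces"].append((atype, amask, sid_str(blob, off + 8)))
            off += asize
    return r

# Constructed sample: the four trustees the post grants, as their well-known SIDs
SAMPLE_SIDS = ["S-1-1-0", "S-1-5-18", "S-1-5-2", "S-1-5-4"]  # Everyone, SYSTEM, NETWORK, INTERACTIVE
```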

John Phillips
Jun 25, 2004, 8:59:10 AM
Google for DCOMPerm. Some versions are reported to be a tad on the buggy
side, but I've used it in the past, and it works well enough.

--
John Phillips
MVP - Windows SDK
