Introduction
This class library allows access to the Win32 security calls in a .NET-friendly way. It encapsulates the concepts of a user, a securable object (like a file, named pipe, directory, etc.), and permissions. This library was written in Managed C++ to reduce the amount of work needed to link to existing Win32 libraries. However, since it exposes all of its functionality via .NET, it can be used from any .NET-compliant language, including C# and Visual Basic. The project was written and compiled with Visual Studio 2002.
NOTE: There is a library written by some Microsoft guys on GotDotNet that does much of the same thing and more. It can be found at http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=e6098575-dda0-48b8-9abf-e0705af065d9.
This article outlines the primary objects in the library and their use in manipulating security objects.
Documentation
WindowsUser class
This class represents a single Windows identity (SID). It can be created by
specifying either a username ("DOMAIN\user" format) or the string representation
of a SID ("S-1-5-xxxx-xxx..."). You can also get the identity of the current
user using the static property CurrentUser.
There are a number of predefined identities that exist as static members of a
child class called WellKnownIdentities. Once you have an identity,
you can get the following properties:
AccountName: string name of the account
Domain: string name of the account's domain
FullName: string in the form of "Domain\AccountName"
SidString: string representation of the SID
SecuredObject class
This class represents an object which can have a security descriptor. It can
be created by specifying the name of the resource along with its type or by
passing a handle (as an IntPtr) to the resource.
Once you have the object, you can update the permissions, audit information,
owner and group.
PermissionsList
This class encapsulates actions on the ACL. It allows granting, revoking,
changing, and denying access levels to different users. Derived from
AccessList, which is a collection class for AccessEntry.
AuditingList
This class encapsulates actions on the auditing list of an object. It allows
getting and setting audit success and failure rights. Derived from
AccessList, which is a collection class for AccessEntry.
AccessEntry
This class encapsulates the Access Control Entry or ACE. You can set the
user (trustee) and the associated rights and inheritance.
Example
This code shows the library in action. It assumes you have aliased the Microsoft.Win32.Security namespace (using in C#, Imports in VB).
// Current user, obtained from the static property and from the access token
WindowsUser user = WindowsUser.CurrentUser;
Console.WriteLine("{0} ({1})", user.FullName, user.SidString);
WindowsUser duser = new WindowsUser(
    System.Security.Principal.WindowsIdentity.GetCurrent().Token);
Console.WriteLine(duser.FullName);
if (user == duser)
    Console.WriteLine("Same");
else
    Console.WriteLine("Different");
// Well-known identity, account looked up on a named system,
// "DOMAIN\user" name, and SID string
user = WindowsUser.WellKnownIdentities.World;
Console.WriteLine(user.FullName);
WindowsUser kuser = new WindowsUser("user2", @"\\MYPDC");
Console.WriteLine(kuser.FullName);
user = new WindowsUser("DOMAIN\\user3");
Console.WriteLine(user.FullName);
user = new WindowsUser("S-1-5-21-21782756-1035017279-1439700725-1111");
Console.WriteLine(user.FullName);
// Open the security descriptor of a directory and show it
SecuredObject sec = new SecuredObject("C:\\", SecuredObjectType.FileObject);
DumpObject(sec);
// Set some various permissions on the directory
sec.Permissions.SetAccess(kuser, AccessRights.FileRead,
    AceInheritanceFlags.ContainerInherit|AceInheritanceFlags.ObjectInherit);
sec.Permissions.GrantAccess(kuser, AccessRights.FileExecute,
    AceInheritanceFlags.ContainerInherit|AceInheritanceFlags.ObjectInherit);
sec.Permissions.DenyAccess(kuser, AccessRights.FileWriteUnsync,
    AceInheritanceFlags.ContainerInherit|AceInheritanceFlags.ObjectInherit);
// Change the owner (keeping the old one so it can be restored)
// and add a failure audit entry
WindowsUser owner = sec.Owner;
sec.Owner = duser;
sec.Auditing.SetAuditFailure(duser, AccessRights.FileReadUnsync,
    AceInheritanceFlags.ContainerInherit|AceInheritanceFlags.ObjectInherit);
DumpObject(sec);
// Revoke some access and restore the original owner
sec.Permissions.RevokeAccess(kuser);
sec.Owner = owner;
DumpObject(sec);
// Reset the security on the directory
sec.Permissions.Clear();
sec.Permissions.InheritFromParent = true;
DumpObject(sec);
// Write the DACL using the Microsoft style
Console.WriteLine(sec.ToString());
The following function shows how to enumerate the permissions on a security
object.
static void DumpObject(SecuredObject sec)
{
    Console.WriteLine("Security description:");
    Console.WriteLine("=====================");
    Console.WriteLine("Owner: {0}\nGroup: {1}",
        sec.Owner.FullName, sec.Group.FullName);
    Console.WriteLine("Permissions:");
    foreach (AccessEntry ace in sec.Permissions)
        Console.WriteLine(String.Format(" {0} : {1} : {2}",
            ace.Trustee.FullName,
            ace.Inheritance, ace.Rights));
    Console.WriteLine("Auditing:");
    foreach (AccessEntry ace in sec.Auditing)
        Console.WriteLine(String.Format(" {0} : {1} : {2}",
            ace.Trustee.FullName,
            ace.Inheritance, ace.Rights));
}
Msgs 1 to 25 of 99 (Total in Forum: 99)
Hi folks I am a sporadic Dot Net developer and haven't worked for about half a year with VS2005.
So forgive me my question: To use the mmsseclib.dll do I have to use regasm? Anything else to do before I can use mmsseclib (using mmsseclib)?
BTW: I want to use mmsseclib to give a web server on the fly the rights for a certain directory so that it can create a text file in it, when needed.
Any experiences how to do that/an example?
Best JL
| Sign In·View Thread·PermaLink | |
My feeling is that this section of codeproject is dead. As since March 2006 no answers are visible.
Maybe the author passed away.
R.I.P.
| Sign In·View Thread·PermaLink | |
There are still some console freaks like me (system administrators) out there that have used MS tools like (X)Cacls to automate several tasks. But due to several problems with (X)Cacls I had to resort to manual labour. But here it is!! A great library of David Hall! Have created a shell around it to make it more coworker friendly:->. You can find it on LiQuick.net. When all bugs are out, I'll try to write an add-on article to this page. Code of the console can be requested for by e-Mail.
| Sign In·View Thread·PermaLink | |
Hi there,
I'm trying to compile the TestSec.cs using C# compiler, but no matter what I do, I always get the same error:
The type or namespace name 'mmsseclib' could not be found (are you missing a using directive or an assembly reference?)
But the reference was there. I had copied the mmsseclib.dll to the same folder as TestSec.cs, opened the command prompt, gone to the path of the TestSec.cs and mmsseclib.dll and typed:
csc /target:exe /r:mmsseclib.dll TestSec.cs
How I can reference the dll to compile the program?
Eduardo tw latin america
| Sign In·View Thread·PermaLink | |
David, can I use your nice and straightforward dll in the commercial product? What I shall do for that? Dmitry.
| Sign In·View Thread·PermaLink | 2.00/5 (1 vote) |
Hi, I have an asp application that needs to launch PowerPoint. At installation, I would like to give the "ASPNET" account the ability to launch and execute PowerPoint. I tried with the following code below but it just allows this account to "read" the registry key.
Do you have any idea or where to modify to allow "Execution" from "ASPNET" account? Thanks. Karim
WindowsUser kuser = new WindowsUser("ASPNET");
Console.WriteLine(kuser.FullName);
SecuredObject sec = null;
string skey = @"Software\Classes\AppID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}";
IntPtr hKey;
int rc = Win32.RegOpenKey(Win32.HKEY_LOCAL_MACHINE, skey, out hKey);
if (rc == 0)
{
    sec = new SecuredObject(hKey, SecuredObjectType.RegistryKey);
    DumpObject(sec);
    sec.Permissions.SetAccess(kuser, AccessRights.GenericExecute,
        AceInheritanceFlags.ContainerInherit|AceInheritanceFlags.ObjectInherit);
    // below is some tests
    //sec.Permissions.SetAccess(kuser, AccessRights.KeyAllAccess, AceInheritanceFlags.ContainerInherit|AceInheritanceFlags.ObjectInherit);
    //sec.Permissions.SetAccess(kuser, AccessRights.FileFullControl, AceInheritanceFlags.ContainerInherit|AceInheritanceFlags.ObjectInherit);
    DumpObject(sec);
    Win32.RegCloseKey(hKey);
}
| Sign In·View Thread·PermaLink | |
Hi there, I kept getting the following exception while attempting to load an existing user.
System.ComponentModel.Win32Exception: No mapping between account names and security IDs was done
   at Microsoft.Win32.Security.WindowsUser.Load(String accountName, String system)
   at Microsoft.Win32.Security.WindowsUser..ctor(String accountName)
   at RegStudent.RegisterStudent.CreateUserAccount(String username, String password, String subjectCode, String firstName, String surname, String studentDir, String virtualDir, String adminUser, String adminPass)
can anyone tell me why this is so? or what can cause this exception to occur. Many thanks
Regards
| Sign In·View Thread·PermaLink | 1.50/5 (2 votes) |
I had the exact same problem, it can be different things, but what you want to do first is to make sure the username and password matches up.
"if run from command line" try to not enter username and password when you run the command line, then you will get a form, asking you for username and password, if you can enter username and password here, and the service installs correct, then you know that the username and password matches up. If not, then you need to figure out how to write it, it could be like this
.\administrator 'localmachine
MyDomain\administrator 'network
"Useful solution" I tried to print out the username and password after I put them on my ServiceProcessInstaller.
System.Diagnostics.EventLog.WriteEntry("ServiceTest", "User:""" & Me.processInstaller.Username & """ Password:""" & Me.processInstaller.Password & """", EventLogEntryType.Warning)
If the username and password aren't set properly here, you will get the Win32Exception.
My problem, was I had switched the username and password
MrBonus
| Sign In·View Thread·PermaLink | 5.00/5 (1 vote) |
First off, I have to say this is awesome code. I've been searching for something to set ntfs without having to shell out for a while now and this does everything I need and more. Couldn't have been simpler. I am however having an issue using the dll in 2005. When the object is used in code I get the following error:
'mmsseclib.dll' is attempting managed execution inside OS Loader lock. Do not attempt to run managed code inside a DllMain or image initialization function since doing so can cause the application to hang.
This issue is only with 2005 and it works fine in 2003. I tried doing a simple conversion of the source to 2005 to see if that cleared the error, but the 2005 compiler threw another error compiling the dll:
Error 1 error C2872: 'FILETIME' : ambiguous symbol C:\Program Files\Microsoft Visual Studio 8\VC\PlatformSDK\include\lmaccess.h 1390
Has anyone tried this component in .Net 2.0? Any help would be greatly appreciated...
Thanks, Landon.
| Sign In·View Thread·PermaLink | 5.00/5 (1 vote) |
I had the same problem when trying to compile.
Switch "FILETIME" to "System::Runtime::InteropServices::FILETIME" and it should compile for you in VS 2005.
| Sign In·View Thread·PermaLink | 2.00/5 (1 vote) |
following this link http://www.be-st.it/Blog/tabid/79/EntryID/2/Default.aspx
try to set this [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework] MDA = 0
Good luck ))
oli
| Sign In·View Thread·PermaLink | |
I installed this dll on to our Project and it works for me on XP and 2000. Afterwards there was a requirement for us to install our Project on Win NT 4.0 Sp6 application. It is crashing at this mmsseclib.dll saying advapi32.dll(system32) is giving problem.
Unless I build this dll on NT machine, I will not be able to fix my problem. Since Visual Studio.NET cannot be installed on Windows NT SP6.0, can you suggest some way around for me to build this application on Visual Studio 6.0 VC++ 6.0, so that I can add this dll on NT.
Thanks in advance,
KK
| Sign In·View Thread·PermaLink | |
I'm not sure it will compile without a bunch of work. It may be easier to look through the code and find any functions referenced from advapi32 that do not work under NT4 and then change that code.
- David
| Sign In·View Thread·PermaLink | |
David,
Thanks for the Reply.
Can you suggest me any dll/code which works similar to your mmsseclib.dll written in Visual C++ 6.0? I need similar functionality for me, but I need it in Visual C++ 6.0 so that I can build on NT and use on my project.
Thanks in Advance.
KK
| Sign In·View Thread·PermaLink | |
The ATL library has much of this functionality, but I'm not sure if it was added in the 6.0 product. That is the only other source I am aware of.
| Sign In·View Thread·PermaLink | |
Somebody help me correct this error. I get "Object reference not to instance of an object" and sometimes "System.OutOfMemoryException" error at the same statement.
Following is the code snippet for your reference:
private void grantRights(string grantType)
{
    try
    {
        //Store the path of the Selected Directory
        //Get the path from the type property of the treeview control
        String dirPath = @"C:\InetPub\WWWRoot\AD";
        //Initialise AccessRight to 0 (none)
        AccessRights rights=0;
        //Get the access rights chosen by the user
        //Full Control
        if(grantType=="Full Control")
            rights = AccessRights.FileFullControl;
        //Write
        if(grantType=="Write")
            rights = AccessRights.FileWrite;
        //Read Only
        if(grantType=="Read Only")
            rights = AccessRights.FileRead;
        //Create WindowUser instance to provide the Access Rights
        WindowsUser user = new WindowsUser ("amol","active");
        //Create SecuredObject instance to denote the selected Directory
        SecuredObject sec = new SecuredObject(dirPath, SecuredObjectType.FileObject); //I SOMETIMES get above mentioned error here
        //Set the rights or permissions
        sec.Permissions.SetAccess(user, rights, AceInheritanceFlags.ContainerInherit|AceInheritanceFlags.ObjectInherit);
        //Show success message
        HandleSuccess(grantType + " Permission was given for the selected users.");
    }
    catch(Exception ex)
    {
        //Show error
        HandleException(ex.Message);
    }
}
The above mentioned error does not occur every time I run the code. It occurs sometimes. At other times the code works fine. I don't understand why this happens.
I am working on Active Directories. I have to provide access rights for particular users for the directories in IIS 6.0 Web Server.
I am using ASP .Net and C#, Visual Studio .Net 2003, Microsoft .Net Framework 1.1.
Please provide a solution for this as early as possible. Your help will be highly appreciated.
-Vikram Saraf
| Sign In·View Thread·PermaLink | |
Hi,
I have not been able to figure out how to create a SecuredObject for a named pipe. I tried:
SecuredObject sec = new SecuredObject("\\\\.\\pipe\\namedpipename",SecuredObjectType.FileObject);
but I get a "The parameter is incorrect" exception.
Any suggestions?
| Sign In·View Thread·PermaLink | |
David,
Thanks for posting this code, it's very useful.
I have taken over a long-running project that uses your code. Unfortunately, the original developer on this project is no longer available to answer questions. I have noticed that "our" version of the source code differs slightly from yours, and I'm wondering which is right.
In "ours", AceInheritanceFlags is of type Int16 and contains SUB_CONTAINERS_AND_OBJECTS_INHERIT. In the version currently on Code Project, AceInheritanceFlags is of type Byte, and does not contain SUB_CONTAINERS_AND_OBJECTS_INHERIT.
I'm not sure whether our version is out of date, or if the differences are bug fixes made by my predecessor. Given my description above, are you able to tell me which is correct?
Many thanks,
John
| Sign In·View Thread·PermaLink | |
I checked and that enum is still a byte and I do not have that item. It must be from your predecessor. I'm guessing that he changed to a short since that will show up in VB.NET without manipulation and that flag is a combination of some others to make it easier to code.
| Sign In·View Thread·PermaLink | |
Below is my code (written in vb.net)
'*******************************************************************************************
'Call the setPermission procedure
setPermission("C:\Inetpub\www\MyWebsite", "JOP\ASPNET")
'And the actual method
Sub setPermission(ByRef vPath As String, ByVal UserName As String)
    Dim user As WindowsUser = New WindowsUser(UserName)
    Dim sec As SecuredObject = New SecuredObject(vPath, SecuredObjectType.FileObject)
    sec.Permissions.GrantAccess(user, AccessRights.FileExecute, AceInheritanceFlags.ContainerInherit)
End Sub
'*******************************************************************************************
The code works perfectly fine, but when I check Security properties on the folder, I find that ASP.Net account has "Special Permissions" instead of normal Read, Write and Execute permissions. I am not sure if anyway I can add Regular Read, Write and Execute permissions using the above code, as users get access denied error message when they try to upload files to the folder.
| Sign In·View Thread·PermaLink | |
Windows 2000 and Windows XP/2003 store standard and recognize permission schemes differently. Read the settings using the code from an object that you have set the permissions on using the standard Windows UI tools. Using that scheme, determine how to set the flags in your code.
| Sign In·View Thread·PermaLink | |
Although I have been working on VB.net for 1 year, I am very new to Security class. I am not quite sure if I understood your answer here. Is it possible for you to post a small code snippet (even C# code is fine)?
Really appreciate your help.
Thanks
| Sign In·View Thread·PermaLink | 2.00/5 (1 vote) |
Set the permissions on a directory using Windows Explorer on the native system, not via a network connection. Then, from above, use the code:
SecuredObject sec = new SecuredObject(@"C:\", SecuredObjectType.FileObject);
DumpObject(sec);
and replace the @"C:\" string with the directory you just manipulated. You will see all the flags that should appear for the OS you are using.
| Sign In·View Thread·PermaLink | |
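The read-back approach from the last thread (set a permission, dump the ACL, compare the flags with what Explorer produces) can also be tried with the classes built into the .NET Framework since version 2.0. This is an added example, not code from the article or from mmsseclib: it uses System.Security.AccessControl instead of the library, and the program name, directory and account in the usage line are placeholders.

```csharp
// Added example: System.Security.AccessControl, not mmsseclib.
// Usage (placeholder names): UploadAcl.exe C:\Inetpub\uploads MACHINE\ASPNET
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class UploadAcl
{
    // "This folder, subfolders and files" in Explorer's terms.
    const InheritanceFlags Everything =
        InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;

    // Show the account name, or the raw SID when it no longer maps to an account.
    static string Name(IdentityReference id)
    {
        try { return id.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return id.Value; }
    }

    // Counterpart of the article's DumpObject, for the DACL only.
    static void Dump(DirectoryInfo dir)
    {
        DirectorySecurity sec = dir.GetAccessControl(AccessControlSections.Access);
        foreach (FileSystemAccessRule r in
                 sec.GetAccessRules(true, true, typeof(SecurityIdentifier)))
            Console.WriteLine(" {0} : {1} : {2} : {3}{4}",
                Name(r.IdentityReference), r.AccessControlType,
                r.InheritanceFlags, r.FileSystemRights,
                r.IsInherited ? " (inherited)" : "");
    }

    static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: UploadAcl <directory> <DOMAIN\\account>");
            return 2;
        }
        DirectoryInfo dir = new DirectoryInfo(args[0]);
        try
        {
            // Resolve first so a mistyped account fails before the ACL is touched.
            SecurityIdentifier sid = (SecurityIdentifier)new NTAccount(args[1])
                .Translate(typeof(SecurityIdentifier));
            DirectorySecurity sec = dir.GetAccessControl(AccessControlSections.Access);
            // SetAccessRule replaces the account's existing allow ACEs with this one.
            sec.SetAccessRule(new FileSystemAccessRule(sid,
                FileSystemRights.Read | FileSystemRights.Write,
                Everything, PropagationFlags.None, AccessControlType.Allow));
            dir.SetAccessControl(sec);
            Dump(dir);
            return 0;
        }
        catch (IdentityNotMappedException)
        {
            Console.Error.WriteLine("No such account: " + args[1]);
            return 1;
        }
    }
}
```

Run it against a scratch directory with an account that is allowed to change that directory's permissions; the inheritance flags and rights it prints are the values to compare with an entry set through the Windows UI.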