The Windows Access Control Model Part 3

oshah

Rate me:

4.80/5 (28 votes)

1 Jul 200525 min read

232.5K

5.2K

126

In the third part of this series, we will take a tour of the new access control classes coming in .NET v2.0.

accesscontrolnet.zip
- NetAccessControl.txt
- NetAccessControl
  - AboutBox1.cs
  - AboutBox1.Designer.cs
  - AboutBox1.resx
  - AccCheckFrm.cs
  - AccCheckFrm.Designer.cs
  - AccCheckFrm.resx
  - AccessCheck.cs
  - app.config
  - bin
    - Release
      - AccessToken.dll
      - NetAccessControl.exe
      - NetAccessControl.exe.config
  - DACLForm.cs
  - DACLForm.Designer.cs
  - DACLForm.resx
  - Inheritance.cs
  - Inheritance.Designer.cs
  - Inheritance.resx
  - LowerRights.cs
  - LowerRights.Designer.cs
  - LowerRights.resx
  - MainMenu.cs
  - MainMenu.Designer.cs
  - MainMenu.resx
  - NetAccessControl.csproj
  - NetAccessControl.sln
  - NetAccessControl.txt
  - Program.cs
  - Properties
    - AssemblyInfo.cs
    - Resources.Designer.cs
    - Resources.resx
    - Settings.Designer.cs
    - Settings.settings
  - ReadSD.cs
  - ReadSD.Designer.cs
  - ReadSD.resx
  - ReadToken.cs
  - ReadToken.Designer.cs
  - ReadToken.resx
  - SACLForm.cs
  - Safer.cs
  - ViewSids.cs
  - ViewSids.Designer.cs
  - ViewSids.resx
accesstoken.zip
- AccessToken.txt
- AccessToken
  - AccessToken.cpp
  - AccessToken.h
  - AccessToken.rc
  - AccessToken.sln
  - AccessToken.vcproj
  - AssemblyInfo.cpp
  - mykey.snk
  - Release
    - AccessToken.dll
    - TokenTest.exe
  - resource.h
- TokenTest
  - app.ico
  - AssemblyInfo.cpp
  - TokenTest.cpp
  - TokenTest.vcproj

��The programs in this environment are based on the Codeproject series:



The Windows Access Control Model. 

http://www.codeproject.com/win32/accessctrl1.asp



These programs are from part 3 of the series.



It consists of the following programs:



ViewSids.cs [Translate Sids To User Name]

---------------------------------------------



This program is a program that can translate between user names and SIDs. To use 

the program, type in the user name in the first text box, then click Translate 

Sids. The second text box will be populated with your SID. You can also 

translate SIDs to user names by typing the SID into the second box.



ReadToken.cs [Read Token]

---------------------------------------------



This is a GUI version of Whoami (whoami is a tiny utility from the Windows 

Resource Kit). The program starts by enumerating the list of processes. Double 

click on any process to see its process token. Examples of what you can obtain 

from the process token are the user who started the process, the list of groups 

the user belongs to, and the list of privileges available to the process. If you 

don't have the necessary access rights, an error message will appear in the 

status bar.



LowerRights.cs [Create Unprivileged User]

---------------------------------------------



In windows XP and 2003, a new option was added to the "Run As..." dialog called 

"Protect my computer and data from unauthorized program activity". This option 

removes most of the privileges from the process token, and replaces the group 

SIDs with deny-only SIDs. The result is a restricted process, unable to perform 

much damage to your computer. LowerRights demonstrates how to use the SAFER 

policies to duplicate this feature. It presents a run dialog box that makes the 

application start up with reduced privileges.



ReadSD.cs [Security Descriptor Factory]

---------------------------------------------



This is a registry security descriptor editor that can edit the security of 

remote registry keys. It demonstrates the new security descriptor classes 

available for .NET v2.0. Try not to use this program in production environments 

because it has not been thoroughly tested. If you want to edit registry security 

descriptors, use regedt32 instead. This program doesn't actually edit 

the security descriptor of your objects until you press Apply in the main form. 

In order for the registry write to work, you need to have made a change in the 

security descriptor (which cannot have invalid changes), previewed the change in 

SDDL form, have suitable rights to alter the security descriptor, and have 

enabled an app.config property. If one of these conditions is not met, the 

registry write fails and you aren't allowed to write the security descriptor.



AccCheckFrm.cs [Access Check]

---------------------------------------------



Use this program to check if you are allowed to access a registry key. Type in 

the name of the registry key, and type in a hex number that corresponds to your 

desired action, and press the AccessCheck button. If you are allowed to perform 

this action, then true is returned in the status bar. If access is going to be

denied, false is returned. If you don't want to rely on the Win32 AccessCheck

API to perform the check, press the Manual check button--AccCheckFrm will

perform the access check using its own [broken] algorithm.



Here are the hex numbers for registry access:

QueryValues = 0x1,

SetValue = 0x2,

CreateSubKey = 0x4,

EnumerateSubKeys = 0x8,

Notify = 0x10,

CreateLink = 0x20,

Delete = 0x10000,

ReadPermissions = 0x20000,

WriteKey = 0x20006,

ExecuteKey = 0x20019,

ReadKey = 0x20019,

ChangePermissions = 0x40000,

TakeOwnership = 0x80000,

FullControl = 0xf003f.



AboutBox1.cs [About]

---------------------------------------------



Displays some information about the programs.



Exit [Exit]

---------------------------------------------



Exits the program. You can also exit by closing the main menu.













Classes

---------------------------------------------

The project makes use of the following class library from AccessToken



ManagedTokenHandle: A wrapper class for "automatic" access token management.



SAFER: A port of the SaferRaiiWrapper class (see "The Windows Access Control 

Model Part 2") to .NET. It currently uses its own implementation of 

CreateProcessAsUser, since Process.Start doesn't quite support starting by token 

(even in .NET v2.0)



AccessToken: a port of ATL::CAccessToken to .NET (half-complete).



AccessToken.AccessToken

---------------------------------------------



This reusable class is based on the data from "The Windows Access Control Model - Part 3",

and modelled after the ATL class library.



This class extends the WindowsIdentity class to make it as functional as CAccessToken

(apart from the userprofile/impersonation stuff).



Error codes have been shunned for Exceptions.





Static Methods:

To construct an access token, you will need to an access token to the process. Use this static

function to obtain an access token from a Process.Handle:

ManagedTokenHandle GetAccessToken(IntPtr processHandle = 0, TokenAccessLevels dwDesiredAccess);





Public methods:

void GetEffectiveToken(TokenAccessLevels dwDesiredAccess);

void GetProcessToken(TokenAccessLevels dwDesiredAccess, IntPtr hProcess = 0);

void OpenThreadToken(TokenAccessLevels dwDesiredAccess, bool bImpersonate = false, bool bOpenAsSelf = true, TokenImpersonationLevel Impersonator = Impersonation);

void GetThreadToken(TokenAccessLevels dwDesiredAccess, IntPtr hThread = 0, bool bOpenAsSelf = true);

void SetPrivilege(String privilegeName, bool bEnable);

NameValueCollection GetPrivileges();



These functions have the same definitions as they do in ATL.



Public Properties:

IntPtr Token;

RawAcl DefaultDacl;

SecurityIdentifier PrimaryGroup;

TOKEN_TYPEEnum Type;

Int64 LogonSessionId;

unsigned long TerminalServicesSessionId;



The following helper classes were needed to create AccessToken.



enum TOKEN_TYPEEnum;

/* Marshaller for TOKEN_TYPE. */



class ManagedTokenHandle : SafeHandle;

/* Automatic Handle management for the access token.  */









Usage.

---------------------------------------------



CodeProject has a policy (http://www.codeproject.com/info/faq.asp)

that governs the copyright of projects posted at its site. This

program bears that copyright.







Requirements.

---------------------------------------------

These programs require v2.0 of the .NET framework to run. They will not run

or compile on older versions. With the exception of AccessToken.AccessToken,

these programs were written using Microsoft Visual C# 2005 Express Edition Beta

2. AccessToken.AccessToken is written in C++/CLI and was compiled with

Microsoft Visual C++ 2005 Express Edition Beta 2.



For more information about these programs and the class library, refer to the

following Codeproject article: The Windows Access Control Model Part 3 @ 

http://www.codeproject.com/

By viewing downloads associated with this article you agree to the Terms of Service and the article's licence.

If a file you wish to view isn't highlighted, and is a text file (not binary), please let us know and we'll add colourisation support for it.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

Written By

oshah

Web Developer

United States

Mr. Shah is a reclusive C++/C# developer lurking somewhere in the depths of the city of London. He learnt physics at Kings' College London and obtained a Master in Science there. Having earned an MCAD, he teeters on the brink of transitioning from C++ to C#, unsure of which language to jump to. Fortunately, he also knows how to use .NET interop to merge code between the two languages (which means he won't have to make the choice anytime soon).

His interests (apart from programming) are walking, football (the real one!), philosophy, history, retro-gaming, strategy gaming, and any good game in general.

He maintains a website / blog / FAQ / junk at shexec32.serveftp.net, where he places the best answers he's written to the questions you've asked. If you can find him, maybe you can hire Mr. Shah to help you with anything C++[/CLI]/C#/.NET related Smile | :)

The Windows Access Control Model Part 3

License

Comments and Discussions