![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to readme.txt CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [WindowsNT SDKs] / q_a / samples / check_sd|
Return to readme.txt CVS log | Up to [WindowsNT SDKs] / q_a / samples / check_sd |
1.1 root 1: Sample: Demonstration of Code to Examine SD's (Security Descriptors)
2:
3: Summary: In the Win32 .hlp file, if you click on Search, goto
4: "Security Overview", then choose from the list of topics under
5: Security Overview the sub-topic "Allowing Access", you'll find
6: the comment
7:
8: Note: It is fine to write code like this that builds security
9: descriptors from scratch. It is, however, a good practice
10: for people who write code that builds or manipulates
11: security descriptors to first write code that explores the
12: default security descriptors that Windows NT places on
13: objects. For example, if Windows NT by default includes in
14: a DACL an ACE granting the Local Logon SID certain access,
15: it's good to know that, so that a decision not to grant any
16: access to the Local Logon SID would be a conscious decision
17:
18: Purpose of this sample: The comment in the .hlp file is accurate,
19: however, for many people this task of examining the SD is easier
20: if there is sample code to start from. So, the purpose of this
21: sample is to assist people by providing sample code people can
22: start from as they examine SD(s). This sample as is examines
23: the SD on files, and this code can be modified to examine the SD
24: on other objects
25:
26: This sample is not a supported utility
27:
28: To run: Type Check_sd to check the SD on the \\.\A: device
29:
30: Type Check_sd d:\a.fil to check the SD on the d:\a.fil
31: file. In this case d: must be formatted NTFS,
32: because only NTFS files have SD(s)
33:
34: Further notes:
35:
36: - If you recompile with this define set like this
37:
38: #define I_DO_NOT_WANT_THIS_CODE_TO_CLUTTER_THIS_PROGRAM_S_OUTPUT (1==0)
39:
40: and re-run the program, the program will produce a lot more
41: output, including displaying all the info you can access in
42: a Win32 program from the process's Access Token, and the
43: SD's of some sample objects
44:
45: - If you logon, run with the program built to produce the extra
46: output as mentioned just above, save that output to a file,
47: then log off and re-run the program, save the output of this
48: second run to a different file, you can with WinDiff easily
49: observe how the local logon SID really does change values for
50: each logged on session
51:
52: - A sample test you could run to exercise DACLs involves using the
53: \q_a\samples\sd_flppy sample in conjunction with this check_sd
54: sample
55:
56: - Log on to a machine as a local Administrator
57: - Do
58: check_sd \\.\A: >out_bef.a
59: check_sd \\.\B: >out_bef.b
60: - Logoff
61: - Log on the same machine as Guest on the local machine domain
62: - Do
63: sd_flppy
64: - Try
65: dir a: (observe access denied)
66: dir b: (observe access denied)
67: copy config.sys a:\ (get device not found)
68: copy config.sys b:\ (get device not found)
69: - Logoff
70: - Log on the same machine as a local Administrator
71: - Do
72: check_sd \\.\A: >out_aft.a
73: check_sd \\.\B: >out_aft.b
74: - Browse the differences between out_bef.* and out_aft.*
75:
76: - The above sample test demonstrates that the ACLs that sd_flppy
77: applies survive logoffs. To demonstrate the DACLs do not
78: survive rebooting, simply reboot, log back on as a local
79: Administrator, and
80: check_sd \\.\A: >out_rbt.a
81: check_sd \\.\B: >out_rbt.b
82: to see the DACLs are again as they were in
83: out_bef.a
84: out_bef.b
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.