XSEC: How to Learn Windows Access Control in Two Hours

Want to learn the Windows access control subsystem in two hours, and to know the topic better than any of your teachers did? Wondering how to use the Windows API function with the longest name, AccessCheckByTypeResultListAndAuditAlarmByHandle? Want to see code that creates undocumented Windows structures? Then this article is for you!





This article describes a library and a set of tests that let any user study the Windows access control subsystem as fully as possible with fairly little initial knowledge. Working with DACLs, SACLs, conditional ACEs, mandatory integrity checking and many other topics is covered. The tests let the user change the input data at will and modify the tests themselves for a closer look at whichever topics matter to them. The library can parse and create all the internal structures of the Windows security subsystem, and it can also create access tokens with arbitrary initial data.





A long time ago I started learning the Windows security subsystem. I read excellent books, but a book has to be backed up by practice, so I began my own experiments. I started with the standard technique: a file tree with several nested levels of directories. In the early stages such an "experimental site" was enough. But when I moved on to DAC (Dynamic Access Control), the test site became much more complicated: I had to deploy several virtual machines, one of them a Windows Server and another an ordinary client OS, and I had to learn how to configure a number of Windows Server subsystems, which distracted from the original task of studying the security subsystem. By the end I had a fairly developed library that let me retrieve, in a form convenient to me, the values of the various structures of the Windows security subsystem and, for most of them, also create them again from previously saved values. Then one day an idea came to me that radically changed (and greatly simplified) my whole approach to the topic.










Put briefly, Windows access control rests on two structures: the access token, which describes the subject (user SID, group SIDs, privileges, integrity level), and the security descriptor (SD), which describes the object (owner, DACL, SACL, mandatory label). An access check takes a token, a security descriptor and a requested access mask and decides what is granted.
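To make the two structures concrete, here is an added example (my own code, not part of the XSEC library) that models in standard C++ the order in which Windows evaluates a request: the mandatory integrity label is checked first, then the owner's implicit rights, then the DACL ACE by ACE, with a deny ACE ending the check as soon as it overlaps a right that has not yet been granted. SIDs are plain strings, the account SIDs and the sample DACL are made up, and the set of rights the label treats as "write" is passed in as a parameter (SAMPLE_WRITE_SET) because on a real object it comes from the object type's generic mapping. Generic rights, MAXIMUM_ALLOWED, object and conditional ACEs and SACL auditing are left out.

```cpp
// Added example, not code from the XSEC library: a standard-C++ model of the
// order in which Windows evaluates an access request against a security
// descriptor (mandatory label, then owner rights, then the DACL ACE by ACE).
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Access rights used here (bit values as in winnt.h).
constexpr uint32_t FILE_READ_DATA  = 0x00000001;
constexpr uint32_t FILE_WRITE_DATA = 0x00000002;
constexpr uint32_t DELETE          = 0x00010000;
constexpr uint32_t READ_CONTROL    = 0x00020000;
constexpr uint32_t WRITE_DAC       = 0x00040000;
// Assumed "write" set for the integrity check; a real object gets it from its generic mapping.
constexpr uint32_t SAMPLE_WRITE_SET = FILE_WRITE_DATA | DELETE | WRITE_DAC;

constexpr uint8_t ACCESS_ALLOWED_ACE_TYPE = 0x00;
constexpr uint8_t ACCESS_DENIED_ACE_TYPE  = 0x01;
constexpr uint8_t INHERIT_ONLY_ACE        = 0x08;   // ACE flag: applies to children only
constexpr uint32_t LOW_RID = 0x1000, MEDIUM_RID = 0x2000;   // RIDs of the S-1-16-x label SIDs

struct Ace { uint8_t type; uint8_t flags; uint32_t mask; std::string sid; };
struct SecurityDescriptor {
    std::string owner; bool dacl_present;        // dacl_present == false models a NULL DACL
    std::vector<Ace> dacl; uint32_t label_rid;   // label_rid: level of the SYSTEM_MANDATORY_LABEL ACE
    bool no_write_up;                            // SYSTEM_MANDATORY_LABEL_NO_WRITE_UP policy
};
struct TokenGroup { std::string sid; bool deny_only; };   // SE_GROUP_USE_FOR_DENY_ONLY
struct Token { std::string user; std::vector<TokenGroup> groups; uint32_t integrity_rid; };
struct CheckResult { bool granted; uint32_t granted_mask; const char* reason; };

// Does the token hold this SID?  A deny-only group counts only when a deny ACE asks.
static bool sid_in_token(const Token& t, const std::string& sid, bool for_deny) {
    if (t.user == sid) return true;
    for (const TokenGroup& g : t.groups)
        if (g.sid == sid && (for_deny || !g.deny_only)) return true;
    return false;
}

CheckResult access_check(const Token& t, const SecurityDescriptor& sd,
                         uint32_t desired, uint32_t write_rights) {
    // 1. The mandatory integrity check runs before the DACL is even looked at.
    if (sd.no_write_up && t.integrity_rid < sd.label_rid && (desired & write_rights))
        return {false, 0, "blocked by mandatory label (no-write-up)"};
    // 2. A NULL DACL grants every request; an empty DACL would grant nothing.
    if (!sd.dacl_present) return {true, desired, "NULL DACL"};
    uint32_t remaining = desired, granted = 0;
    // 3. The owner is implicitly granted READ_CONTROL and WRITE_DAC.
    if (sid_in_token(t, sd.owner, false)) {
        uint32_t bits = remaining & (READ_CONTROL | WRITE_DAC);
        granted |= bits; remaining &= ~bits;
    }
    // 4. Walk the DACL in order; stop as soon as nothing is left to grant.
    for (const Ace& ace : sd.dacl) {
        if (remaining == 0) break;
        if (ace.flags & INHERIT_ONLY_ACE) continue;
        if (ace.type == ACCESS_DENIED_ACE_TYPE) {
            if (sid_in_token(t, ace.sid, true) && (ace.mask & remaining))
                return {false, 0, "denied by ACCESS_DENIED ACE"};
        } else if (ace.type == ACCESS_ALLOWED_ACE_TYPE && sid_in_token(t, ace.sid, false)) {
            uint32_t bits = ace.mask & remaining;
            granted |= bits; remaining &= ~bits;
        }
    }
    if (remaining) return {false, 0, "no ACE grants the remaining rights"};
    return {true, granted, "granted by DACL"};
}

// Constructed sample data: well-known SIDs plus made-up account SIDs.
const std::string EVERYONE = "S-1-1-0", USERS = "S-1-5-32-545", GUESTS = "S-1-5-32-546";
const std::string ALICE = "S-1-5-21-1-2-3-1001", BOB = "S-1-5-21-1-2-3-1002";

SecurityDescriptor sample_sd() {
    return { ALICE, true, {
        { ACCESS_DENIED_ACE_TYPE,  0, FILE_WRITE_DATA, GUESTS },          // denies first: canonical order
        { ACCESS_ALLOWED_ACE_TYPE, 0, FILE_READ_DATA,  EVERYONE },
        { ACCESS_ALLOWED_ACE_TYPE, 0, FILE_WRITE_DATA, USERS },
        { ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE, DELETE, EVERYONE },  // for child objects only
    }, MEDIUM_RID, true };
}
SecurityDescriptor sample_sd_null_dacl() { SecurityDescriptor sd = sample_sd(); sd.dacl_present = false; return sd; }
Token alice(uint32_t level) { return { ALICE, {{EVERYONE, false}, {USERS, false}, {GUESTS, true}}, level }; }
Token bob()                 { return { BOB, {{EVERYONE, false}, {USERS, false}}, MEDIUM_RID }; }

int main() {
    struct Case { const char* who; Token t; uint32_t want; } cases[] = {
        {"alice read+write",      alice(MEDIUM_RID), FILE_READ_DATA | FILE_WRITE_DATA},
        {"alice (low) WRITE_DAC", alice(LOW_RID),    WRITE_DAC},
        {"bob delete",            bob(),             DELETE},
    };
    for (const Case& c : cases) {
        CheckResult r = access_check(c.t, sample_sd(), c.want, SAMPLE_WRITE_SET);
        std::printf("%-22s -> %s 0x%x: %s\n", c.who, r.granted ? "granted" : "DENIED",
                    unsigned(r.granted_mask), r.reason);
    }
}
```

Two details are worth noticing when you run it. The Guests SID in Alice's token is marked deny-only, so it can never grant her anything but still matches the deny ACE; that is exactly how a filtered or restricted token loses rights. And Alice at low integrity is refused WRITE_DAC even though she owns the object, because the label is evaluated before ownership and the DACL.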





Some of the tests have to be run elevated: start them with «Run As Administrator», or run Visual Studio itself as administrator if you launch them from the IDE. In addition, some tests use privileges that go beyond plain administrator rights: SeCreateTokenPrivilege (Create a token object), SeTcbPrivilege (Act as part of the operating system) and SeImpersonatePrivilege (Impersonate a client after authentication). Administrators hold SeImpersonatePrivilege by default, but not the first two; grant them to your account under User Rights Assignment in the local security policy and log on again so that your token picks them up.





The library is written in C++.





Now back to the questions asked at the beginning:





1. How do you learn Windows access control in two hours?










2. How do you use the Windows API function with the longest name, AccessCheckByTypeResultListAndAuditAlarmByHandle?





One of the tests calls AccessCheckByTypeResultListAndAuditAlarmByHandle directly. It is the most general member of the AccessCheck family: it takes the client's access token as an explicit handle instead of using the impersonation token of the calling thread, checks the requested access against a security descriptor for a whole list of object types (returning a granted-access mask and a status for each entry of the list), and generates the audit and alarm messages that the object's SACL calls for. Because it writes audit records, the calling process must have SeAuditPrivilege enabled.





3. Where can you see code that creates undocumented Windows structures?





At this link you can find a function that creates the "binary representation" of the CLAIM_SECURITY_ATTRIBUTE_V1 data type. The structure itself is documented in [MS-DTYP], but there is no description of exactly how it is laid out in binary form. The structure is needed to set "resource attributes" (a concept from DAC, Dynamic Access Control) in a security descriptor, for example to attach resource properties to a file.
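As an added example (my own code, not the function the article links to), the following standard C++ builds and parses such a binary representation. The header fields and constants follow CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 from winnt.h and [MS-DTYP] 2.4.10.1: a 4-byte offset to the name, a 2-byte ValueType, 2 reserved bytes, 4 bytes of flags, a 4-byte ValueCount and then ValueCount 4-byte offsets, all relative to the start of the structure. Where the name and the values are placed after the offset array, and how they are aligned, is this example's own choice and is labelled as such; only the STRING and UINT64 value types are handled, and the function names are mine. Every read in the decoder is bounds-checked, because the bytes being parsed come out of a security descriptor that some other principal wrote.

```cpp
// Added example, not code from the XSEC library.  Header fields and constants
// follow CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 (winnt.h, [MS-DTYP] 2.4.10.1).
// Where the trailing data is placed (name first, then the values, aligned) is
// this example's own choice: every item is reached through an offset stored in
// the header, so a decoder that follows the offsets does not depend on it.
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;
constexpr uint16_t CLAIM_TYPE_UINT64 = 0x0002;           // CLAIM_SECURITY_ATTRIBUTE_TYPE_UINT64
constexpr uint16_t CLAIM_TYPE_STRING = 0x0003;           // CLAIM_SECURITY_ATTRIBUTE_TYPE_STRING
constexpr uint32_t CLAIM_FLAG_CASE_SENSITIVE = 0x0002;   // CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE
constexpr size_t HEADER_SIZE = 16;   // Name(4) ValueType(2) Reserved(2) Flags(4) ValueCount(4), then offsets

struct Claim {
    std::u16string name;
    uint16_t value_type;
    uint32_t flags;
    std::vector<uint64_t> uints;           // values when value_type == UINT64
    std::vector<std::u16string> strings;   // values when value_type == STRING
};

namespace {
void put16(Bytes& b, size_t at, uint16_t v) { b[at] = uint8_t(v); b[at + 1] = uint8_t(v >> 8); }
void put32(Bytes& b, size_t at, uint32_t v) { for (int i = 0; i < 4; ++i) b[at + i] = uint8_t(v >> (8 * i)); }
void pad_to(Bytes& b, size_t n) { while (b.size() % n) b.push_back(0); }
// All reads go through these two, so an offset taken from the buffer cannot read past its end.
uint16_t get16(const Bytes& b, size_t at) {
    if (at + 2 > b.size()) throw std::runtime_error("read past end of buffer");
    return uint16_t(b[at] | (b[at + 1] << 8));
}
uint32_t get32(const Bytes& b, size_t at) {
    if (at + 4 > b.size()) throw std::runtime_error("read past end of buffer");
    return uint32_t(b[at]) | uint32_t(b[at + 1]) << 8 | uint32_t(b[at + 2]) << 16 | uint32_t(b[at + 3]) << 24;
}
uint32_t append_wstr(Bytes& b, const std::u16string& s) {   // UTF-16LE, null-terminated; returns its offset
    pad_to(b, 4);
    uint32_t off = uint32_t(b.size());
    for (char16_t c : s) { b.push_back(uint8_t(c)); b.push_back(uint8_t(c >> 8)); }
    b.push_back(0); b.push_back(0);
    return off;
}
std::u16string read_wstr(const Bytes& b, size_t off) {
    std::u16string s;
    for (;; off += 2) { char16_t c = char16_t(get16(b, off)); if (c == 0) return s; s.push_back(c); }
}
}  // namespace

Bytes encode_claim(const Claim& c) {
    size_t count = c.value_type == CLAIM_TYPE_STRING ? c.strings.size() : c.uints.size();
    Bytes b(HEADER_SIZE + 4 * count, 0);   // fixed header followed by the Values offset array
    put16(b, 4, c.value_type);
    put16(b, 6, 0);                        // Reserved
    put32(b, 8, c.flags);
    put32(b, 12, uint32_t(count));
    put32(b, 0, append_wstr(b, c.name));   // Name: offset of the attribute name
    for (size_t i = 0; i < count; ++i) {
        uint32_t off;
        if (c.value_type == CLAIM_TYPE_STRING) {
            off = append_wstr(b, c.strings[i]);
        } else {                           // UINT64: 8-byte little-endian value, 8-aligned
            pad_to(b, 8);
            off = uint32_t(b.size());
            for (int k = 0; k < 8; ++k) b.push_back(uint8_t(c.uints[i] >> (8 * k)));
        }
        put32(b, HEADER_SIZE + 4 * i, off);
    }
    pad_to(b, 4);
    return b;
}

Claim decode_claim(const Bytes& b) {
    Claim c{};
    uint32_t name_off = get32(b, 0);
    c.value_type = get16(b, 4);
    if (get16(b, 6) != 0) throw std::runtime_error("Reserved field must be zero");
    c.flags = get32(b, 8);
    uint32_t count = get32(b, 12);
    if (count > (b.size() - HEADER_SIZE) / 4) throw std::runtime_error("ValueCount larger than buffer");
    c.name = read_wstr(b, name_off);
    for (uint32_t i = 0; i < count; ++i) {
        size_t off = get32(b, HEADER_SIZE + 4 * size_t(i));
        if (c.value_type == CLAIM_TYPE_STRING) c.strings.push_back(read_wstr(b, off));
        else if (c.value_type == CLAIM_TYPE_UINT64) c.uints.push_back(uint64_t(get32(b, off)) | uint64_t(get32(b, off + 4)) << 32);
        else throw std::runtime_error("value type not handled by this example");
    }
    return c;
}

bool decode_rejects(const Bytes& b) {   // true when the decoder refuses the buffer
    try { decode_claim(b); return false; } catch (const std::runtime_error&) { return true; }
}
Bytes head(const Bytes& b, size_t n) { return Bytes(b.begin(), b.begin() + (n < b.size() ? n : b.size())); }

// Constructed sample claims of the kind a DAC resource property carries.
Claim sample_string_claim() { return { u"Department", CLAIM_TYPE_STRING, CLAIM_FLAG_CASE_SENSITIVE, {}, { u"Finance", u"Legal" } }; }
Claim sample_uint64_claim() { return { u"Clearance", CLAIM_TYPE_UINT64, 0, { 3, 0x0102030405060708ULL }, {} }; }

int main() {
    Bytes b = encode_claim(sample_string_claim());
    std::printf("%zu bytes; name round-trips: %s; truncated copy rejected: %s\n", b.size(),
                decode_claim(b).name == u"Department" ? "yes" : "no", decode_rejects(head(b, 20)) ? "yes" : "no");
}
```

Feeding the decoder a buffer truncated to 20 bytes, or one whose Name offset points outside the buffer, ends in a std::runtime_error rather than an out-of-bounds read. That is the check you want in any parser of these structures: the offsets in the header are data, not something to trust.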







