It's been some time since I have written something.. I wouldn't say I was so busy that I couldn't post even once.. Point no. 1: a bit lazy these days :-) and point 2.. I was a bit busy.. :-)
This time around I will be discussing a bit about Windows Access Control Entries...
Every securable object in Windows has a security descriptor associated with it; the object can be anything from a file to a service.
The Windows built-in sc command has an option to list the security descriptor of a service.
Here is how you can do this:
cmd -> sc sdshow <service_name>
An example would be
sc sdshow wuauserv
where wuauserv is the service name for the Windows Update agent.
The output of the command would look something like this:
D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
If you are sure of what you are doing, you may set the security descriptor with
sc sdset <service_name> <security_descriptor>
Note: only do this if you are really sure of what you are doing..
Now let's analyze the output of the sc sdshow wuauserv command.
Format
D:dacl_flags(string_ace1)(string_ace2)(string_ace3).....(string_acen)
D: -> DACL entry (other possibilities are S: -> SACL, O: -> Owner, G: -> Primary Group)
Format of (string_ace1)
(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
(string_ace1)
(A;;CCLCSWRPLORC;;;AU)
ace_type = A
A - SDDL_ACCESS_ALLOWED
ace_flags = blank here
rights : CCLCSWRPLORC
CC: SDDL_CREATE_CHILD
LC: SDDL_LIST_CHILDREN
SW: SDDL_SELF_WRITE
RP: SDDL_READ_PROPERTY
LO: SDDL_LIST_OBJECT
RC: SDDL_READ_CONTROL
object_guid: blank in this case
inherit_object_guid : blank here
account_sid : AU
AU - SDDL_AUTHENTICATED_USERS
(string_ace2)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
ace_type = A
A - SDDL_ACCESS_ALLOWED
ace_flags = blank in this case
rights : CCDCLCSWRPWPDTLOCRSDRCWDWO
CC: SDDL_CREATE_CHILD
DC: SDDL_DELETE_CHILD
LC: SDDL_LIST_CHILDREN
SW: SDDL_SELF_WRITE
RP: SDDL_READ_PROPERTY
WP: SDDL_WRITE_PROPERTY
DT: SDDL_DELETE_TREE
LO: SDDL_LIST_OBJECT
CR: SDDL_CONTROL_ACCESS
SD: SDDL_STANDARD_DELETE
RC: SDDL_READ_CONTROL
WD: SDDL_WRITE_DAC
WO: SDDL_WRITE_OWNER
object_guid: blank in this case
inherit_object_guid : blank in this case
account_sid : BA
BA - SDDL_BUILTIN_ADMINISTRATORS
(string_ace3)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
ace_type = A
A - SDDL_ACCESS_ALLOWED
ace_flags = blank in this case
rights : CCDCLCSWRPWPDTLOCRSDRCWDWO
CC: SDDL_CREATE_CHILD
DC: SDDL_DELETE_CHILD
LC: SDDL_LIST_CHILDREN
SW: SDDL_SELF_WRITE
RP: SDDL_READ_PROPERTY
WP: SDDL_WRITE_PROPERTY
DT: SDDL_DELETE_TREE
LO: SDDL_LIST_OBJECT
CR: SDDL_CONTROL_ACCESS
SD: SDDL_STANDARD_DELETE
RC: SDDL_READ_CONTROL
WD: SDDL_WRITE_DAC
WO: SDDL_WRITE_OWNER
object_guid: blank in this case
inherit_object_guid : blank in this case
account_sid : SY
SY - SDDL_LOCAL_SYSTEM
It's not always easy to decipher this.. However, we may write simple scripts to do the same.. :-) Not sure if I will be writing one..
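One such script, added here as an example and not part of the original post: it splits an sdshow string into the fields walked through above (ACE type, flags, rights, GUIDs, account SID), expands the two-letter codes, and then flags allowed DACL entries that hand anyone other than Administrators or SYSTEM a right that lets them rewrite the DACL, take ownership or change the service configuration. The service-specific names after the slash in the rights table come from the Windows service access-rights mapping rather than from the post, and the "weakened" descriptor is a constructed sample.

```python
import re

# Two-letter SDDL rights: the generic name from the SDDL docs and, after the slash,
# what the same bit means when the securable object is a service.
RIGHTS = {
    "CC": "SDDL_CREATE_CHILD / SERVICE_QUERY_CONFIG", "DC": "SDDL_DELETE_CHILD / SERVICE_CHANGE_CONFIG",
    "LC": "SDDL_LIST_CHILDREN / SERVICE_QUERY_STATUS", "SW": "SDDL_SELF_WRITE / SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SDDL_READ_PROPERTY / SERVICE_START", "WP": "SDDL_WRITE_PROPERTY / SERVICE_STOP",
    "DT": "SDDL_DELETE_TREE / SERVICE_PAUSE_CONTINUE", "LO": "SDDL_LIST_OBJECT / SERVICE_INTERROGATE",
    "CR": "SDDL_CONTROL_ACCESS / SERVICE_USER_DEFINED_CONTROL", "SD": "SDDL_STANDARD_DELETE",
    "RC": "SDDL_READ_CONTROL", "WD": "SDDL_WRITE_DAC", "WO": "SDDL_WRITE_OWNER",
    "GA": "SDDL_GENERIC_ALL", "GR": "SDDL_GENERIC_READ", "GW": "SDDL_GENERIC_WRITE",
}
ACE_TYPES = {"A": "SDDL_ACCESS_ALLOWED", "D": "SDDL_ACCESS_DENIED", "AU": "SDDL_AUDIT"}
SIDS = {"AU": "SDDL_AUTHENTICATED_USERS", "BA": "SDDL_BUILTIN_ADMINISTRATORS", "SY": "SDDL_LOCAL_SYSTEM",
        "WD": "SDDL_EVERYONE", "BU": "SDDL_BUILTIN_USERS", "IU": "SDDL_INTERACTIVE", "SU": "SDDL_SERVICE"}
DANGEROUS = {"WD", "WO", "DC", "GA", "GW"}  # rewrite the DACL, take ownership, or change the service config

def split_rights(rights):
    """A rights field is either one hex mask ("0x...") or a run of two-letter codes."""
    return [rights] if rights.startswith("0x") else [rights[i:i + 2] for i in range(0, len(rights), 2)]

def parse_sddl(sddl):
    """Decode the D: (DACL) and S: (SACL) sections of an `sc sdshow` string into one dict per ACE."""
    aces = []
    for acl, acl_flags, body in re.findall(r"([DS]):([A-Z]*)((?:\([^)]*\))*)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            fields = ace.split(";")
            if len(fields) != 6:  # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
                raise ValueError("malformed ACE: (%s)" % ace)
            ace_type, ace_flags, rights, obj_guid, inh_guid, sid = fields
            aces.append({"acl": acl, "acl_flags": acl_flags, "type_code": ace_type, "sid": sid,
                         "type": ACE_TYPES.get(ace_type, ace_type), "ace_flags": ace_flags,
                         "codes": split_rights(rights), "rights": [RIGHTS.get(r, r) for r in split_rights(rights)],
                         "object_guid": obj_guid, "inherit_object_guid": inh_guid, "trustee": SIDS.get(sid, sid)})
    return aces

def risky_grants(aces, trusted=("BA", "SY")):
    """Allowed DACL entries that hand a trustee outside `trusted` one of the DANGEROUS rights."""
    findings = []
    for a in aces:
        bad = sorted(DANGEROUS & set(a["codes"]))
        if a["acl"] == "D" and a["type_code"] == "A" and bad and a["sid"] not in trusted:
            findings.append((a["sid"], bad))
    return findings

# The real wuauserv output quoted in the post, and a constructed weakened variant for comparison.
WUAUSERV = "D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
WEAKENED = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
```

Running `risky_grants(parse_sddl(WUAUSERV))` returns an empty list, while the weakened descriptor reports Authenticated Users holding DC, WD and WO.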
Cheers guys.. Enjoy the weekend..
References:
SID Strings: http://msdn.microsoft.com/en-us/library/aa379602(VS.85).aspx
Security Descriptor Definition Language: http://msdn.microsoft.com/en-us/library/aa379567(VS.85).aspx
Security Descriptor String Format: http://msdn.microsoft.com/en-us/library/aa379570(VS.85).aspx
ACE_HEADER Structure: http://msdn.microsoft.com/en-us/library/aa374919(VS.85).aspx
ACE Strings: http://msdn.microsoft.com/en-us/library/aa374928(VS.85).aspx