4.10 Deciphering the security descriptor

To decipher the security descriptor, it is important to consider the object model used for its representation, because the organization of that object model heavily influences the algorithm. As we have seen, sometimes the security descriptor is represented in the WMI object model and sometimes in the ADSI object model. This implies that both object models referenced in Samples 4.3 through 4.13 must be handled in the script. The following portions of the code use a WMI deciphering technique (see Sample 4.28):

  • Sample 4.3, "Connecting to files and folders with WMI (Part I)"

  • Sample 4.5, "Connecting to shares with WMI (Part III)"

All other portions of the code use an ADSI deciphering technique (see Sample 4.29):

  • Sample 4.4, "Connecting to files and folders with ADSI (Part II)"

  • Sample 4.6, "Connecting to shares with ADSI (Part IV)"

  • Sample 4.7, "Connecting to Active Directory objects with WMI (Part V)"

  • Sample 4.8, "Connecting to Active Directory objects with ADSI (Part VI)"

  • Sample 4.9, "Connecting to Exchange 2000 mailbox information with WMI (Part VII)"

  • Sample 4.10, "Connecting to Exchange 2000 mailbox information with ADSI (Part VIII)"

  • Sample 4.11, "Connecting to Exchange 2000 mailbox information with CDOEXM (Part IX)"

  • Sample 4.12, "Connecting to registry keys with ADSI (Part X)"

  • Sample 4.13, "Connecting to CIM repository namespaces with WMI (Part XI)"

4.10.1 Deciphering the WMI security descriptor representation

Let's start with the WMI deciphering technique. Sample 4.28 shows the logic used to decipher a WMI security descriptor representation. As we have seen at the beginning of this chapter, in Figure 4.11, the Win32_SecurityDescriptor instance contains some Win32_Trustee instances (i.e., the Group and Owner components) and usually one or two collections of Win32_ACE instances (i.e., the DACL and SACL components), which in turn contain further Win32_Trustee instances (i.e., the Trustee of each ACE). With this structure and the information WMI provides about the nature of each property (its CIM type), it is possible to use a recursive algorithm: each time the code encounters an object instance while examining a property, the routine calls itself to decipher that instance.

Sample 4.28: Deciphering a WMI security descriptor representation

start example

   .:
   .:
   .:
   8:' ----------------------------------------------------------------------------------------
   9:Function DecipherWMISecurityDescriptor (objWMIInstance, _
  10:                                        intSDType, _
  11:                                        ByVal strIndent, _
  12:                                        boolDecipher)
  ..:
  19:    WScript.Echo strIndent & "+- " & _
  20:                 objWMIInstance.Path_.Class & " " & _
  21:                 String (90 - Len (objWMIInstance.Path_.Class) - Len (strIndent), "-")
  22:
  23:    Set objWMIPropertySet = objWMIInstance.Properties_
  24:    For Each objWMIProperty In objWMIPropertySet
  25:        If Not IsNull (objWMIProperty.Value) Then
  26:           If objWMIProperty.CIMType = wbemCimtypeObject Then
  27:              If objWMIProperty.IsArray Then
  28:
  29:                 ' This is an array, we deal with the Win32_ACE
  30:                 DisplayFormattedProperty Null, _
  31:                                          strIndent & "| " & objWMIProperty.Name, _
  32:                                          "(Win32_ACE)", _
  33:                                          Null
  34:                 For Each varElement In objWMIProperty.Value
  35:                     DecipherWMISecurityDescriptor varElement, _
  36:                                                   intSDType, _
  37:                                                   strIndent & "| ", _
  38:                                                   boolDecipher
  39:                 Next
  40:              Else
  41:
  42:                 ' This is not an array, we deal with a Win32_Trustee
  43:                 DisplayFormattedProperty Null, _
  44:                                          strIndent & "| " & objWMIProperty.Name, _
  45:                                          "(Win32_Trustee)", _
  46:                                          Null
  47:                 DecipherWMISecurityDescriptor objWMIProperty.Value, _
  48:                                               intSDType, _
  49:                                               strIndent & "| ", _
  50:                                               boolDecipher
  51:              End If
  52:           Else
  53:              Select Case Ucase (objWMIProperty.Name)
  54:' Win32_SecurityDescriptor --------------------------------------------------------------------
  55:                      Case "CONTROLFLAGS"
  56:                           If boolDecipher Then
  57:                              DisplayFormattedProperty objWMIInstance, _
  58:                                     strIndent & "| " & objWMIProperty.Name, _
  59:                                     DecipherSDControlFlags (objWMIProperty.Value), _
  60:                                     Null
  61:                           Else
  62:                              DisplayFormattedProperty objWMIInstance, _
  63:                                     strIndent & "| " & objWMIProperty.Name, _
  64:                                     "&h" & Hex (objWMIProperty.Value), _
  65:                                     Null
  66:                           End If
  67:' Win32_ACE -----------------------------------------------------------------------------------
  68:                      Case "ACCESSMASK"
  69:                           If boolDecipher Then
  70:                              DisplayFormattedProperty objWMIInstance, _
  71:                                     strIndent & "| " & objWMIProperty.Name, _
  72:                                     DecipherACEMask (intSDType, objWMIProperty.Value), _
  73:                                     Null
  74:                           Else
  75:                              DisplayFormattedProperty objWMIInstance, _
  76:                                     strIndent & "| " & objWMIProperty.Name, _
  77:                                     "&h" & Hex (objWMIProperty.Value), _
  78:                                     Null
  79:                           End If
  80:                      Case "ACEFLAGS"
  81:                           If boolDecipher Then
  82:                              DisplayFormattedProperty objWMIInstance, _
  83:                                     strIndent & "| " & objWMIProperty.Name, _
  84:                                     DecipherACEFlags (intSDType, objWMIProperty.Value), _
  85:                                     Null
  86:                           Else
  87:                              DisplayFormattedProperty objWMIInstance, _
  88:                                     strIndent & "| " & objWMIProperty.Name, _
  89:                                     "&h" & Hex (objWMIProperty.Value), _
  90:                                     Null
  91:                           End If
  92:                      Case "ACETYPE"
  93:                           If boolDecipher Then
  94:                              DisplayFormattedProperty objWMIInstance, _
  95:                                     strIndent & "| " & objWMIProperty.Name, _
  96:                                     DecipherACEType (intSDType, objWMIProperty.Value), _
  97:                                     Null
  98:                           Else
  99:                              DisplayFormattedProperty objWMIInstance, _
 100:                                     strIndent & "| " & objWMIProperty.Name, _
 101:                                     "&h" & Hex (objWMIProperty.Value), _
 102:                                     Null
 103:                           End If
 104:' Win32_Trustee -------------------------------------------------------------------------------
 105:                      Case "SID"
 106:                           ' The SID is a binary array: render it as a comma-delimited list
 107:                           DisplayFormattedProperty objWMIInstance, _
 108:                                  strIndent & "| " & objWMIProperty.Name, _
 109:                                  ConvertArrayInString (objWMIProperty.Value, ",", False), _
 110:                                  Null
 110:' Default -------------------------------------------------------------------------------------
 111:                      Case Else
 112:                           ' Any other property is displayed with its value as is
 112:                           DisplayFormattedProperty objWMIInstance, _
 113:                                  strIndent & "| " & objWMIProperty.Name, _
 114:                                  objWMIProperty.Value, _
 115:                                  Null
 116:                     End Select
 117:           End If
 118:        End If
 119:    Next
 120:
 121:    WScript.Echo strIndent & "+-" & _
 122:                 String (90 - Len (strIndent) + 2, "-")
 ...:
 126:End Function

end example

Sample 4.28 starts by enumerating all properties of the Win32_SecurityDescriptor instance (lines 24 through 119). For each property retrieved from the collection, the code first checks whether it has a value (line 25). If there is a value, the property type is examined, and, if the property contains an object instance (line 26), the script verifies whether this property is an array (line 27). Since we know the WMI representation of a security descriptor, an array of objects can only be a collection of Win32_ACE instances, because that is the only property holding objects in an array (lines 29 through 39). If the property is not an array (lines 42 through 50), then, again based on our knowledge of the WMI security descriptor representation, it must be a Win32_Trustee instance. In both cases, because we deal with an instance, the DecipherWMISecurityDescriptor() function is called recursively (lines 35 through 38 or lines 47 through 50).

If the property is not an object instance, the code displays its value (lines 53 through 116). Because the Win32_SecurityDescriptor, Win32_Trustee, and Win32_ACE instances do not share any property names, a single Select Case statement is enough to convert and display each property appropriately. For instance, the ControlFlags property can be displayed without any bit flag interpretation (lines 62 through 65), or, if the /Decipher+ switch is specified on the command line, its value can be deciphered (lines 57 through 60). The same logic applies to the AccessMask, AceFlags, and AceType properties (lines 68, 80, and 92). When the SID property must be displayed (line 105), since it contains a binary array, it is first converted to a comma-delimited string with the ConvertArrayInString() function and then displayed (lines 112 through 115). Any other property is displayed by the default branch of the Select Case statement (lines 111 through 116).

As an end result, the next command line will display the security descriptor, as follows:

   C:\>WMIManageSD.Wsf /FileSystem:C:\MyDirectory
   Microsoft (R) Windows Script Host Version 5.6
   Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

   Reading File or Folder security descriptor via WMI from 'C:\MyDirectory'

   +- Win32_SecurityDescriptor ----------------------------------------------------------------
   | ControlFlags: .......................... &hB814
   | DACL: .................................. (Win32_ACE)
   | +- Win32_ACE -----------------------------------------------------------------------------
   | | AccessMask: .......................... &h1F01FF
   | | AceFlags: ............................ &h3
   | | AceType: ............................. &h0
   | | Trustee: ............................. (Win32_Trustee)
   | | +- Win32_Trustee -----------------------------------------------------------------------
   | | | Domain: ............................ BUILTIN
   | | | Name: .............................. Administrators
   | | | SID: ............................... 1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0
   | | | SidLength: ......................... 16
   | | | SIDString: ......................... S-1-5-32-544
   | | +---------------------------------------------------------------------------------------
   | +-----------------------------------------------------------------------------------------
   | +- Win32_ACE -----------------------------------------------------------------------------
   | | AccessMask: .......................... &h1200A9
   | | AceFlags: ............................ &h2
   | | AceType: ............................. &h0
   | | Trustee: ............................. (Win32_Trustee)
   | | +- Win32_Trustee -----------------------------------------------------------------------
   | | | Domain: ............................ LISSWARENET
   | | | Name: .............................. MyGroup
   | | | SID: ............................... 1,5,0,0,0,...,246,207,122,236,255,136,223,4,0,0
   | | | SidLength: ......................... 28
   | | | SIDString: ......................... S-1-5-21-3533506287-3489020660-2298473594-1247
   | | +---------------------------------------------------------------------------------------
   | +-----------------------------------------------------------------------------------------
   | Owner: ................................. (Win32_Trustee)
   | +- Win32_Trustee -------------------------------------------------------------------------
   | | Domain: .............................. BUILTIN
   | | Name: ................................ Administrators
   | | SID: ................................. 1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0
   | | SidLength: ........................... 16
   | | SIDString: ........................... S-1-5-32-544
   | +-----------------------------------------------------------------------------------------
   | SACL: .................................. (Win32_ACE)
   | +- Win32_ACE -----------------------------------------------------------------------------
   | | AccessMask: .......................... &h10000
   | | AceFlags: ............................ &h43
   | | AceType: ............................. &h2
   | | Trustee: ............................. (Win32_Trustee)
   | | +- Win32_Trustee -----------------------------------------------------------------------
   | | | Domain: ............................ BUILTIN
   | | | Name: .............................. Administrators
   | | | SID: ............................... 1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0
   | | | SidLength: ......................... 16
   | | | SIDString: ......................... S-1-5-32-544
   | | +---------------------------------------------------------------------------------------
   | +-----------------------------------------------------------------------------------------
   +-------------------------------------------------------------------------------------------

As the output shows, the script also takes care of the layout of the WMI security descriptor display, enclosing each component between dashed lines to obtain a pseudographical tree.
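As an added example (not the book's code), the following Python script mirrors the recursion of Sample 4.28 over a constructed dictionary tree that plays the role of the Win32_SecurityDescriptor, Win32_ACE and Win32_Trustee instances, so it runs without WMI. It also shows two things the book's output only hints at: how the comma-delimited SID byte array becomes the S-1-5-32-544 form, and one way to decipher the ControlFlags, AccessMask, AceFlags and AceType values with the documented winnt.h bit names; the flag tables, the dictionary layout and the helper names are assumptions of this example.

```python
import struct

# Bit names from winnt.h, standing in for the book's DecipherSDControlFlags/DecipherACEMask/
# DecipherACEFlags/DecipherACEType functions (not on the page); file-system rights only.
SD_CONTROL = {0x4: "SE_DACL_PRESENT", 0x10: "SE_SACL_PRESENT", 0x400: "SE_DACL_AUTO_INHERITED",
              0x800: "SE_SACL_AUTO_INHERITED", 0x1000: "SE_DACL_PROTECTED",
              0x2000: "SE_SACL_PROTECTED", 0x8000: "SE_SELF_RELATIVE"}
ACE_FLAGS = {0x1: "OBJECT_INHERIT_ACE", 0x2: "CONTAINER_INHERIT_ACE", 0x4: "NO_PROPAGATE_INHERIT_ACE",
             0x8: "INHERIT_ONLY_ACE", 0x10: "INHERITED_ACE", 0x40: "SUCCESSFUL_ACCESS_ACE_FLAG"}
ACE_TYPES = {0: "ACCESS_ALLOWED_ACE_TYPE", 1: "ACCESS_DENIED_ACE_TYPE", 2: "SYSTEM_AUDIT_ACE_TYPE"}
FILE_RIGHTS = {0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA", 0x4: "FILE_APPEND_DATA",
               0x8: "FILE_READ_EA", 0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE", 0x40: "FILE_DELETE_CHILD",
               0x80: "FILE_READ_ATTRIBUTES", 0x100: "FILE_WRITE_ATTRIBUTES", 0x10000: "DELETE",
               0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}

def bits(value, table):
    """Name every set bit; bits missing from the table stay visible as hex."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    return names + (["&h%X" % leftover] if leftover else [])

def sid_to_string(raw):
    """Win32_Trustee.SID byte array -> S-R-I-S...: revision, count, 6-byte big-endian authority, LE sub-authorities."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(bytes(raw[2:8]), "big")
    subs = struct.unpack_from("<%dI" % count, bytes(raw), 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def scalar(name, value, decipher_flags):
    """The Select Case of Sample 4.28: decode by property name, else show the value as is."""
    key = name.upper()
    tables = {"CONTROLFLAGS": SD_CONTROL, "ACCESSMASK": FILE_RIGHTS, "ACEFLAGS": ACE_FLAGS}
    if key == "SID":
        return ",".join(map(str, value)) + " (" + sid_to_string(value) + ")"
    if key in tables or key == "ACETYPE":
        if not decipher_flags:  # /Decipher- : raw hex, as in the book's sample output
            return "&h%X" % value
        if key == "ACETYPE":
            return ACE_TYPES.get(value, "&h%X" % value)
        return "|".join(bits(value, tables[key]))
    return str(value)

def decipher(instance, indent="", decipher_flags=True, out=None):
    """Recursion of Sample 4.28: a list of objects is the Win32_ACE array, one nested object a Win32_Trustee."""
    out = [] if out is None else out
    out.append(indent + "+- " + instance["__class__"])
    for name, value in instance.items():
        if name == "__class__" or value is None:
            continue
        if isinstance(value, list) and all(isinstance(v, dict) for v in value):
            out.append(indent + "| " + name + ": (Win32_ACE)")
            for ace_obj in value:
                decipher(ace_obj, indent + "| ", decipher_flags, out)
        elif isinstance(value, dict):
            out.append(indent + "| " + name + ": (Win32_Trustee)")
            decipher(value, indent + "| ", decipher_flags, out)
        else:
            out.append(indent + "| " + name + ": " + scalar(name, value, decipher_flags))
    out.append(indent + "+-")
    return out

# Constructed stand-in for the C:\MyDirectory descriptor in the book's output, not a live WMI object.
ADMINS = {"__class__": "Win32_Trustee", "Domain": "BUILTIN", "Name": "Administrators",
          "SID": [1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0], "SidLength": 16}
def ace(mask, flags, ace_type):
    return {"__class__": "Win32_ACE", "AccessMask": mask, "AceFlags": flags,
            "AceType": ace_type, "Trustee": ADMINS}
SAMPLE_SD = {"__class__": "Win32_SecurityDescriptor", "ControlFlags": 0xB814, "Owner": ADMINS,
             "DACL": [ace(0x1F01FF, 0x3, 0), ace(0x1200A9, 0x2, 0)], "SACL": [ace(0x10000, 0x43, 2)]}

if __name__ == "__main__":
    print("\n".join(decipher(SAMPLE_SD)))
```

The second DACL entry uses the Administrators SID again because the MyGroup SID in the book's output is elided; pass decipher_flags=False to reproduce the raw &h values of the listing above.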

4.10.2 Deciphering the ADSI security descriptor representation

To decipher an ADSI security descriptor representation, things are easier, since no recursive algorithm is needed. Sample 4.29 implements the logic. Compared with Sample 4.28 ("Deciphering a WMI security descriptor representation"), the coding technique is more literal: for each ADSI COM object used to represent a security descriptor component, and for each of its properties, the code displays the corresponding value one by one. Sample 4.29 relies on the DisplayFormattedSTDProperty() function to format the output. This function plays exactly the same role as the DisplayFormattedProperty() function developed in Chapter 1 (Sample 1.6), but DisplayFormattedSTDProperty() is not tied to a particular object model; it is a generic function that displays information in the same way as the WMI-related DisplayFormattedProperty() function.

Sample 4.29: Deciphering an ADSI security descriptor representation

start example

   .:
   .:
   .:
   8:' ----------------------------------------------------------------------------------------
   9:Function DecipherADSISecurityDescriptor (objSD, intSDType, boolDecipher)
  ..:
  19:    WScript.Echo strIndent & "+- ADSI Security Descriptor " & _
  20:                 String (66 - Len (strIndent), "-")
  21:
  22:    ' Open Security Descriptor data -----------------------------------------------------------
  23:    DisplayFormattedSTDProperty strIndent & "| Owner", objSD.Owner, Null
  24:    DisplayFormattedSTDProperty strIndent & "| Group", objSD.Group, Null
  25:    DisplayFormattedSTDProperty strIndent & "| Revision", objSD.Revision, Null
  26:    If boolDecipher Then
  27:       DisplayFormattedSTDProperty strIndent & "| Control", _
  28:                                   DecipherSDControlFlags (objSD.Control), _
  29:                                   Null
  30:    Else
  31:       DisplayFormattedSTDProperty strIndent & "| Control", _
  32:                                   "&h" & Hex(objSD.Control), Null
  33:    End If
  34:
  35:    intACECount = 0
  36:    Set objACL = objSD.DiscretionaryAcl
  37:    intACECount = objACL.AceCount
  38:    If intACECount And Err.Number = 0 Then
  39:       ' Open Discretionary ACL data ----------------------------------------------------------
  40:       strIndent = strIndent & "|"
  41:       WScript.Echo strIndent & "+- ADSI DiscretionaryAcl " & _
  42:                    String (69 - Len (strIndent), "-")
  43:
  44:       strIndent = strIndent & "|"
  45:
  46:       For Each objACE In objACL
  47:           ' Open ACE Data --------------------------------------------------------------------
  48:           WScript.Echo strIndent & "+- ADSI ACE " & _
  49:                        String (82 - Len (strIndent), "-")
  50:
  51:           If boolDecipher Then
  52:              DisplayFormattedSTDProperty strIndent & "| AccessMask", _
  53:                                          DecipherACEMask (intSDType, objACE.AccessMask), _
  54:                                          Null
  55:           Else
  56:              DisplayFormattedSTDProperty strIndent & "| AccessMask", _
  57:                                          "&h" & Hex(objACE.AccessMask), Null
  58:           End If
  59:
  60:           If boolDecipher Then
  61:              DisplayFormattedSTDProperty strIndent & "| AceFlags", _
  62:                                          DecipherACEFlags (intSDType, objACE.AceFlags), _
  63:                                          Null
  64:           Else
  65:              DisplayFormattedSTDProperty strIndent & "| AceFlags", _
  66:                                          "&h" & Hex(objACE.AceFlags), Null
  67:           End If
  68:
  69:           If boolDecipher Then
  70:              DisplayFormattedSTDProperty strIndent & "| AceType", _
  71:                                          DecipherACEType (intSDType, objACE.AceType), _
  72:                                          Null
  73:           Else
  74:              DisplayFormattedSTDProperty strIndent & "| AceType", _
  75:                                          "&h" & Hex(objACE.AceType), Null
  76:           End If
  77:
  78:           If boolDecipher Then
  79:              DisplayFormattedSTDProperty strIndent & "| AceFlagType", _
  80:                                          DecipherACEFlagType (intSDType, objACE.Flags), _
  81:                                          Null
  82:           Else
  83:              DisplayFormattedSTDProperty strIndent & "| AceFlagType", _
  84:                                          "&h" & Hex(objACE.Flags), Null
  85:           End If
  86:
  87:           DisplayFormattedSTDProperty strIndent & "| ObjectType", _
  88:                                       objACE.ObjectType, Null
  89:           DisplayFormattedSTDProperty strIndent & "| InheritedObjectType", _
  90:                                       objACE.InheritedObjectType, Null
  91:           DisplayFormattedSTDProperty strIndent & "| Trustee", _
  92:                                       objACE.Trustee, Null
  93:
  94:           ' Close ACE Data -------------------------------------------------------------------
  95:           WScript.Echo strIndent & "+-" & _
  96:                        String (90 - Len (strIndent) + 2, "-")
  97:       Next
  98:
  99:       strIndent = Mid (strIndent, 1, Len (strIndent) - 1)
 100:
 101:       ' Close Discretionary ACL data ---------------------------------------------------------
 102:       WScript.Echo strIndent & "+-" & _
 103:                    String (90 - Len (strIndent) + 2, "-")
 104:       strIndent = Mid (strIndent, 1, Len (strIndent) - 1)
 105:    Else
 106:       Err.Clear
 107:    End If
 108:
 109:    intACECount = 0
 110:    Set objACL = objSD.SystemACL
 111:    intACECount = objACL.AceCount
 112:    If intACECount And Err.Number = 0 Then
 113:       ' Open System ACL data -----------------------------------------------------------------
 114:       strIndent = strIndent & "|"
 115:       WScript.Echo strIndent & "+- ADSI SystemAcl " & _
 116:                    String (76 - Len (strIndent), "-")
 117:
 118:       strIndent = strIndent & "|"
 119:
 120:       For Each objACE In objACL
 ...:
 162:       Next
 163:
 164:       strIndent = Mid (strIndent, 1, Len (strIndent) - 1)
 165:
 166:       ' Close System ACL data ----------------------------------------------------------------
 167:       WScript.Echo strIndent & "+-" & _
 168:                    String (90 - Len (strIndent) + 2, "-")
 169:       strIndent = Mid (strIndent, 1, Len (strIndent) - 1)
 170:    Else
 171:       Err.Clear
 172:    End If
 173:
 174:    ' Close Security Descriptor data ----------------------------------------------------------
 175:    WScript.Echo strIndent & "+-" & _
 176:                 String (90 - Len (strIndent) + 2, "-")
 177:
 178:End Function

end example

Sample 4.29 starts by displaying the properties of the SecurityDescriptor object (lines 23 through 33). Next, it continues with the AccessControlEntry object collection stored in the Discretionary ACL (lines 35 through 44). The code displays each property of every ACE in the DACL in a loop (lines 46 through 97). Then it repeats exactly the same logic for the ACEs in the SACL (lines 109 through 172).

The end result with an ADSI representation is almost the same as with the WMI representation. The difference lies in the SACL representation. The following sample output is a folder security descriptor accessed under Windows 2000 with ADsSecurity.DLL. As we have seen before, the ADsSecurity.DLL ActiveX component does not support access to the SACL, so the SACL is not displayed. The output obtained is as follows:

   C:\>WMIManageSD.Wsf /FileSystem:C:\MyDirectory /ADSI+
   Microsoft (R) Windows Script Host Version 5.6
   Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

   Reading File or Folder security descriptor via ADSI from 'C:\MyDirectory'.

   +- ADSI Security Descriptor ----------------------------------------------------------------
   | Owner: ................................. BUILTIN\Administrators
   | Group: ................................. LISSWARENET\Domain Users
   | Revision: .............................. 1
   | Control: ............................... &h9004
   |+- ADSI DiscretionaryAcl ------------------------------------------------------------------
   ||+- ADSI ACE ------------------------------------------------------------------------------
   ||| AccessMask: .......................... &h1F01FF
   ||| AceFlags: ............................ &h3
   ||| AceType: ............................. &h0
   ||| AceFlagType: ......................... &h0
   ||| Trustee: ............................. BUILTIN\Administrators
   ||+-----------------------------------------------------------------------------------------
   ||+- ADSI ACE ------------------------------------------------------------------------------
   ||| AccessMask: .......................... &h1200A9
   ||| AceFlags: ............................ &h2
   ||| AceType: ............................. &h0
   ||| AceFlagType: ......................... &h0
   ||| Trustee: ............................. LISSWARENET\MyGroup
   ||+-----------------------------------------------------------------------------------------
   |+------------------------------------------------------------------------------------------
   +-------------------------------------------------------------------------------------------




Leveraging WMI Scripting
Leveraging WMI Scripting: Using Windows Management Instrumentation to Solve Windows Management Problems (HP Technologies)
ISBN: 1555582990
Year: 2003
Pages: 82
Authors: Alain Lissoir
