COM . , NT (nonremotable) ( , , ) , , . Windows NT 4.0 COM , . , COM RPC, COM RPC.
COM : (authentication), (access control) (token management). , : , , . , . , . COM , COM, . ; , , - " " NT. COM , .
COM . DCOMCNFG. ( ), COM. ( ) API- . DCOMCNFG.EXE API- . , DCOMCNFG.EXE.
COM RPC (impersonation). , RPC , . (protocol sequences) ( , "ncadg_ip_udp"), DLL. COM. RPC , . , DLL . DLL SSPI (Security Support Provider Interface ), Internet Draft Standard GSSAPI.
. :
// Authentication services (security packages) that COM can be asked to use.
// COM passes the value straight through to the RPC runtime, which loads the
// matching SSP DLL.
enum {
    RPC_C_AUTHN_NONE        = 0,        // no authentication package
    RPC_C_AUTHN_DCE_PRIVATE = 1,        // DCE private key (not used)
    RPC_C_AUTHN_DCE_PUBLIC  = 2,        // DCE public key (not used)
    RPC_C_AUTHN_DEC_PUBLIC  = 4,        // Digital Equipment public key (not used)
    RPC_C_AUTHN_WINNT       = 10,       // NT LAN Manager (NTLM); the only package shipped with Windows NT 4.0
    // NOTE(review): no explicit initializer, so as written this member takes 11;
    // the Win32 header rpcdce.h defines RPC_C_AUTHN_GSS_KERBEROS as 16 — confirm
    // against the header before relying on the value.
    RPC_C_AUTHN_GSS_KERBEROS,           // Kerberos; available alongside NTLM from Windows NT 5.0
    RPC_C_AUTHN_MQ          = 100,      // MS Message Queue package
    RPC_C_AUTHN_DEFAULT     = 0xFFFFFFFFL   // let COM/RPC pick the default package
};
RPC_C_AUTHN_WINNT , (NT LAN (local area network) Manager NTLM). RPC_C_AUTHN_GSS_KERBEROS , Kerberos. Windows NT 4.0 NTLM, SSP . Windows NT 5.0 NTLM Kerberos. .
, . , SSP DLL. , SSP DLL ORPC. , SSP DLL RPC , . SSP DLL , , . DCE RPC ( COM) , :
// Authentication levels, listed from weakest to strongest protection.
// Each level adds to the guarantees of the level before it; the surrounding
// text notes that an SSP may promote a requested level to a stronger one
// (e.g. RPC_C_AUTHN_LEVEL_CALL to RPC_C_AUTHN_LEVEL_PKT), never to a weaker one.
enum {
    RPC_C_AUTHN_LEVEL_DEFAULT,          // use default level for pkg
    RPC_C_AUTHN_LEVEL_NONE,             // no authentication at all
    RPC_C_AUTHN_LEVEL_CONNECT,          // only authenticate credentials (once, when the connection is set up)
    RPC_C_AUTHN_LEVEL_CALL,             // protect message headers (authenticate each call)
    RPC_C_AUTHN_LEVEL_PKT,              // protect packet headers (authenticate each packet)
    RPC_C_AUTHN_LEVEL_PKT_INTEGRITY,    // protect parameter state (detect tampering with the payload)
    RPC_C_AUTHN_LEVEL_PKT_PRIVACY,      // encrypt parameter state (integrity plus confidentiality)
};
. RPC_C_AUTHN_LEVEL_NONE , . RPC_C_AUTHN_LEVEL_CONNECT , . , ORPC E_ACCESSDENIED. , , SSP . NTLM (challenge) . . , (response). , , , . , " " . NTLMSSP ( ) - , RPC . . ( , ) (pass-through authentication) .
RPC_C_AUTHN_LEVEL_CONNECT , , . , - RPC- DCE ( ) . RPC_C_AUTHN_LEVEL_CALL. SSP DLL RPC- RPC - ( ). RPC , RPC API RPC_C_AUTHN_LEVEL_PKT. , , RPC_C_AUTHN_LEVEL_CALL, RPC- .
RPC_C_AUTHN_LEVEL_PKT SSP DLL RPC- RPC- . , , RPC RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. SSP DLL , . SSP DLL, , RPC_C_AUTHN_LEVEL_PKT, , .
RPC_C_AUTHN_LEVEL_PKT_INTEGRITY RPC- ( , ). RPC RPC_C_AUTHN_LEVEL_PKT_PRIVACY. SSP DLL . RPC_C_AUTHN_LEVEL_PKT_PRIVACY . RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, SSP DLL, .
API- COM CoInitializeSecurity. , COM, CoInitializeSecurity , . CoInitializeSecurity . , API- . , CoInitializeSecurity RPC, , . , CoInitializeSecurity , ORPC- , . CoInitializeSecurity :
// HRESULT CoInitializeSecurity(...)
// Establishes the process-wide COM security settings. Per the surrounding
// text it can be called only once per process and must precede the first
// COM call that needs security (otherwise COM applies registry defaults).
// The [in] annotations are MIDL-style documentation of parameter direction.
HRESULT CoInitializeSecurity(
    [in] PSECURITY_DESCRIPTOR pSecDesc,             // access control: who may call into this process
    [in] LONG cAuthSvc,                             // # of sec pkgs in rgsAuthSvc (-1 == use defaults)
    [in] SOLE_AUTHENTICATION_SERVICE *rgsAuthSvc,   // SSP array (one entry per authentication package)
    [in] void *pReserved1,                          // reserved, must be zero
    [in] DWORD dwAuthnLevel,                        // authentication level (RPC_C_AUTHN_LEVEL_xxx)
    [in] DWORD dwImpLevel,                          // impersonation level (RPC_C_IMP_LEVEL_xxx); presumably applied to proxies this process unmarshals — see text
    [in] void *pReserved2,                          // reserved, must be zero
    [in] DWORD dwCapabilities,                      // misc flags (EOAC_xxx)
    [in] void *pReserved3                           // reserved, must be zero
);
, / . / . .
CoInitializeSecurity, pSecDesc, , . , , (principals) , . . CoInitializeSecurity, cAuthSvc rgsAuthSvc, COM. :
// One element of the rgsAuthSvc array handed to CoInitializeSecurity:
// names an authentication package COM should register for this process.
typedef struct tagSOLE_AUTHENTICATION_SERVICE {
    DWORD    dwAuthnSvc;        // which authentication package? (RPC_C_AUTHN_xxx)
    DWORD    dwAuthzSvc;        // which authorization service? (RPC_C_AUTHZ_NONE for NTLM, per the text)
    OLECHAR *pPrincipalName;    // server principal name, or NULL if the package does not need one — confirm
    HRESULT  hr;                // result of registration for this package
} SOLE_AUTHENTICATION_SERVICE;
Windows NT 4.0 RPC_C_AUTHN_WINNT (NTLM). NTLM (authorization service , ) RPC_C_AUTHZ_NONE, 1. , ( ) , : cAuthSvc, -1, rgsAuthSvc, .
CoInitializeSecurity, dwAuthnLevel, , . , , , . , ORPC- ; . , , API- COM. , COM , , , OXID. COM , , . , , , , . , ORPC- , , . , 2.
CoInitializeSecurity, dwImpLevel . , , (impersonation level), , CoUnmarshalInterface. , . , :
// Impersonation levels: how much of the caller's identity the callee may use.
// Higher values grant the server more power over the client's credentials,
// so a client should request the lowest level the server actually needs.
enum {
    RPC_C_IMP_LEVEL_ANONYMOUS   = 1,    // hide credentials of caller from object
    RPC_C_IMP_LEVEL_IDENTIFY    = 2,    // allow object to query credentials of caller (but not act as the caller)
    RPC_C_IMP_LEVEL_IMPERSONATE = 3,    // allow use of caller's credentials up to one hop away
    RPC_C_IMP_LEVEL_DELEGATE    = 4     // allow use of caller's credentials across multiple hops (the text: Kerberos only, not NTLM)
};
RPC_C_IMP_LEVEL_ANONYMOUS 3. RPC_C_IMP_LEVEL_IDENTIFY , . RPC_C_IMP_LEVEL_IMPERSONATE , , . , 4. , RPC_C_IMP_LEVEL_DELEGATE , . NTLM, Kerberos.
CoInitializeSecurity, dwCapabilities . , :
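// Capability flags for the dwCapabilities argument of CoInitializeSecurity.
// The hex prefixes were lost in transcription ("0 1" etc.); the values are
// single-bit flags and are combined with bitwise OR.
typedef enum tagEOLE_AUTHENTICATION_CAPABILITIES {
    EOAC_NONE           = 0x0,
    EOAC_MUTUAL_AUTH    = 0x1,  // client also authenticates the server (the text: not available with NTLM)
    // These are only valid for CoInitializeSecurity
    EOAC_SECURE_REFS    = 0x2,  // authenticate reference-counting (AddRef/Release) traffic
    EOAC_ACCESS_CONTROL = 0x4,
    EOAC_APPID          = 0x8
} EOLE_AUTHENTICATION_CAPABILITIES;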
(EOAC_MUTUAL_AUTH) NTLM . , . (EOAC_MUTUAL_AUTH) , COM , , OR . EOAC_ACCESS_CONTROL EOAC_APPID CoInitializeSecurity .
, CoInitializeSecurity , . , CoInitializeSecurity , CoInitializeEx, " COM" (first interesting COM call). " COM" API- , OXID. CoMarshalInterface CoUnmarshalInterface, API- , . CoRegisterClassObject , CoInitializeSecurity . API- ( , CoCreateInstanceEx) . API- , COM API ( , , COM- ) CoInitializeSecurity. , CoInitializeSecurity , , DLL . CoInitializeSecurity , COM COM.
COM CoInitializeSecurity , . , , AppID . AppID , COM
HKEY_CLASSES_ROOT\AppID
COM , AppID AppID:
[HKCR\AppID\ServerOfTheApes.exe] AppID="{27EE6A4D-DF65-11d0-8C5F-0080C73925BA}"
, COM , .
CoInitializeSecurity , pSecDesc, ( ) NT SECURITY_DESCRIPTOR :
[HKCR\AppID\{27EE6A4D-DF65-11d0-8C5F-0080C73925BA}] AccessPermission=<serialized NT security descriptor>
, COM :
[HKEY_LOCAL_MACHINE\Software\Microsoft\OLE] DefaultAccessPermission=<serialized NT security descriptor>
DCOMCNFG. . , COM (security descriptor), SYSTEM. COM , Win32 API- AccessCheck , .
CoInitializeSecurity (cAuthSvc rgsAuthSvc) -1 , , , . CoInitializeSecurity (dwAuthnLevel dwImpLevel) :
[HKEY_LOCAL_MACHINE\Software\Microsoft\OLE] LegacyAuthenticationLevel = 0x5 LegacyImpersonationLevel = 0x3
RPC_C_AUTHN_LEVEL_PKT_INTEGRITY RPC_C_IMP_LEVEL_IMPERSONATE 5 3 . , RPC_C_AUTHN_LEVEL_CONNECT RPC_C_IMP_LEVEL_IDENTIFY. , CoInitializeSecurity, dwCapabilities, EOAC_SECURE_REFS:
[HKEY_LOCAL_MACHINE\Software\Microsoft\OLE] LegacySecureRefs = "Y"
"Y" "y", COM EOAC_SECURE_REFS; EOAC_NONE. DCOMCNFG. .
1 .
2 , / , . , NTLM RPC_C_AUTHN_LEVEL_PKT_PRIVACY . , NTLM RPC_C_AUTHN_LEVEL_CONNECT RPC_C_AUTHN_LEVEL_CALL RPC_C_AUTHN_LEVEL_PKT (datagram transports) ( , UDP). , (connection-oriented transport) ( , TCP), NTLM RPC_C_AUTHN_LEVEL_CALL to RPC_C_AUTHN_LEVEL_PKT.
3 SSP - NTLM Kerberos - , RPC_C_IMP_LEVEL_IDENTIFY, .
4 RPC_C_IMP_LEVEL_IMPERSONATE . .