4.8 Creating a default security descriptor


In Sample 4.16 ("Retrieving file system share security descriptors with WMI [Part III]") and Sample 4.17 ("Retrieving file system share security descriptors with ADSI [Part IV]"), we saw that it was necessary to create a default security descriptor by invoking the CreateDefaultSD() function (Sample 4.25). This is necessary because a file system share does not necessarily have a security descriptor defined. Because a file system share has a default behavior when no security descriptor is set, the script provides exactly the default security descriptor that is supposed to be in effect. When examining a share, this avoids any confusion in situations where no security descriptor is set on the share. Windows Explorer behaves in the same way, since it shows a security descriptor set on the share (Figure 4.17). If a script tries to retrieve the security descriptor of such a share, the call returns an error stating that no security descriptor is available. Therefore, Sample 4.25 creates the corresponding security descriptor.

Sample 4.25: Create a default security descriptor for a share

   .:
   .:
   .:
   8:' ---------------------------------------------------------------------------------------------
   9:Function CreateDefaultSD (objWMIServices, intSDType)
  ..:
  18:    Select Case intSDType
  ..:
  22:           Case cFileViaWMI
  ..:
  27:           Case cFileViaADSI
  ..:
  32:' +----------------------------------------------------------------------------------------+
  33:' | Share                                                                                  |
  34:' +----------------------------------------------------------------------------------------+
  35:           Case cShareViaWMI
  36:' WMI creation technique -------------------------------------------------------------------
  37:
  38:                Set objNewSD = objWMIServices.Get("Win32_SecurityDescriptor").SpawnInstance_()
  39:                Set objNewACE = objWMIServices.Get("Win32_ACE").SpawnInstance_()
  40:                Set objNewTrustee = objWMIServices.Get("Win32_Trustee").SpawnInstance_()
  41:
  42:                objNewTrustee.Domain = Null
  43:                objNewTrustee.Name = "Everyone"
  44:                objNewTrustee.SIDString = "S-1-1-0"
  45:                objNewTrustee.SID = Array (1,1,0,0,0,0,0,1,0,0,0,0)
  46:                objNewTrustee.SidLength = 12
  47:
  48:                objNewACE.Trustee = objNewTrustee
  49:                objNewACE.AceType = ACCESS_ALLOWED_ACE_TYPE
  50:                objNewACE.AccessMask = FILE_SHARE_FULL_ACCESS Or _
  51:                                       FILE_SHARE_CHANGE_ACCESS Or _
  52:                                       FILE_SHARE_READ_ACCESS
  53:                objNewACE.AceFlags = 0
  54:
  55:                objNewSD.DACL = Array (objNewAce)
  56:                objNewSD.ControlFlags = SE_SELF_RELATIVE Or SE_DACL_PRESENT
  57:
  58:                ' Here objNewSD contains a security descriptor in the WMI object model.
  59:
  60:           Case cShareViaADSI
  61:' ADSI creation technique ------------------------------------------------------------------
  62:
  63:                ' Windows Server 2003 only
  64:                Set objNewSD = CreateObject ("SecurityDescriptor")
  65:                Set objNewACL = CreateObject ("AccessControlList")
  66:                Set objNewACE = CreateObject ("AccessControlEntry")
  67:
  68:                objNewACE.Trustee = "Everyone"
  69:                objNewACE.AceType = ACCESS_ALLOWED_ACE_TYPE
  70:                objNewACE.AccessMask = FILE_SHARE_FULL_ACCESS Or _
  71:                                       FILE_SHARE_CHANGE_ACCESS Or _
  72:                                       FILE_SHARE_READ_ACCESS
  73:                objNewACE.AceFlags = 0
  74:
  75:                objNewACL.AddAce objNewAce
  76:
  77:                objNewSD.DiscretionaryACL = objNewACL
  78:                objNewSD.Revision = 1
  79:                objNewSD.Control = SE_SELF_RELATIVE Or SE_DACL_PRESENT
  ..:
  84:                ' Here objNewSD contains a security descriptor in the ADSI object model.
  ..:
  94:           Case cActiveDirectoryViaADSI
  ..:
 102:           Case cExchange2000MailboxViaWMI
 ...:
 107:           Case cExchange2000MailboxViaADSI
 ...:
 112:           Case cExchange2000MailboxViaCDOEXM
 ...:
 120:           Case cRegistryViaWMI
 ...:
 125:           Case cRegistryViaADSI
 ...:
 133:           Case cWMINameSpaceViaWMI
 ...:
 138:           Case cWMINameSpaceViaADSI
 ...:
 145:    End Select
 146:
 147:    Set CreateDefaultSD = objNewSD
 ...:
 151:End Function


Figure 4.17: The default share security descriptor.

It is important to note that the file system share is the only case where a default security descriptor is created when it is missing. This is why Sample 4.25 creates a default security descriptor only for file system share security descriptors accessed with WMI (lines 36 through 58) or ADSI (lines 60 through 84). All other cases expect to find a security descriptor. For every other manageable entity, if no security descriptor is set, the script returns an error claiming that no security descriptor is available. This situation is shown in Samples 4.14 through 4.24.

As shown in Sample 4.25 (lines 38 through 58), when the security descriptor must be returned in the WMI object model, the script uses the SWbemServices object to create three new instances: one from the Win32_SecurityDescriptor class (line 38), one from the Win32_ACE class (line 39), and one from the Win32_Trustee class (line 40). These three instances are the ones required to create a new security descriptor in the WMI object model. However, creating them is not enough: each must be properly initialized. Sample 4.25 performs this task from line 42 through 58 for the WMI object model. From line 42 through 46, the script creates the trustee for the "Everyone" group. The trustee creation requires the SID of the group. Because the "Everyone" group is a built-in group available on all Windows installations, its trustee can be created immediately with its well-known SID (S-1-1-0), in string form (line 44) and in binary form (line 45).

Next, the script initializes the rights necessary to grant Full Control to the "Everyone" group (lines 48 through 58). Note that under Windows XP and Windows Server 2003, the default access on a share for the "Everyone" group is read-only (the FILE_SHARE_READ_ACCESS flag). These values are defined in SecurityInclude.vbs, included at line 155 of Sample 4.2 ("The WMIManageSD.Wsf framework to manage security descriptors from the command line"). We will see later, in section 4.11.4 ("Deciphering the Access Control Entries"), how to select the values that create specific rights. Once complete, the CreateDefaultSD() function returns a WMI security descriptor representation of the rights set on a file system share, as shown in Figure 4.17.
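The two representations of the "Everyone" SID on lines 44 and 45 of Sample 4.25, and the access mask and control flags assigned on lines 50 through 56, are worth checking by hand. The following Python script is an added example, not code from the book or its SecurityInclude.vbs: it converts a SID between its string and 12-byte binary forms, and decodes the access mask and control flags of the default share ACE. The constant values are the standard Win32 ones (winnt.h and the usual share permission masks), which are assumed to match what SecurityInclude.vbs defines, since this page does not reproduce that file; the function names are hypothetical.

```python
# Added example (not from the book): encode/decode the well-known "Everyone" SID
# and decode the access mask / control flags that Sample 4.25 assigns to the
# default share security descriptor.
import struct

# Standard Win32 values (winnt.h). The page names these constants but does not
# reproduce SecurityInclude.vbs, so the values are assumed to match it.
ACCESS_ALLOWED_ACE_TYPE = 0x0
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
# Share permission masks as Windows maps Read / Change / Full Control.
FILE_SHARE_READ_ACCESS = 0x001200A9
FILE_SHARE_CHANGE_ACCESS = 0x001301BF
FILE_SHARE_FULL_ACCESS = 0x001F01FF


def sid_string_to_bytes(sid):
    """Encode 'S-R-I-S1-...-Sn' into the binary SID layout: revision (1 byte),
    sub-authority count (1 byte), identifier authority (6 bytes, big-endian),
    then each sub-authority as a 4-byte little-endian integer."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    head = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def sid_bytes_to_string(blob):
    """Inverse of sid_string_to_bytes; rejects truncated or oversized buffers."""
    if len(blob) < 8:
        raise ValueError("SID buffer too short")
    revision, count = struct.unpack_from("<BB", blob, 0)
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8) if count else ()
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def describe_access_mask(mask):
    """Name every share permission level whose bits are all present in the mask.
    Full Control is a superset of Change, which is a superset of Read, so a
    Full Control mask reports all three."""
    levels = [("Full Control", FILE_SHARE_FULL_ACCESS),
              ("Change", FILE_SHARE_CHANGE_ACCESS),
              ("Read", FILE_SHARE_READ_ACCESS)]
    return [name for name, bits in levels if mask & bits == bits]


def describe_control(control):
    """Name the security descriptor control flags set in the value."""
    flags = [("SE_DACL_PRESENT", SE_DACL_PRESENT), ("SE_SELF_RELATIVE", SE_SELF_RELATIVE)]
    return [name for name, bit in flags if control & bit]


def default_share_ace():
    """Python mirror of the values Sample 4.25 assigns on lines 42 through 56."""
    trustee_sid = sid_string_to_bytes("S-1-1-0")
    return {
        "trustee_name": "Everyone",
        "sid_string": "S-1-1-0",
        "sid": list(trustee_sid),            # same bytes as the VBScript Array(...)
        "sid_length": len(trustee_sid),      # SidLength on line 46
        "ace_type": ACCESS_ALLOWED_ACE_TYPE,
        "access_mask": FILE_SHARE_FULL_ACCESS | FILE_SHARE_CHANGE_ACCESS | FILE_SHARE_READ_ACCESS,
        "ace_flags": 0,
        "control_flags": SE_SELF_RELATIVE | SE_DACL_PRESENT,
    }


if __name__ == "__main__":
    ace = default_share_ace()
    print(ace["sid"], ace["sid_length"])
    print(hex(ace["access_mask"]), describe_access_mask(ace["access_mask"]))
    print(describe_control(ace["control_flags"]))
```

Running it shows that "S-1-1-0" encodes to the same twelve bytes the VBScript passes on line 45 (revision 1, one sub-authority, identifier authority 1, sub-authority 0), and that OR-ing the three share masks together yields FILE_SHARE_FULL_ACCESS alone, since Full Control already contains every bit of Change and Read. The length check in sid_bytes_to_string is the kind of validation worth keeping when a SID arrives from a directory or a captured descriptor rather than from a constant.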

When the security descriptor must be returned in the ADSI object model, the script follows the same logic, but with the ADSI object model: it creates the ADSI objects that represent a security descriptor (lines 64 through 66), namely a security descriptor (line 64), an Access Control List (line 65), and an Access Control Entry (line 66). Once they are created, the script initializes the various values to grant the required rights to the "Everyone" group, as shown in Figure 4.17.

An important point to note here concerns the values defining the rights. Whether the security descriptor is represented in the ADSI object model or in the WMI object model, the assigned values are the same. This means that the values used to decipher a security descriptor are constants, independent of the object model used. This is worth remembering when we decipher the security descriptor in section 4.10 ("Deciphering the security descriptor").




Leveraging WMI Scripting
Leveraging WMI Scripting: Using Windows Management Instrumentation to Solve Windows Management Problems (HP Technologies)
ISBN: 1555582990
Year: 2003
Pages: 82
Authors: Alain Lissoir
