The Win32 API contains a set of functions that help you perform various security tasks. Each set of functions addresses a specific area, such as a caller access token or an access control list (the SACL or DACL). This section of the chapter provides a quick overview of the most important functions. You can find a complete list of authorization functions at http://msdn.microsoft.com/library/en-us/security/security/authorization_functions.asp.
The user (or caller) access token is a key to a resource. When a user access token appears in the list of access granted tokens for a particular resource, the caller can access that resource. Table 14.1 contains an overview of the most common API functions that you’ll normally use to change the user’s access token. The selection criterion was features that you commonly need but can’t reach from the .NET Framework. For example, you can’t easily determine whether the system is auditing the actions of a caller without using the GetAuditedPermissionsFromAcl() function.
Note: The entries in the Function Name column in Tables 14.1, 14.2, 14.3 and 14.4 are single function names, even though the name may appear on more than one line. The use of multiple lines helps make the function name fit within the confines of the book. See the example source code in Chapters 14 and 15 for examples of the full function names in use.
In general, you can obtain access to user information without using a SID. However, you do need SIDs to perform useful work. For example, certain Windows objects have static SIDs that you can use to access their security settings. (See the list of well-known SIDs at http://msdn.microsoft.com/library/en-us/security/security/well_known_sids.asp.) Active Directory also relies on SIDs for a number of tasks (the example in the “Working Directly with the Domain Controller” section of Chapter 12 shows how to work with Active Directory using PInvoke). Table 14.2 contains a list of the most common SID-related functions.
Function Name | Description |
---|---|
AllocateAndInitializeSid | Creates and initializes a SID with up to eight subauthorities. |
ConvertSidToStringSid | Converts a SID to a string in human readable format. This format consists of values in the form S-R-I-SA, where S designates the string as a SID, R is the revision level, I is the identifier authority value, and SA is one or more sub-authority values. Note that the dashes between the SID values are always part of the SID string. |
ConvertStringSidToSid | Converts a specially formatted string into a SID. |
FreeSid | Deallocates the memory used by a SID previously created using the AllocateAndInitializeSid function. |
GetSidIdentifierAuthority | Returns a pointer to a SID_IDENTIFIER_AUTHORITY data structure that contains an array of six bytes that specify the SID’s top-level authority. Predefined authorities include NULL (0), local (1), world (2), creator (3), and Windows NT/Windows 2000 (5). |
InitializeSid | Sets the identifier authority of a SID structure to a known value using a SID_IDENTIFIER_AUTHORITY data structure. Sub-authority values aren’t set using this function. Use the AllocateAndInitializeSid function to initialize a SID completely. |
IsValidSid | Determines the validity of a SID structure’s contents. This function checks the revision number and ensures that the number of sub-authorities doesn’t exceed the maximum value. |
LookupAccountName | Retrieves the SID (and accompanying data) for a specific account. You must supply an account and system name. |
LookupAccountSid | Retrieves the name and machine associated with a given SID. It also returns the name of the SID’s first domain. |
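The following PInvoke example is added here and is not the book’s code. It uses ConvertStringSidToSid, IsValidSid and LookupAccountSid from Table 14.2 to resolve the well-known SID S-1-5-32-544 (the BUILTIN\Administrators alias, assumed as the input) to its account name, and shows which deallocation function the returned SID needs.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;

// Added example (not from the book): resolve a SID string to an account name via PInvoke.
static class SidDemo
{
    enum SID_NAME_USE { SidTypeUser = 1, SidTypeGroup, SidTypeDomain, SidTypeAlias,
        SidTypeWellKnownGroup, SidTypeDeletedAccount, SidTypeInvalid, SidTypeUnknown, SidTypeComputer }

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool ConvertStringSidToSid(string stringSid, out IntPtr sid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool IsValidSid(IntPtr sid);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupAccountSid(string systemName, IntPtr sid,
        StringBuilder name, ref uint cchName,
        StringBuilder domain, ref uint cchDomain, out SID_NAME_USE use);
    // ConvertStringSidToSid allocates the SID with LocalAlloc, so it is released with
    // LocalFree. FreeSid pairs only with SIDs created by AllocateAndInitializeSid.
    [DllImport("kernel32.dll")]
    static extern IntPtr LocalFree(IntPtr mem);

    static void Main()
    {
        const string sidString = "S-1-5-32-544";   // well-known SID of BUILTIN\Administrators
        IntPtr sid = IntPtr.Zero;
        try
        {
            if (!ConvertStringSidToSid(sidString, out sid) || !IsValidSid(sid))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            uint cchName = 0, cchDomain = 0;
            // First call with empty buffers fails with ERROR_INSUFFICIENT_BUFFER
            // and reports the sizes (including the terminator) that are needed.
            LookupAccountSid(null, sid, null, ref cchName, null, ref cchDomain, out SID_NAME_USE use);
            var name = new StringBuilder((int)cchName);
            var domain = new StringBuilder((int)cchDomain);
            if (!LookupAccountSid(null, sid, name, ref cchName, domain, ref cchDomain, out use))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            Console.WriteLine($"{sidString} -> {domain}\\{name} ({use})");
        }
        finally
        {
            if (sid != IntPtr.Zero) LocalFree(sid);
        }
    }
}
```

Passing null for the system name queries the local machine; on a domain-joined machine a domain SID resolves through the domain controller instead.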
Once Windows determines a caller’s rights, it must match those rights to the access requirements of the system resource. This means working with security descriptors. A security descriptor is a lock on the object or other system resource. The key (access token) fits the lock or it doesn’t. Windows grants or denies access when the key fits the lock. Table 14.3 is an overview of the security descriptor API functions.
Function Name | Description |
---|---|
ConvertSecurityDescriptorToStringSecurityDescriptor | Converts a security descriptor to string format. Flags determine the level of information returned in the string. A complete string contains the owner SID, the group SID, a DACL flag list using coded letters, a SACL flag list using coded letters, and a series of ACE entries. |
ConvertStringSecurityDescriptorToSecurityDescriptor | Converts a specially formatted string into a security descriptor. |
GetNamedSecurityInfo | Returns the security descriptor for the named object provided as input. Flags determine what kind of information to retrieve. |
GetSecurityDescriptorControl | Returns the security descriptor control information and revision number for the security descriptor structure provided as input. |
GetSecurityInfo | Returns the security descriptor for an object that is specified using an object handle. Windows 2000 provides flags that determine which security descriptor entries to retrieve. |
Note: The entries in the Function Name column are single function names, even though the name may appear on more than one line. The use of multiple lines helps make the function name fit within the confines of the book. See the example source code in Chapters 14 and 15 for examples of the full function names in use.
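This added example (not the book’s code) combines GetNamedSecurityInfo and ConvertSecurityDescriptorToStringSecurityDescriptor from Table 14.3 to dump a file’s owner, group and DACL as a string; the file path is an assumed placeholder.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example (not the book's code): dump a file's security descriptor as an SDDL string.
static class SecurityDescriptorDemo
{
    const uint SE_FILE_OBJECT = 1;               // SE_OBJECT_TYPE value for files and directories
    const uint OWNER_SECURITY_INFORMATION = 0x1;
    const uint GROUP_SECURITY_INFORMATION = 0x2;
    const uint DACL_SECURITY_INFORMATION = 0x4;  // SACL left out: reading it needs SeSecurityPrivilege
    const uint SDDL_REVISION_1 = 1;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern uint GetNamedSecurityInfo(string objectName, uint objectType, uint securityInfo,
        out IntPtr owner, out IntPtr group, out IntPtr dacl, out IntPtr sacl, out IntPtr securityDescriptor);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool ConvertSecurityDescriptorToStringSecurityDescriptor(IntPtr securityDescriptor,
        uint revision, uint securityInfo, out IntPtr stringSd, out uint stringSdLen);
    [DllImport("kernel32.dll")]
    static extern IntPtr LocalFree(IntPtr mem);

    // Returns the owner, group and DACL portion of the descriptor in SDDL form.
    static string GetSddl(string path)
    {
        const uint flags = OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION;
        // Unlike most of these functions, GetNamedSecurityInfo returns a Win32 error code, not a bool.
        uint err = GetNamedSecurityInfo(path, SE_FILE_OBJECT, flags, out _, out _, out _, out _, out IntPtr sd);
        if (err != 0) throw new Win32Exception((int)err);
        IntPtr str = IntPtr.Zero;
        try
        {
            if (!ConvertSecurityDescriptorToStringSecurityDescriptor(sd, SDDL_REVISION_1, flags, out str, out _))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            return Marshal.PtrToStringUni(str);
        }
        finally
        {
            // Both buffers are LocalAlloc'd by the API; the owner/group/DACL pointers live inside sd.
            if (str != IntPtr.Zero) LocalFree(str);
            LocalFree(sd);
        }
    }

    static void Main(string[] args)
    {
        // Assumed path for the demonstration; pass any file the caller is allowed to read.
        Console.WriteLine(GetSddl(args.Length > 0 ? args[0] : @"C:\Windows\notepad.exe"));
    }
}
```

The output is the same O:/G:/D: string format described for ConvertSecurityDescriptorToStringSecurityDescriptor above, so it can be compared directly against a descriptor you build with ConvertStringSecurityDescriptorToSecurityDescriptor.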
By now, you should have some idea of how to work within the security portion of the Win32 API. The divisions I set up within the tables are artificial; they’re for description purposes to make the functions easier to comprehend and use. In a real world application, you’ll combine elements of all three tables to create a complete security picture.