Solved

Named Pipe Security for Domain Users only...

Posted on 2004-04-29
5
977 Views
Last Modified: 2008-02-01
I am creating a named pipe that I want to allow only domain users to access.  I have posted the code below that I am using.  When I run the application there are no exceptions, everything appears to run normally.  However, when I try to create a client for the named pipe, I always get and ERROR_ACCESS_DENIED Win32 error code.  If I create the security descriptor with a NULL ACL the application works properly.

Hopefully someone can help.

SID_IDENTIFIER_AUTHORITY      SIDDomainAuth = SECURITY_NT_AUTHORITY;            // The domain users authority
int            nSize;                                                // The size of the ACL

// Allocate memory for the security descriptor
m_pSD = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR,SECURITY_DESCRIPTOR_MIN_LENGTH);

// Check for allocation failure
if (m_pSD == NULL)
      ThrowPipeException("Failed to allocate memory for the security descriptor.",false);

// Initialize the security descriptor
if (!InitializeSecurityDescriptor(m_pSD, SECURITY_DESCRIPTOR_REVISION))
      ThrowPipeException("Failed to initialize the security descriptor.");

//      m_pACL = NULL;

// Allocate memory for the ACL
m_pACL = (PACL)LocalAlloc(LPTR,sizeof(ACL));

// Allocate and initialize a domain SID
if (!AllocateAndInitializeSid(&SIDDomainAuth,1,DOMAIN_GROUP_RID_USERS,0,0,0,0,0,0,0,&m_pSIDDomain))
      ThrowPipeException("Failed to allocate a domain user SID.");

// Calculate the size of the ACL
nSize = sizeof(ACL);
nSize += (sizeof(ACCESS_ALLOWED_ACE) - sizeof (DWORD) + GetLengthSid(m_pSIDDomain));

// Initialize the ACL
if (!InitializeAcl(m_pACL,nSize,ACL_REVISION))
      ThrowPipeException("Failed to initialize the ACL.");

// Add the appropriate access for the domain users
if (!AddAccessAllowedAce(m_pACL,ACL_REVISION,FILE_ALL_ACCESS,m_pSIDDomain))
      ThrowPipeException("Failed to grant access to domain users.");

// Check to make sure the ACL is valid
if (!IsValidAcl(m_pACL))
      ThrowPipeException("Invalid ACL.");

// Set the security descriptor's SACL
if (!SetSecurityDescriptorDacl(m_pSD,TRUE,m_pACL,FALSE))
      ThrowPipeException("Failed to set the security descriptor DACL.");

// Check to make sure the security descriptor is valid
if (!IsValidSecurityDescriptor(m_pSD))
      ThrowPipeException("Invalid security descriptor.");

// Initialize the security attributes
m_SA.nLength = sizeof(m_SA);
m_SA.lpSecurityDescriptor = m_pSD;
m_SA.bInheritHandle = FALSE;
0
Comment
Question by:stu_pb
  • 2
5 Comments
 
LVL 86

Expert Comment

by:jkr
ID: 10952692
Shouldn't that be

// Allocate and initialize a domain SID
if (!AllocateAndInitializeSid(&SIDDomainAuth,2,SECURITY_BUILTIN_DOMAIN_RID,DOMAIN_GROUP_RID_USERS,0,0,0,0,0,0,&m_pSIDDomain))

?
0
 
LVL 3

Author Comment

by:stu_pb
ID: 10952803
I gave this a try and still no luck, is this method documented anywhere that I can look?
0
 
LVL 86

Accepted Solution

by:
jkr earned 250 total points
ID: 10952918
Hm, I'd recommend http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/msdn_seccpp.asp ("Windows NT Security in Theory and Practice") and http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/msdn_secguts.asp ("The Guts of Security") in particular as starting points (both come with source code).
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Often, when implementing a feature, you won't know how certain events should be handled at the point where they occur and you'd rather defer to the user of your function or class. For example, a XML parser will extract a tag from the source code, wh…
Basic understanding on "OO- Object Orientation" is needed for designing a logical solution to solve a problem. Basic OOAD is a prerequisite for a coder to ensure that they follow the basic design of OO. This would help developers to understand the b…
The goal of the tutorial is to teach the user how to use functions in C++. The video will cover how to define functions, how to call functions and how to create functions prototypes. Microsoft Visual C++ 2010 Express will be used as a text editor an…
The viewer will be introduced to the technique of using vectors in C++. The video will cover how to define a vector, store values in the vector and retrieve data from the values stored in the vector.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now