1 /******************************************************************************
2 * Security Manager Types *
3 ******************************************************************************/
/* Privilege LUID value. Note that it shares the value 6 with
 * SE_MACHINE_ACCOUNT_PRIVILEGE (defined in the privilege table further down),
 * so code that identifies a privilege by this number alone cannot tell the
 * two apart. */
#define SE_UNSOLICITED_INPUT_PRIVILEGE 6
/* Identifiers for the SIDs the system can construct without a name lookup.
 * Every enumerator carries an explicit value, so the entries that are absent
 * from this extract (the numbering has gaps) do not shift the ones listed.
 * NOTE(review): this is not an exhaustive list — confirm against the canonical
 * header before treating a gap as "unassigned". */
typedef enum _WELL_KNOWN_SID_TYPE {
    /* placeholder / authority SIDs */
    WinCreatorOwnerSid                            = 3,
    WinCreatorGroupSid                            = 4,
    WinCreatorOwnerServerSid                      = 5,
    WinCreatorGroupServerSid                      = 6,
    WinNtAuthoritySid                             = 7,

    /* logon-type and authentication-derived groups */
    WinInteractiveSid                             = 11,
    WinEnterpriseControllersSid                   = 15,
    WinAuthenticatedUserSid                       = 17,
    WinRestrictedCodeSid                          = 18,
    WinTerminalServerSid                          = 19,
    WinRemoteLogonIdSid                           = 20,

    /* service / system accounts */
    WinLocalSystemSid                             = 22,
    WinLocalServiceSid                            = 23,
    WinNetworkServiceSid                          = 24,

    /* WinBuiltin*: the BUILTIN domain and its aliases */
    WinBuiltinDomainSid                           = 25,
    WinBuiltinAdministratorsSid                   = 26,
    WinBuiltinUsersSid                            = 27,
    WinBuiltinGuestsSid                           = 28,
    WinBuiltinPowerUsersSid                       = 29,
    WinBuiltinAccountOperatorsSid                 = 30,
    WinBuiltinSystemOperatorsSid                  = 31,
    WinBuiltinPrintOperatorsSid                   = 32,
    WinBuiltinBackupOperatorsSid                  = 33,
    WinBuiltinReplicatorSid                       = 34,
    WinBuiltinPreWindows2000CompatibleAccessSid   = 35,
    WinBuiltinRemoteDesktopUsersSid               = 36,
    WinBuiltinNetworkConfigurationOperatorsSid    = 37,

    /* WinAccount*: domain-relative accounts and groups */
    WinAccountAdministratorSid                    = 38,
    WinAccountGuestSid                            = 39,
    WinAccountKrbtgtSid                           = 40,
    WinAccountDomainAdminsSid                     = 41,
    WinAccountDomainUsersSid                      = 42,
    WinAccountDomainGuestsSid                     = 43,
    WinAccountComputersSid                        = 44,
    WinAccountControllersSid                      = 45,
    WinAccountCertAdminsSid                       = 46,
    WinAccountSchemaAdminsSid                     = 47,
    WinAccountEnterpriseAdminsSid                 = 48,
    WinAccountPolicyAdminsSid                     = 49,
    WinAccountRasAndIasServersSid                 = 50,

    /* authentication-package and organization SIDs */
    WinNTLMAuthenticationSid                      = 51,
    WinDigestAuthenticationSid                    = 52,
    WinSChannelAuthenticationSid                  = 53,
    WinThisOrganizationSid                        = 54,
    WinOtherOrganizationSid                       = 55,

    /* more BUILTIN aliases */
    WinBuiltinIncomingForestTrustBuildersSid      = 56,
    WinBuiltinPerfMonitoringUsersSid              = 57,
    WinBuiltinPerfLoggingUsersSid                 = 58,
    WinBuiltinAuthorizationAccessSid              = 59,
    WinBuiltinTerminalServerLicenseServersSid     = 60,
    WinBuiltinDCOMUsersSid                        = 61,
    WinBuiltinIUsersSid                           = 62,
    WinBuiltinCryptoOperatorsSid                  = 64,

    /* integrity-label SIDs (other label levels are absent from this extract) */
    WinUntrustedLabelSid                          = 65,
    WinMediumLabelSid                             = 67,
    WinSystemLabelSid                             = 69,

    WinWriteRestrictedCodeSid                     = 70,
    WinCreatorOwnerRightsSid                      = 71,
    WinCacheablePrincipalsGroupSid                = 72,
    WinNonCacheablePrincipalsGroupSid             = 73,
    WinEnterpriseReadonlyControllersSid           = 74,
    WinAccountReadonlyControllersSid              = 75,
    WinBuiltinEventLogReadersGroup                = 76,
    WinNewEnterpriseReadonlyControllersSid        = 77,
    WinBuiltinCertSvcDComAccessGroup              = 78,
    WinMediumPlusLabelSid                         = 79,
    WinLocalLogonSid                              = 80,
    WinConsoleLogonSid                            = 81,
    WinThisOrganizationCertificateSid             = 82,
} WELL_KNOWN_SID_TYPE;
/* Opaque handle types used throughout the security manager interface. */

/* Pointer to a security descriptor; its layout is not exposed here. */
typedef PVOID PSECURITY_DESCRIPTOR;

/* Bit set built from the *_SECURITY_INFORMATION flags defined below,
 * selecting which parts of a descriptor an operation touches. */
typedef ULONG SECURITY_INFORMATION, *PSECURITY_INFORMATION;

/* 32-bit access-rights bit set (see the DELETE ... GENERIC_ALL values below). */
typedef ULONG ACCESS_MASK, *PACCESS_MASK;

/* Pointer to an access token; the token structure is opaque at this layer. */
typedef PVOID PACCESS_TOKEN;
/* Standard rights: bits 16-20 of an ACCESS_MASK, common to every object type. */
#define DELETE                    0x00010000L
#define READ_CONTROL              0x00020000L
#define WRITE_DAC                 0x00040000L
#define WRITE_OWNER               0x00080000L
#define SYNCHRONIZE               0x00100000L
#define STANDARD_RIGHTS_REQUIRED  0x000F0000L   /* DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER */

/* All three "standard" groupings reduce to READ_CONTROL alone; a write or
 * execute request does not implicitly carry any other standard right. */
#define STANDARD_RIGHTS_READ      READ_CONTROL
#define STANDARD_RIGHTS_WRITE     READ_CONTROL
#define STANDARD_RIGHTS_EXECUTE   READ_CONTROL

#define STANDARD_RIGHTS_ALL       0x001F0000L   /* STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE */
#define SPECIFIC_RIGHTS_ALL       0x0000FFFFL   /* low 16 bits: object-type-specific rights */

/* Right to read/write the SACL. Conventionally gated by SE_SECURITY_PRIVILEGE
 * rather than by the DACL. */
#define ACCESS_SYSTEM_SECURITY    0x01000000L
/* Request "whatever the DACL grants" instead of a fixed set of rights. */
#define MAXIMUM_ALLOWED           0x02000000L

/* Generic rights occupy the top four bits and are placeholders only: an
 * object's GENERIC_MAPPING translates them into specific rights before a
 * requested mask is compared against a DACL. Comparing a mask that still
 * contains these bits directly against specific rights is a classic
 * access-check bug. */
#define GENERIC_READ              0x80000000L
#define GENERIC_WRITE             0x40000000L
#define GENERIC_EXECUTE           0x20000000L
#define GENERIC_ALL               0x10000000L
/* Per-object-type translation of the four GENERIC_* placeholder bits into
 * specific rights. Each member is the concrete ACCESS_MASK that the matching
 * generic bit stands for on that object type. The routine that applies the
 * mapping is not part of this extract. */
typedef struct _GENERIC_MAPPING {
    ACCESS_MASK GenericRead;     /* rights meant by GENERIC_READ */
    ACCESS_MASK GenericWrite;    /* rights meant by GENERIC_WRITE */
    ACCESS_MASK GenericExecute;  /* rights meant by GENERIC_EXECUTE */
    ACCESS_MASK GenericAll;      /* rights meant by GENERIC_ALL */
} GENERIC_MAPPING, *PGENERIC_MAPPING;
/* ACL revision numbers. ACL_REVISION is the default; ACL_REVISION_DS is the
 * directory-service revision. Validation code should reject an ACL whose
 * revision lies outside [MIN_ACL_REVISION, MAX_ACL_REVISION]. */
#define ACL_REVISION      2
#define ACL_REVISION_DS   4

#define ACL_REVISION1     1
#define ACL_REVISION2     2
#define ACL_REVISION3     3
#define ACL_REVISION4     4

#define MIN_ACL_REVISION  ACL_REVISION2
#define MAX_ACL_REVISION  ACL_REVISION4
/* NOTE(review): only the opening of the _ACL typedef survived in this extract;
 * its member list and closing brace are absent, so the definitions that follow
 * do not belong to it. Do not take the ACL layout from this listing. */
typedef struct _ACL
{
/* Current security descriptor revision value */
#define SECURITY_DESCRIPTOR_REVISION    (1)
#define SECURITY_DESCRIPTOR_REVISION1   (1)

/* Privilege attributes: the flag word carried alongside a privilege LUID. */
#define SE_PRIVILEGE_ENABLED_BY_DEFAULT (0x00000001L)
#define SE_PRIVILEGE_ENABLED            (0x00000002L)
#define SE_PRIVILEGE_REMOVED            (0x00000004L)   /* spelled with an upper-case 0X upstream; same value */
#define SE_PRIVILEGE_USED_FOR_ACCESS    (0x80000000L)

/* Every attribute bit that is meaningful; a caller-supplied attribute word
 * with any bit outside this mask should be rejected rather than passed on. */
#define SE_PRIVILEGE_VALID_ATTRIBUTES   (SE_PRIVILEGE_ENABLED_BY_DEFAULT | \
                                         SE_PRIVILEGE_ENABLED            | \
                                         SE_PRIVILEGE_REMOVED            | \
                                         SE_PRIVILEGE_USED_FOR_ACCESS)
160 #include <pshpack4.h>
/* NOTE(review): the member list of this structure did not survive extraction;
 * as shown the body is empty, which is not valid C. Treat it as a stub and take
 * the real layout from the canonical header. The <pshpack4.h> include just above
 * forces 4-byte packing for it; the matching <poppack.h> is not in this extract. */
typedef struct _LUID_AND_ATTRIBUTES
{
} LUID_AND_ATTRIBUTES, *PLUID_AND_ATTRIBUTES;

/* Open-ended array of the above, used for variable-length privilege lists. */
typedef LUID_AND_ATTRIBUTES LUID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY];
typedef LUID_AND_ATTRIBUTES_ARRAY *PLUID_AND_ATTRIBUTES_ARRAY;
/* Flag used with a PRIVILEGE_SET; the field it is stored in is not visible in
 * this extract. */
#define PRIVILEGE_SET_ALL_NECESSARY (1)

/* Variable-length list of privileges. Privilege[] is a trailing open-ended
 * array: the structure is allocated larger than sizeof(PRIVILEGE_SET) to hold
 * PrivilegeCount entries, and PrivilegeCount must be validated against the
 * allocation before the array is walked.
 * NOTE(review): a member appears to be missing between PrivilegeCount and
 * Privilege in this extract — confirm the layout against the canonical header
 * before relying on offsets. */
typedef struct _PRIVILEGE_SET {
    ULONG               PrivilegeCount;            /* number of valid entries in Privilege[] */
    LUID_AND_ATTRIBUTES Privilege[ANYSIZE_ARRAY];  /* open-ended; see note above */
} PRIVILEGE_SET, *PPRIVILEGE_SET;
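/* How far a server may use a client's identity. The levels are ordered:
 * SECURITY_MIN_IMPERSONATION_LEVEL / SECURITY_MAX_IMPERSONATION_LEVEL and
 * VALID_IMPERSONATION_LEVEL (defined right after this enum) rely on
 * SecurityAnonymous being the lowest and SecurityDelegation the highest value.
 * NOTE(review): SecurityAnonymous and SecurityDelegation were missing from the
 * extracted listing even though those macros use them; they are restored here
 * at the ends of the range the macros require — confirm against the canonical
 * header. */
typedef enum _SECURITY_IMPERSONATION_LEVEL {
    SecurityAnonymous,       /* lowest: server cannot learn who the client is */
    SecurityIdentification,  /* server may query identity and privileges only */
    SecurityImpersonation,   /* server may act as the client locally (DEFAULT_IMPERSONATION_LEVEL) */
    SecurityDelegation       /* highest: server may act as the client remotely too */
} SECURITY_IMPERSONATION_LEVEL, *PSECURITY_IMPERSONATION_LEVEL;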
/* Bounds and default for SECURITY_IMPERSONATION_LEVEL. */
#define SECURITY_MAX_IMPERSONATION_LEVEL  SecurityDelegation
#define SECURITY_MIN_IMPERSONATION_LEVEL  SecurityAnonymous
#define DEFAULT_IMPERSONATION_LEVEL       SecurityImpersonation

/* Range check for a caller-supplied level. Evaluates Level twice, so pass a
 * side-effect-free expression. */
#define VALID_IMPERSONATION_LEVEL(Level) \
    (((Level) >= SECURITY_MIN_IMPERSONATION_LEVEL) && \
     ((Level) <= SECURITY_MAX_IMPERSONATION_LEVEL))

/* SECURITY_CONTEXT_TRACKING_MODE values. */
#define SECURITY_DYNAMIC_TRACKING  (TRUE)
#define SECURITY_STATIC_TRACKING   (FALSE)
/* Whether a server's view of the client context follows later changes
 * (SECURITY_DYNAMIC_TRACKING) or is frozen at capture time
 * (SECURITY_STATIC_TRACKING). */
typedef BOOLEAN SECURITY_CONTEXT_TRACKING_MODE, *PSECURITY_CONTEXT_TRACKING_MODE;

/* What a client allows a server to do with its identity.
 * NOTE(review): the canonical structure carries a leading size member that is
 * absent from this extract; do not derive offsets from this listing. */
typedef struct _SECURITY_QUALITY_OF_SERVICE {
    SECURITY_IMPERSONATION_LEVEL   ImpersonationLevel;   /* ceiling on how the server may use the identity */
    SECURITY_CONTEXT_TRACKING_MODE ContextTrackingMode;  /* dynamic or static, see above */
    BOOLEAN                        EffectiveOnly;        /* presumably: expose only currently enabled groups/privileges — confirm */
} SECURITY_QUALITY_OF_SERVICE, *PSECURITY_QUALITY_OF_SERVICE;
/* Saved impersonation state, used to restore a thread after a temporary
 * impersonation.
 * NOTE(review): members appear to be missing at the start of this structure in
 * this extract; confirm the layout against the canonical header. */
typedef struct _SE_IMPERSONATION_STATE {
    BOOLEAN                      EffectiveOnly;  /* mirrors SECURITY_QUALITY_OF_SERVICE.EffectiveOnly */
    SECURITY_IMPERSONATION_LEVEL Level;          /* level that was in force */
} SE_IMPERSONATION_STATE, *PSE_IMPERSONATION_STATE;
/* SECURITY_INFORMATION bits: which parts of a security descriptor an
 * operation reads or writes. Reading or writing the SACL conventionally needs
 * ACCESS_SYSTEM_SECURITY in addition to the bit below. */
#define OWNER_SECURITY_INFORMATION              (0x00000001L)
#define GROUP_SECURITY_INFORMATION              (0x00000002L)
#define DACL_SECURITY_INFORMATION               (0x00000004L)
#define SACL_SECURITY_INFORMATION               (0x00000008L)
#define LABEL_SECURITY_INFORMATION              (0x00000010L)

/* Inheritance control for the DACL / SACL on write. PROTECTED_* and
 * UNPROTECTED_* for the same ACL are mutually exclusive requests. */
#define PROTECTED_DACL_SECURITY_INFORMATION     (0x80000000L)
#define PROTECTED_SACL_SECURITY_INFORMATION     (0x40000000L)
#define UNPROTECTED_DACL_SECURITY_INFORMATION   (0x20000000L)
#define UNPROTECTED_SACL_SECURITY_INFORMATION   (0x10000000L)
/* Operation requested of a security-descriptor manipulation routine.
 * Values are spelled out to make the wire/ABI numbers explicit. */
typedef enum _SECURITY_OPERATION_CODE {
    SetSecurityDescriptor    = 0,
    QuerySecurityDescriptor  = 1,
    DeleteSecurityDescriptor = 2,
    AssignSecurityDescriptor = 3
} SECURITY_OPERATION_CODE, *PSECURITY_OPERATION_CODE;
/* Fixed capacity of the inline privilege array in INITIAL_PRIVILEGE_SET. */
#define INITIAL_PRIVILEGE_COUNT 3

/* Small, fixed-size privilege set embedded directly in ACCESS_STATE so the
 * common case needs no separate allocation. PrivilegeCount must never exceed
 * INITIAL_PRIVILEGE_COUNT.
 * NOTE(review): a member appears to be missing between PrivilegeCount and
 * Privilege in this extract — confirm the layout against the canonical header. */
typedef struct _INITIAL_PRIVILEGE_SET {
    ULONG               PrivilegeCount;                      /* valid entries in Privilege[] */
    LUID_AND_ATTRIBUTES Privilege[INITIAL_PRIVILEGE_COUNT];  /* inline storage */
} INITIAL_PRIVILEGE_SET, *PINITIAL_PRIVILEGE_SET;
/* LUID values of the well-known privileges. SE_MIN_WELL_KNOWN_PRIVILEGE and
 * SE_MAX_WELL_KNOWN_PRIVILEGE bound the recognized range. Several of these —
 * notably SE_TCB_PRIVILEGE, SE_DEBUG_PRIVILEGE, SE_LOAD_DRIVER_PRIVILEGE,
 * SE_TAKE_OWNERSHIP_PRIVILEGE, SE_RESTORE_PRIVILEGE and
 * SE_ASSIGNPRIMARYTOKEN_PRIVILEGE — amount to full control of the machine, so
 * their assignment and enablement are worth auditing. Note that
 * SE_MACHINE_ACCOUNT_PRIVILEGE shares the value 6 with
 * SE_UNSOLICITED_INPUT_PRIVILEGE defined near the top of this section. */
#define SE_MIN_WELL_KNOWN_PRIVILEGE          2

#define SE_CREATE_TOKEN_PRIVILEGE            2
#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE      3
#define SE_LOCK_MEMORY_PRIVILEGE             4
#define SE_INCREASE_QUOTA_PRIVILEGE          5
#define SE_MACHINE_ACCOUNT_PRIVILEGE         6
#define SE_TCB_PRIVILEGE                     7
#define SE_SECURITY_PRIVILEGE                8
#define SE_TAKE_OWNERSHIP_PRIVILEGE          9
#define SE_LOAD_DRIVER_PRIVILEGE             10
#define SE_SYSTEM_PROFILE_PRIVILEGE          11
#define SE_SYSTEMTIME_PRIVILEGE              12
#define SE_PROF_SINGLE_PROCESS_PRIVILEGE     13
#define SE_INC_BASE_PRIORITY_PRIVILEGE       14
#define SE_CREATE_PAGEFILE_PRIVILEGE         15
#define SE_CREATE_PERMANENT_PRIVILEGE        16
#define SE_BACKUP_PRIVILEGE                  17
#define SE_RESTORE_PRIVILEGE                 18
#define SE_SHUTDOWN_PRIVILEGE                19
#define SE_DEBUG_PRIVILEGE                   20
#define SE_AUDIT_PRIVILEGE                   21
#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE      22
#define SE_CHANGE_NOTIFY_PRIVILEGE           23
#define SE_REMOTE_SHUTDOWN_PRIVILEGE         24
#define SE_UNDOCK_PRIVILEGE                  25
#define SE_SYNC_AGENT_PRIVILEGE              26
#define SE_ENABLE_DELEGATION_PRIVILEGE       27
#define SE_MANAGE_VOLUME_PRIVILEGE           28
#define SE_IMPERSONATE_PRIVILEGE             29
#define SE_CREATE_GLOBAL_PRIVILEGE           30
#define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE  31
#define SE_RELABEL_PRIVILEGE                 32
#define SE_INC_WORKING_SET_PRIVILEGE         33
#define SE_TIME_ZONE_PRIVILEGE               34
#define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE    35

#define SE_MAX_WELL_KNOWN_PRIVILEGE          SE_CREATE_SYMBOLIC_LINK_PRIVILEGE
/* Captured identity of the subject on whose behalf an access check runs.
 * Member comments paraphrase the names; the capture routine that fills this
 * in is not part of this extract. */
typedef struct _SECURITY_SUBJECT_CONTEXT {
    PACCESS_TOKEN                ClientToken;         /* impersonation token; presumably NULL when not impersonating — confirm */
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;  /* level at which ClientToken may be used */
    PACCESS_TOKEN                PrimaryToken;        /* the process's own token */
    PVOID                        ProcessAuditId;      /* opaque value used to correlate audit records */
} SECURITY_SUBJECT_CONTEXT, *PSECURITY_SUBJECT_CONTEXT;
/* Working state of one access check, carried from the initial request through
 * privilege evaluation and auditing. Member comments paraphrase the names;
 * the semantics are not visible in this extract.
 * NOTE(review): several members of the canonical structure are absent from
 * this extract (the numbering has gaps); do not derive sizes or offsets from
 * this listing. */
typedef struct _ACCESS_STATE {
    BOOLEAN                  SecurityEvaluated;        /* access check already performed */
    BOOLEAN                  GenerateAudit;            /* an audit record is due */
    BOOLEAN                  GenerateOnClose;          /* audit on handle close as well */
    BOOLEAN                  PrivilegesAllocated;      /* PrivilegeSet was heap-allocated and must be freed */

    ACCESS_MASK              RemainingDesiredAccess;   /* rights requested but not yet granted */
    ACCESS_MASK              PreviouslyGrantedAccess;  /* rights granted so far */
    ACCESS_MASK              OriginalDesiredAccess;    /* the caller's unmodified request */

    SECURITY_SUBJECT_CONTEXT SubjectSecurityContext;   /* who is asking */
    PSECURITY_DESCRIPTOR     SecurityDescriptor;       /* what is being accessed */

    INITIAL_PRIVILEGE_SET    InitialPrivilegeSet;      /* inline storage for the common small case */
    PRIVILEGE_SET            PrivilegeSet;             /* privileges used; see PrivilegesAllocated */

    BOOLEAN                  AuditPrivileges;          /* audit the privileges used */
    UNICODE_STRING           ObjectName;               /* for audit records */
    UNICODE_STRING           ObjectTypeName;           /* for audit records */
} ACCESS_STATE, *PACCESS_STATE;
/* NOTE(review): the start of this declaration — the typedef keyword and the
 * return type — appears to be missing from this extract; as shown it is not a
 * complete typedef. The fragment names a callback that takes a security
 * descriptor and, judging by the name, releases a reference to it. */
(NTAPI *PNTFS_DEREF_EXPORTED_SECURITY_DESCRIPTOR)(
    IN PSECURITY_DESCRIPTOR SecurityDescriptor);
309 #ifndef _NTLSA_AUDIT_
310 #define _NTLSA_AUDIT_
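/* Capacity of the fixed Parameters[] array in SE_ADT_PARAMETER_ARRAY, and the
 * smaller capacity available to generic audits. */
#define SE_MAX_AUDIT_PARAMETERS          32
#define SE_MAX_GENERIC_AUDIT_PARAMETERS  28

#define SE_ADT_OBJECT_ONLY 0x1

/* Flag bits describing how an audit parameter array is laid out / delivered. */
#define SE_ADT_PARAMETERS_SELF_RELATIVE      0x00000001
#define SE_ADT_PARAMETERS_SEND_TO_LSA        0x00000002
#define SE_ADT_PARAMETER_EXTENSIBLE_AUDIT    0x00000004
#define SE_ADT_PARAMETER_GENERIC_AUDIT       0x00000008
#define SE_ADT_PARAMETER_WRITE_SYNCHRONOUS   0x00000010

/* Bytes actually occupied by a parameter array holding
 * Parameters->ParameterCount entries: the whole structure minus the unused
 * tail of the fixed SE_MAX_AUDIT_PARAMETERS-entry array. Parameters is
 * parenthesized so that pointer expressions such as `&array` or `p + 1` expand
 * correctly. The macro does not range-check: ParameterCount is unsigned, so a
 * count above SE_MAX_AUDIT_PARAMETERS wraps the subtraction and yields a huge
 * size — callers must validate the count before using this as a copy length. */
#define LSAP_SE_ADT_PARAMETER_ARRAY_TRUE_SIZE(Parameters) \
    ( sizeof(SE_ADT_PARAMETER_ARRAY) - sizeof(SE_ADT_PARAMETER_ARRAY_ENTRY) * \
      (SE_MAX_AUDIT_PARAMETERS - (Parameters)->ParameterCount) )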
/* Kind of value an audit parameter entry carries (SE_ADT_PARAMETER_ARRAY_ENTRY.Type).
 * NOTE(review): only SeAdtParmTypeNone has an explicit value and several
 * enumerators appear to be missing from this extract (the numbering has gaps),
 * so the implicit values below very likely do not match the canonical header.
 * Do not encode or decode audit records with the numbers implied here. */
typedef enum _SE_ADT_PARAMETER_TYPE {
    SeAdtParmTypeNone = 0,
    SeAdtParmTypeFileSpec,
    SeAdtParmTypeLogonId,
    SeAdtParmTypeNoLogonId,
    SeAdtParmTypeAccessMask,
    SeAdtParmTypeObjectTypes,
    SeAdtParmTypeHexUlong,
    SeAdtParmTypeHexInt64,
    SeAdtParmTypeStringList,
    SeAdtParmTypeSidList,
    SeAdtParmTypeDuration,
    SeAdtParmTypeUserAccountControl,
    SeAdtParmTypeMessage,
    SeAdtParmTypeDateTime,
    SeAdtParmTypeSockAddr,
    SeAdtParmTypeLogonHours,
    SeAdtParmTypeLogonIdNoSid,
    SeAdtParmTypeUlongNoConv,
    SeAdtParmTypeSockAddrNoPort,
    SeAdtParmTypeAccessReason
} SE_ADT_PARAMETER_TYPE, *PSE_ADT_PARAMETER_TYPE;
/* Per-object-type entry of an SeAdtParmTypeObjectTypes parameter.
 * NOTE(review): members before AccessMask appear to be missing from this
 * extract; confirm the layout against the canonical header. */
typedef struct _SE_ADT_OBJECT_TYPE {
    ACCESS_MASK AccessMask;  /* rights involved for this object type */
} SE_ADT_OBJECT_TYPE, *PSE_ADT_OBJECT_TYPE;
/* One audit parameter: a type tag plus the value it describes.
 * NOTE(review): the members following Type (the value itself) are absent from
 * this extract; the entry size measured by LSAP_SE_ADT_PARAMETER_ARRAY_TRUE_SIZE
 * cannot be taken from this listing. */
typedef struct _SE_ADT_PARAMETER_ARRAY_ENTRY {
    SE_ADT_PARAMETER_TYPE Type;  /* selects how the (missing) value members are interpreted */
} SE_ADT_PARAMETER_ARRAY_ENTRY, *PSE_ADT_PARAMETER_ARRAY_ENTRY;
/* Explanation of an access decision for auditing (SeAdtParmTypeAccessReason).
 * AccessReasons has 32 slots, which matches the width of ACCESS_MASK —
 * presumably one reason per access bit; confirm against the consumer. */
typedef struct _SE_ADT_ACCESS_REASON {
    ACCESS_MASK          AccessMask;          /* rights the reasons refer to */
    ULONG                AccessReasons[32];   /* see note above */
    ULONG                ObjectTypeIndex;     /* which object type, for object-type checks */
    PSECURITY_DESCRIPTOR SecurityDescriptor;  /* descriptor the decision was made against */
} SE_ADT_ACCESS_REASON, *PSE_ADT_ACCESS_REASON;
/* An audit record under construction: a count of valid entries followed by a
 * fixed-capacity parameter array. LSAP_SE_ADT_PARAMETER_ARRAY_TRUE_SIZE relies
 * on Parameters[] being the last member and on ParameterCount never exceeding
 * SE_MAX_AUDIT_PARAMETERS.
 * NOTE(review): several members of the canonical structure are absent from
 * this extract (the numbering has gaps); do not take offsets from this listing. */
typedef struct _SE_ADT_PARAMETER_ARRAY {
    ULONG                        ParameterCount;                          /* valid entries in Parameters[] */
    USHORT                       FlatSubCategoryId;                       /* audit sub-category */
    SE_ADT_PARAMETER_ARRAY_ENTRY Parameters[SE_MAX_AUDIT_PARAMETERS];     /* must stay last */
} SE_ADT_PARAMETER_ARRAY, *PSE_ADT_PARAMETER_ARRAY;
393 #endif /* !_NTLSA_AUDIT_ */
394 #endif /* !_NTLSA_IFS_ */