}
+static NTSTATUS
+LsapCreatePolicySd(PSECURITY_DESCRIPTOR *PolicySd,
+ PULONG PolicySdSize)
+{
+ SECURITY_DESCRIPTOR AbsoluteSd;
+ PSECURITY_DESCRIPTOR RelativeSd = NULL;
+ ULONG RelativeSdSize = 0;
+ PSID AnonymousSid = NULL;
+ PSID AdministratorsSid = NULL;
+ PSID EveryoneSid = NULL;
+ PSID LocalServiceSid = NULL;
+ PSID NetworkServiceSid = NULL;
+ PSID LocalSystemSid = NULL;
+ PACL Dacl = NULL;
+ ULONG DaclSize;
+ NTSTATUS Status;
+
+ if (PolicySd == NULL || PolicySdSize == NULL)
+ return STATUS_INVALID_PARAMETER;
+
+ *PolicySd = NULL;
+ *PolicySdSize = 0;
+
+ /* Initialize the SD */
+ Status = RtlCreateSecurityDescriptor(&AbsoluteSd,
+ SECURITY_DESCRIPTOR_REVISION);
+ if (!NT_SUCCESS(Status))
+ return Status;
+
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 1,
+ SECURITY_ANONYMOUS_LOGON_RID,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &AnonymousSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 2,
+ SECURITY_BUILTIN_DOMAIN_RID,
+ DOMAIN_ALIAS_RID_ADMINS,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &AdministratorsSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAllocateAndInitializeSid(&WorldSidAuthority,
+ 1,
+ SECURITY_WORLD_RID,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &EveryoneSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 1,
+ SECURITY_LOCAL_SERVICE_RID,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &LocalServiceSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 1,
+ SECURITY_NETWORK_SERVICE_RID,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &NetworkServiceSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 1,
+ SECURITY_LOCAL_SYSTEM_RID,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &LocalSystemSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Allocate and initialize the DACL */
+ DaclSize = sizeof(ACL) +
+ sizeof(ACCESS_DENIED_ACE) - sizeof(ULONG) + RtlLengthSid(AnonymousSid) +
+ sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AdministratorsSid) +
+ sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(EveryoneSid) +
+ sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AnonymousSid) +
+ sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(LocalServiceSid) +
+ sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(NetworkServiceSid);
+
+ Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ DaclSize);
+ if (Dacl == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ goto done;
+ }
+
+ Status = RtlCreateAcl(Dacl,
+ DaclSize,
+ ACL_REVISION);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessDeniedAce(Dacl,
+ ACL_REVISION,
+ POLICY_LOOKUP_NAMES,
+ AnonymousSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ POLICY_ALL_ACCESS | POLICY_NOTIFICATION,
+ AdministratorsSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ POLICY_EXECUTE,
+ EveryoneSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ POLICY_LOOKUP_NAMES | POLICY_VIEW_LOCAL_INFORMATION,
+ AnonymousSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ POLICY_NOTIFICATION,
+ LocalServiceSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ POLICY_NOTIFICATION,
+ NetworkServiceSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlSetDaclSecurityDescriptor(&AbsoluteSd,
+ TRUE,
+ Dacl,
+ FALSE);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlSetGroupSecurityDescriptor(&AbsoluteSd,
+ LocalSystemSid,
+ FALSE);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlSetOwnerSecurityDescriptor(&AbsoluteSd,
+ AdministratorsSid,
+ FALSE);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
+ RelativeSd,
+ &RelativeSdSize);
+ if (Status != STATUS_BUFFER_TOO_SMALL)
+ goto done;
+
+ RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ RelativeSdSize);
+ if (RelativeSd == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ goto done;
+ }
+
+ Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
+ RelativeSd,
+ &RelativeSdSize);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ *PolicySd = RelativeSd;
+ *PolicySdSize = RelativeSdSize;
+
+done:
+ if (Dacl != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
+
+ if (AnonymousSid != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, AnonymousSid);
+
+ if (AdministratorsSid != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid);
+
+ if (EveryoneSid != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid);
+
+ if (LocalServiceSid != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, LocalServiceSid);
+
+ if (NetworkServiceSid != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, NetworkServiceSid);
+
+ if (LocalSystemSid != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid);
+
+ if (!NT_SUCCESS(Status))
+ {
+ if (RelativeSd != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
+ }
+
+ return Status;
+}
+
+
static NTSTATUS
LsapCreateDatabaseObjects(VOID)
{
GUID DnsDomainGuid;
PLSA_DB_OBJECT PolicyObject = NULL;
PSID AccountDomainSid = NULL;
+ PSECURITY_DESCRIPTOR PolicySd = NULL;
+ ULONG PolicySdSize = 0;
ULONG AuditEventsCount;
ULONG AuditEventsSize;
ULONG i;
AuditEventsCount = AuditCategoryAccountLogon - AuditCategorySystem + 1;
AuditEventsSize = sizeof(LSAP_POLICY_AUDIT_EVENTS_DATA) + AuditEventsCount * sizeof(DWORD);
AuditEventsInfo = RtlAllocateHeap(RtlGetProcessHeap(),
- 0,
+ HEAP_ZERO_MEMORY,
AuditEventsSize);
if (AuditEventsInfo == NULL)
return STATUS_INSUFFICIENT_RESOURCES;
if (!NT_SUCCESS(Status))
goto done;
+ Status = LsapCreatePolicySd(&PolicySd,
+ &PolicySdSize);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
/* Open the 'Policy' object */
Status = LsapOpenDbObject(NULL,
NULL,
&DnsDomainGuid,
sizeof(GUID));
+ /* Set the Sceurity Descriptor */
+ LsapSetObjectAttribute(PolicyObject,
+ L"SecDesc",
+ PolicySd,
+ PolicySdSize);
+
done:
if (AuditEventsInfo != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, AuditEventsInfo);
if (AccountDomainSid != NULL)
RtlFreeSid(AccountDomainSid);
+ if (PolicySd != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, PolicySd);
+
return Status;
}