From 83f3bd8bd646c73ed99d3b6595b2d54e7c5ae543 Mon Sep 17 00:00:00 2001 From: Eric Kohl Date: Sun, 24 Jan 2021 15:28:23 +0100 Subject: [PATCH] [SYSSETUP][INF] Add password setup to the security profile --- dll/win32/syssetup/security.c | 208 ++++++++++++++++++++++++++++++++++ media/inf/defltsv.inf | 9 ++ media/inf/defltwk.inf | 11 +- 3 files changed, 227 insertions(+), 1 deletion(-) diff --git a/dll/win32/syssetup/security.c b/dll/win32/syssetup/security.c index ff2c329dc2e..d92c201831d 100644 --- a/dll/win32/syssetup/security.c +++ b/dll/win32/syssetup/security.c @@ -18,6 +18,8 @@ #define NDEBUG #include +#define TICKS_PER_DAY -864000000000LL + /* FUNCTIONS ****************************************************************/ NTSTATUS 
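Review bot: `#define TICKS_PER_DAY -864000000000LL` names a negative value as if it were a plain count, and every later use in this patch multiplies a day count by it, so a reader who does not know that the password-age fields are stored as negative relative times will misread the sign. Either rename it to say so (e.g. `NEG_TICKS_PER_DAY`) or keep the name and add the reason next to it: `/* One day in 100-ns units, negative because the SAM password-age fields hold negative relative times */`. Parenthesising the value (`(-864000000000LL)`) also avoids surprises if it is ever used in a larger expression.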
@@ -756,6 +758,210 @@ ApplyEventlogSettings( } +static +VOID +ApplyPasswordSettings( + _In_ HINF hSecurityInf, + _In_ PWSTR pszSectionName) +{ + INFCONTEXT InfContext; + DOMAIN_PASSWORD_INFORMATION PasswordInfo; + PPOLICY_ACCOUNT_DOMAIN_INFO OrigInfo = NULL; + LSA_OBJECT_ATTRIBUTES ObjectAttributes; + LSA_HANDLE PolicyHandle = NULL; + SAM_HANDLE ServerHandle = NULL; + SAM_HANDLE DomainHandle = NULL; + INT nValue; + NTSTATUS Status; + + DPRINT("ApplyPasswordSettings()\n"); + + memset(&ObjectAttributes, 0, sizeof(LSA_OBJECT_ATTRIBUTES)); + ObjectAttributes.Length = sizeof(LSA_OBJECT_ATTRIBUTES); + + Status = LsaOpenPolicy(NULL, + &ObjectAttributes, + POLICY_VIEW_LOCAL_INFORMATION | POLICY_TRUST_ADMIN, + &PolicyHandle); + if (Status != STATUS_SUCCESS) + { + DPRINT1("LsaOpenPolicy() failed (Status: 0x%08lx)\n", Status); + return; + } + + Status = LsaQueryInformationPolicy(PolicyHandle, + PolicyAccountDomainInformation, + (PVOID *)&OrigInfo); + if (!NT_SUCCESS(Status)) + { + DPRINT1("LsaQueryInformationPolicy() failed (Status: 0x%08lx)\n", Status); + goto done; + } + + Status = SamConnect(NULL, + &ServerHandle, + SAM_SERVER_CONNECT | SAM_SERVER_LOOKUP_DOMAIN, + NULL); + if (!NT_SUCCESS(Status)) + { + DPRINT1("SamConnect() failed (Status: 0x%08lx)\n", Status); + goto done; + } + + Status = SamOpenDomain(ServerHandle, + DOMAIN_READ_PASSWORD_PARAMETERS | DOMAIN_WRITE_PASSWORD_PARAMS, + OrigInfo->DomainSid, + &DomainHandle); + if (!NT_SUCCESS(Status)) + { + DPRINT1("SamOpenDomain() failed (Status: 0x%08lx)\n", Status); + goto done; + } + + Status = SamQueryInformationDomain(DomainHandle, + DomainPasswordInformation, + (PVOID*)&PasswordInfo); + if (!NT_SUCCESS(Status)) + { + DPRINT1("SamQueryInformationDomain() failed (Status %08lx)\n", Status); + goto done; + } + + DPRINT("MaximumPasswordAge (OldValue) : 0x%I64x\n", PasswordInfo.MaxPasswordAge.QuadPart); + if (SetupFindFirstLineW(hSecurityInf, + pszSectionName, + L"MaximumPasswordAge", + &InfContext)) + { + if 
(SetupGetIntField(&InfContext, 1, &nValue)) + { + DPRINT("Value: %ld\n", nValue); + if (nValue == -1) + { + PasswordInfo.MaxPasswordAge.QuadPart = 0x8000000000000000; + } + else if ((nValue >= 1) && (nValue < 1000)) + { + PasswordInfo.MaxPasswordAge.QuadPart = (LONGLONG)nValue * TICKS_PER_DAY; + } + DPRINT("MaximumPasswordAge (NewValue) : 0x%I64x\n", PasswordInfo.MaxPasswordAge.QuadPart); + } + } + + DPRINT("MinimumPasswordAge (OldValue) : 0x%I64x\n", PasswordInfo.MinPasswordAge.QuadPart); + if (SetupFindFirstLineW(hSecurityInf, + pszSectionName, + L"MinimumPasswordAge", + &InfContext)) + { + if (SetupGetIntField(&InfContext, 1, &nValue)) + { + DPRINT("Wert: %ld\n", nValue); + if ((nValue >= 0) && (nValue < 1000)) + { + if (PasswordInfo.MaxPasswordAge.QuadPart < (LONGLONG)nValue * TICKS_PER_DAY) + PasswordInfo.MinPasswordAge.QuadPart = (LONGLONG)nValue * TICKS_PER_DAY; + } + DPRINT("MinimumPasswordAge (NewValue) : 0x%I64x\n", PasswordInfo.MinPasswordAge.QuadPart); + } + } + + DPRINT("MinimumPasswordLength (OldValue) : %lu\n", PasswordInfo.MinPasswordLength); + if (SetupFindFirstLineW(hSecurityInf, + pszSectionName, + L"MinimumPasswordLength", + &InfContext)) + { + if (SetupGetIntField(&InfContext, 1, &nValue)) + { + DPRINT("Value: %ld\n", nValue); + if ((nValue >= 0) && (nValue <= 65535)) + { + PasswordInfo.MinPasswordLength = nValue; + } + DPRINT("MinimumPasswordLength (NewValue) : %lu\n", PasswordInfo.MinPasswordLength); + } + } + + DPRINT("PasswordHistoryLength (OldValue) : %lu\n", PasswordInfo.PasswordHistoryLength); + if (SetupFindFirstLineW(hSecurityInf, + pszSectionName, + L"PasswordHistorySize", + &InfContext)) + { + if (SetupGetIntField(&InfContext, 1, &nValue)) + { + DPRINT("Value: %ld\n", nValue); + if ((nValue >= 0) && (nValue <= 65535)) + { + PasswordInfo.PasswordHistoryLength = nValue; + } + DPRINT("PasswordHistoryLength (NewValue) : %lu\n", PasswordInfo.PasswordHistoryLength); + } + } + + if (SetupFindFirstLineW(hSecurityInf, + pszSectionName, + 
L"PasswordComplexity", + &InfContext)) + { + if (SetupGetIntField(&InfContext, 1, &nValue)) + { + if (nValue == 0) + { + PasswordInfo.PasswordProperties &= ~DOMAIN_PASSWORD_COMPLEX; + } + else + { + PasswordInfo.PasswordProperties |= DOMAIN_PASSWORD_COMPLEX; + } + } + } + + if (SetupFindFirstLineW(hSecurityInf, + pszSectionName, + L"ClearTextPassword", + &InfContext)) + { + if (SetupGetIntField(&InfContext, 1, &nValue)) + { + if (nValue == 0) + { + PasswordInfo.PasswordProperties &= ~DOMAIN_PASSWORD_STORE_CLEARTEXT; + } + else + { + PasswordInfo.PasswordProperties |= DOMAIN_PASSWORD_STORE_CLEARTEXT; + } + } + } + + /* Windows ignores the RequireLogonToChangePassword option */ + + Status = SamSetInformationDomain(DomainHandle, + DomainPasswordInformation, + (PVOID*)&PasswordInfo); + if (!NT_SUCCESS(Status)) + { + DPRINT1("SamSetInformationDomain() failed (Status %08lx)\n", Status); + goto done; + } + +done: + if (DomainHandle != NULL) + SamCloseHandle(DomainHandle); + + if (ServerHandle != NULL) + SamCloseHandle(ServerHandle); + + if (OrigInfo != NULL) + LsaFreeMemory(OrigInfo); + + if (PolicyHandle != NULL) + LsaClose(PolicyHandle); +} + + static VOID ApplyAuditEvents( @@ -922,6 +1128,8 @@ InstallSecurity(VOID) ApplyEventlogSettings(hSecurityInf, L"Security Log", L"Security"); ApplyEventlogSettings(hSecurityInf, L"System Log", L"System"); + ApplyPasswordSettings(hSecurityInf, L"System Access"); + ApplyAuditEvents(hSecurityInf); SetupCloseInfFile(hSecurityInf); diff --git a/media/inf/defltsv.inf b/media/inf/defltsv.inf index d64c30d339a..ce3b7d78ba6 100644 --- a/media/inf/defltsv.inf +++ b/media/inf/defltsv.inf @@ -4,6 +4,15 @@ [Version] Signature = "$Windows NT$" +[System Access] +MinimumPasswordAge = 0 +MaximumPasswordAge = 42 +MinimumPasswordLength = 0 +PasswordComplexity = 0 +PasswordHistorySize = 0 +RequireLogonToChangePassword = 0 +ClearTextPassword = 0 + [Application Log] MaximumLogSize = 16384 AuditLogRetentionPeriod = 0 
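Review bot: `SamQueryInformationDomain(DomainHandle, DomainPasswordInformation, (PVOID*)&PasswordInfo)` hands the address of the by-value `DOMAIN_PASSWORD_INFORMATION PasswordInfo` to a `PVOID *` out-parameter; if samlib allocates the result and stores a pointer there — the same contract the `LsaQueryInformationPolicy`/`OrigInfo`/`LsaFreeMemory` triple a few lines up follows — only the first pointer-sized bytes of the struct are written, the `MaxPasswordAge`/`MinPasswordAge` values read and then written back with `SamSetInformationDomain` are uninitialized stack, and the allocated buffer leaks. The fix is to declare `PDOMAIN_PASSWORD_INFORMATION PasswordInfo = NULL;`, access fields with `->`, pass `PasswordInfo` itself to `SamSetInformationDomain`, and release it with `SamFreeMemory` in the `done:` cleanup. Two smaller points in the same hunk: `DPRINT("Wert: %ld\n", nValue);` in the MinimumPasswordAge branch is a leftover German label and should read `"Value: %ld\n"` like its siblings, and `POLICY_TRUST_ADMIN` in the `LsaOpenPolicy` mask looks wider than a `PolicyAccountDomainInformation` query needs, which as far as I know is `POLICY_VIEW_LOCAL_INFORMATION` alone. When the MinimumPasswordAge value is dropped by the `MaxPasswordAge.QuadPart < ...` comparison nothing is logged, so an ignored policy line is hard to diagnose; a `DPRINT1` on that branch would help.
```c
    PDOMAIN_PASSWORD_INFORMATION PasswordInfo = NULL;
    /* … unchanged: other locals, LsaOpenPolicy, LsaQueryInformationPolicy, SamConnect, SamOpenDomain, SamQueryInformationDomain … */

    DPRINT("MaximumPasswordAge (OldValue) : 0x%I64x\n", PasswordInfo->MaxPasswordAge.QuadPart);
    /* … unchanged: INF lookups, with every PasswordInfo.<field> becoming PasswordInfo-><field> … */

    Status = SamSetInformationDomain(DomainHandle,
                                     DomainPasswordInformation,
                                     PasswordInfo);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("SamSetInformationDomain() failed (Status %08lx)\n", Status);
        goto done;
    }

done:
    if (PasswordInfo != NULL)
        SamFreeMemory(PasswordInfo);

    /* … unchanged: SamCloseHandle, LsaFreeMemory, LsaClose … */
```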
diff --git a/media/inf/defltwk.inf b/media/inf/defltwk.inf index 540edd39416..020b59c4d26 100644 --- a/media/inf/defltwk.inf +++ b/media/inf/defltwk.inf @@ -4,6 +4,15 @@ [Version] Signature = "$Windows NT$" +[System Access] +MinimumPasswordAge = 0 +MaximumPasswordAge = 42 +MinimumPasswordLength = 0 +PasswordComplexity = 0 +PasswordHistorySize = 0 +RequireLogonToChangePassword = 0 +ClearTextPassword = 0 + [Application Log] MaximumLogSize = 512 AuditLogRetentionPeriod = 1 @@ -38,8 +47,8 @@ SeAuditPrivilege = *S-1-5-19, *S-1-5-20 SeBackupPrivilege = *S-1-5-32-544, *S-1-5-32-551 SeBatchLogonRight = SeChangeNotifyPrivilege = *S-1-1-0, *S-1-5-32-544, *S-1-5-32-545, *S-1-5-32-551 -SeCreatePagefilePrivilege = *S-1-5-32-544 SeCreateGlobalPrivilege = *S-1-5-4, *S-1-5-6, *S-1-5-32-544 +SeCreatePagefilePrivilege = *S-1-5-32-544 SeCreatePermanentPrivilege = SeCreateTokenPrivilege = SeDebugPrivilege = *S-1-5-32-544 -- 2.17.1