windows-nt/Source/XPSP1/NT/ds/netapi/svcdlls/logonsrv/server/nlsecure.c

/*++

Copyright (c) 1991-1996  Microsoft Corporation

Module Name:

    nlsecure.c

Abstract:

    This module contains the Netlogon service support routines
    which create security objects and enforce security _access checking.

Author:

    Cliff Van Dyke (CliffV) 22-Aug-1991

Revision History:

--*/


#include "logonsrv.h"   // Include files common to entire service
#pragma hdrstop


//
// Include nlsecure.h again allocating the actual variables
// this time around.
//

#define NLSECURE_ALLOCATE
#include "nlsecure.h"
#undef NLSECURE_ALLOCATE


NTSTATUS
NlCreateNetlogonObjects(
    VOID
    )
/*++

Routine Description:

    This function creates the workstation user-mode objects which are
    represented by security descriptors.

Arguments:

    None.

Return Value:

    NT status code

--*/
{
    NTSTATUS Status;

    //
    // Order matters!  These ACEs are inserted into the DACL in the
    // following order.  Security access is granted or denied based on
    // the order of the ACEs in the DACL.
    //
    //
    // Members of Group SECURITY_LOCAL aren't allowed to do a UAS logon
    // to force it to be done remotely.
    //

    ACE_DATA AceData[] = {

        {ACCESS_DENIED_ACE_TYPE, 0, 0,
               NETLOGON_UAS_LOGON_ACCESS |
               NETLOGON_UAS_LOGOFF_ACCESS,
                                            &LocalSid},

        {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
               GENERIC_ALL,                 &AliasAdminsSid},

        {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
               NETLOGON_CONTROL_ACCESS,     &AliasAccountOpsSid},

        {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
               NETLOGON_CONTROL_ACCESS,     &AliasSystemOpsSid},

        {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
               NETLOGON_CONTROL_ACCESS |
               NETLOGON_SERVICE_ACCESS,     &LocalSystemSid},

        {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
               NETLOGON_SERVICE_ACCESS,     &LocalServiceSid},

        {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
               NETLOGON_FTINFO_ACCESS,      &AuthenticatedUserSid},

        {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
               NETLOGON_UAS_LOGON_ACCESS |
               NETLOGON_UAS_LOGOFF_ACCESS |
               NETLOGON_QUERY_ACCESS,       &WorldSid}
    };

    //
    // Actually create the security descriptor.
    //

    Status = NetpCreateSecurityObject(
               AceData,
               sizeof(AceData)/sizeof(AceData[0]),
               AliasAdminsSid,
               AliasAdminsSid,
               &NlGlobalNetlogonInfoMapping,
               &NlGlobalNetlogonSecurityDescriptor );

    return Status;

}