dcomcnfg 功能以编程方式 [英] dcomcnfg functionality programmatically
问题描述
我可以找到关于如何为 DCOM 编程的各种内容,但几乎没有关于如何以编程方式设置/检查安全性的内容.
I can find all sorts of stuff on how to program for DCOM, but practically nothing on how to set/check the security programmatically.
我不是要重新创建 dcomcnfg,但如果我知道如何在 C#(首选,或 VB.net)中重现 dcomcnfg 的所有功能,那么我的目标就在眼前.
I'm not trying to recreate dcomcnfg, but if I knew how to reproduce all the functionality of dcomcnfg in C# (preferred, or VB.net) then my goal is in sight.
我似乎无法在这方面找到任何好的资源,没有开源 API,甚至没有关于如何执行每个步骤的快速示例.即使在这里 DCOM 或 dcomcnfg 返回的结果也很少,也没有真正涉及如何设置/验证/列出安全性.
I can't seem to be able to find any good resource on this, no open source API's or even quick examples of how to do each step. Even here DCOM or dcomcnfg returns few results and none really about how to set/verify/list security.
如果有人有一些指向开放 API 的指针或一些示例,我将不胜感激.
If anybody has some pointers to an open API or some examples I would appreciate it.
推荐答案
Daniel 发布的答案非常有帮助.非常感谢你,丹尼尔!
The answer posted by Daniel was HUGELY helpful. Thank you so much, Daniel!
微软文档的问题是它们表明注册表值包含二进制形式的 ACL.因此,例如,如果您尝试设置机器的默认访问权限(而不是每个进程),您将访问注册表项 HKEY_LOCAL_MACHINESOFTWAREMicrosoftOleDefaultAccessPermission.但是,在我最初尝试使用 System.Security.AccessControl.RawACL 类访问此密钥时失败了.
An issue with Microsoft's documentation is that they indicate that the registry values contain an ACL in binary form. So, for instance, if you were trying to set the machine's default access (rather than per-process), you would be accessing registry key HKEY_LOCAL_MACHINESOFTWAREMicrosoftOleDefaultAccessPermission. However, in my initial attempts to access this key using the System.Security.AccessControl.RawACL class were failing.
正如 Daniel 的代码所指出的,该值实际上不是一个 ACL,而是一个包含 ACL 的 SecurityDescriptor.
As Daniel's code indicate's the value is not actually an ACL, but really is a SecurityDescriptor with the ACL in it.
所以,即使我知道这篇文章很旧,我还是要发布我的解决方案,用于检查和设置安全设置并为默认本地访问添加 NetworkService.当然,我敢肯定,您可以采用它并使其变得更好,但要开始使用,您只需更改密钥和访问掩码.
So, even though I know this post is old, I'm going to post my solution for checking and setting the security settings and adding NetworkService for Default local access. Of course, you could take this and make it better I'm sure, but to get started you would simply need to change the key and the access mask.
static class ComACLRights{
public const int COM_RIGHTS_EXECUTE= 1;
public const int COM_RIGHTS_EXECUTE_LOCAL = 2;
public const int COM_RIGHTS_EXECUTE_REMOTE = 4;
public const int COM_RIGHTS_ACTIVATE_LOCAL = 8;
public const int COM_RIGHTS_ACTIVATE_REMOTE = 16;
}
class Program
{
static void Main(string[] args)
{
var value = Registry.GetValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "DefaultAccessPermission", null);
RawSecurityDescriptor sd;
RawAcl acl;
if (value == null)
{
System.Console.WriteLine("Default Access Permission key has not been created yet");
sd = new RawSecurityDescriptor("");
}else{
sd = new RawSecurityDescriptor(value as byte[], 0);
}
acl = sd.DiscretionaryAcl;
bool found = false;
foreach (CommonAce ca in acl)
{
if (ca.SecurityIdentifier.IsWellKnown(WellKnownSidType.NetworkServiceSid))
{
//ensure local access is set
ca.AccessMask |= ComACLRights.COM_RIGHTS_EXECUTE | ComACLRights.COM_RIGHTS_EXECUTE_LOCAL | ComACLRights.COM_RIGHTS_ACTIVATE_LOCAL; //set local access. Always set execute
found = true;
break;
}
}
if(!found){
//Network Service was not found. Add it to the ACL
SecurityIdentifier si = new SecurityIdentifier(
WellKnownSidType.NetworkServiceSid, null);
CommonAce ca = new CommonAce(
AceFlags.None,
AceQualifier.AccessAllowed,
ComACLRights.COM_RIGHTS_EXECUTE | ComACLRights.COM_RIGHTS_EXECUTE_LOCAL | ComACLRights.COM_RIGHTS_ACTIVATE_LOCAL,
si,
false,
null);
acl.InsertAce(acl.Count, ca);
}
//re-set the ACL
sd.DiscretionaryAcl = acl;
byte[] binaryform = new byte[sd.BinaryLength];
sd.GetBinaryForm(binaryform, 0);
Registry.SetValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "DefaultAccessPermission", binaryform, RegistryValueKind.Binary);
}
}
这篇关于dcomcnfg 功能以编程方式的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
