dcomcnfg functionality programmatically


Problem description

I can find all sorts of stuff on how to program for DCOM, but practically nothing on how to set/check the security programmatically.

I'm not trying to recreate dcomcnfg, but if I knew how to reproduce all the functionality of dcomcnfg in C# (preferred, or VB.net) then my goal is in sight.

I can't seem to be able to find any good resource on this, no open source APIs or even quick examples of how to do each step. Even here DCOM or dcomcnfg returns few results and none really about how to set/verify/list security.

If anybody has some pointers to an open API or some examples I would appreciate it.

Recommended answer

The answer posted by Daniel was HUGELY helpful. Thank you so much, Daniel!

An issue with Microsoft's documentation is that they indicate that the registry values contain an ACL in binary form. So, for instance, if you were trying to set the machine's default access (rather than per-process), you would be accessing registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission. However, my initial attempts to access this key using the System.Security.AccessControl.RawAcl class were failing.

As Daniel's code indicates, the value is not actually an ACL, but really is a SecurityDescriptor with the ACL in it.

So, even though I know this post is old, I'm going to post my solution for checking and setting the security settings and adding NetworkService for Default local access. Of course, you could take this and make it better I'm sure, but to get started you would simply need to change the key and the access mask.

using Microsoft.Win32;
using System.Security.AccessControl;
using System.Security.Principal;

//COM access-right bits stored in each ACE's access mask
static class ComACLRights{
    public const int COM_RIGHTS_EXECUTE= 1;
    public const int COM_RIGHTS_EXECUTE_LOCAL = 2;
    public const int COM_RIGHTS_EXECUTE_REMOTE = 4;
    public const int COM_RIGHTS_ACTIVATE_LOCAL = 8;
    public const int COM_RIGHTS_ACTIVATE_REMOTE = 16;
}
class Program
{
    static void Main(string[] args)
    {
        //the value holds a self-relative security descriptor, not a bare ACL
        var value = Registry.GetValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole", "DefaultAccessPermission", null);

        RawSecurityDescriptor sd;
        RawAcl acl;

        if (value == null)
        {
            System.Console.WriteLine("Default Access Permission key has not been created yet");
            //built explicitly with an empty DACL so that DiscretionaryAcl is never null in the loop below;
            //the value written at the end will then contain only the ACE added here
            sd = new RawSecurityDescriptor(ControlFlags.DiscretionaryAclPresent, null, null, null, new RawAcl(GenericAcl.AclRevision, 1));
        }else{
            sd = new RawSecurityDescriptor(value as byte[], 0);
        }
        acl = sd.DiscretionaryAcl;
        bool found = false;
        foreach (GenericAce ace in acl)
        {
            //only an allow ACE is updated: OR-ing rights into a deny ACE would deny them instead,
            //and ACE types other than CommonAce are skipped rather than cast
            CommonAce ca = ace as CommonAce;
            if (ca != null && ca.AceQualifier == AceQualifier.AccessAllowed
                && ca.SecurityIdentifier.IsWellKnown(WellKnownSidType.NetworkServiceSid))
            {
                //ensure local access is set
                ca.AccessMask |= ComACLRights.COM_RIGHTS_EXECUTE | ComACLRights.COM_RIGHTS_EXECUTE_LOCAL | ComACLRights.COM_RIGHTS_ACTIVATE_LOCAL;    //set local access.  Always set execute
                found = true;
                break;
            }
        }
        if(!found){
            //Network Service was not found.  Add it to the ACL
            SecurityIdentifier si = new SecurityIdentifier( 
                WellKnownSidType.NetworkServiceSid, null);
            CommonAce ca = new CommonAce(
                AceFlags.None, 
                AceQualifier.AccessAllowed, 
                ComACLRights.COM_RIGHTS_EXECUTE | ComACLRights.COM_RIGHTS_EXECUTE_LOCAL | ComACLRights.COM_RIGHTS_ACTIVATE_LOCAL, 
                si, 
                false, 
                null);
            acl.InsertAce(acl.Count, ca);
        }
        //re-set the ACL
        sd.DiscretionaryAcl = acl;

        //serialize the descriptor and write it back; writing under HKEY_LOCAL_MACHINE requires an elevated process
        byte[] binaryform = new byte[sd.BinaryLength];
        sd.GetBinaryForm(binaryform, 0);
        Registry.SetValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole", "DefaultAccessPermission", binaryform, RegistryValueKind.Binary);
    }
}
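
A read-only companion to the answer above, added here as an example and not part of the original post: it covers the "verify/list" half of the question by decoding each machine-wide DCOM security descriptor and printing every ACE with its COM rights, marking allow ACEs that grant remote launch, activation or access. The names DcomAclAudit and ComRights are made up for this example, and the three value names other than DefaultAccessPermission do not appear in the post.

```csharp
using System;
using System.Security.AccessControl;
using Microsoft.Win32;

static class DcomAclAudit
{
    // COM access rights, same bit values as ComACLRights in the answer above.
    [Flags]
    enum ComRights
    {
        Execute = 1, ExecuteLocal = 2, ExecuteRemote = 4,
        ActivateLocal = 8, ActivateRemote = 16
    }

    // Machine-wide values under the Ole key; each holds a binary security descriptor.
    static readonly string[] ValueNames =
    {
        "DefaultAccessPermission", "DefaultLaunchPermission",
        "MachineAccessRestriction", "MachineLaunchRestriction"
    };

    static void Main()
    {
        foreach (string name in ValueNames)
        {
            var raw = Registry.GetValue(@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", name, null) as byte[];
            Console.WriteLine(name + (raw == null ? ": not set" : ":"));
            if (raw == null) continue;

            // As in the answer: parse a security descriptor, then take its DACL.
            var sd = new RawSecurityDescriptor(raw, 0);
            if (sd.DiscretionaryAcl == null) { Console.WriteLine("  no DACL present"); continue; }

            foreach (GenericAce ace in sd.DiscretionaryAcl)
            {
                var ca = ace as CommonAce;   // ACE types this example does not decode are skipped
                if (ca == null) continue;
                var rights = (ComRights)ca.AccessMask;
                bool remote = ca.AceQualifier == AceQualifier.AccessAllowed &&
                    (rights & (ComRights.ExecuteRemote | ComRights.ActivateRemote)) != 0;
                Console.WriteLine("  {0,-14} {1,-48} {2}{3}",
                    ca.AceQualifier, ca.SecurityIdentifier.Value, rights,
                    remote ? "  <-- grants remote rights" : "");
            }
        }
    }
}
```

Running it before and after a change such as the one in the answer shows exactly which ACE was added or widened.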
