WFP object security

  • Question

  • I have read the MSDN pages on "hindering filter deletion", "Forcing filter deletion", "Access Control in WFP" and a few posts here in the forum, and a certain scenario still doesn't make sense to me:

    If I pass a security descriptor to one of the Fwpm***Add functions which specifies a DACL with one deny ACE to world for GENERIC_ALL access, why is it still possible for the administrator (note: not using the "force delete" method) to simply delete the filter from user mode?

    Dumping the ACEs in the object's DACL from UM shows my deny ACE and some more (inherited?) ACEs:

    ACE #0:  Access-denied ACE for rights 000f07ff
    ACE #1:  Access-allowed ACE for rights 000f07ff
    ACE #2:  Access-allowed ACE for rights 000307ff
    ACE #3:  Access-allowed ACE for rights 000307ff
    ACE #4:  Access-allowed ACE for rights 000307ff
    ACE #5:  Access-allowed ACE for rights 000203f4
    ACE #6:  Access-allowed ACE for rights 000307ff
    ACE #7:  Access-allowed ACE for rights 000307ff
    ACE #8:  Access-allowed ACE for rights 000203f4
    ACE #9:  Access-allowed ACE for rights 00000050

    Tuesday, June 25, 2013 3:53 PM
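
    Added example, not part of the original post: a Python decoder that parses the ACE dump quoted above and splits each access mask into standard rights (winnt.h) and WFP-specific FWPM_ACTRL_* rights (fwpmu.h). The function names are this example's own, and the dump carries no SIDs, so only the masks can be interpreted, not the trustees.

```python
import re

# Standard rights (winnt.h) and WFP object-specific rights (FWPM_ACTRL_*, fwpmu.h).
RIGHTS = {
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
    0x001: "FWPM_ACTRL_ADD", 0x002: "FWPM_ACTRL_ADD_LINK",
    0x004: "FWPM_ACTRL_BEGIN_READ_TXN", 0x008: "FWPM_ACTRL_BEGIN_WRITE_TXN",
    0x010: "FWPM_ACTRL_CLASSIFY", 0x020: "FWPM_ACTRL_ENUM",
    0x040: "FWPM_ACTRL_OPEN", 0x080: "FWPM_ACTRL_READ",
    0x100: "FWPM_ACTRL_READ_STATS", 0x200: "FWPM_ACTRL_SUBSCRIBE",
    0x400: "FWPM_ACTRL_WRITE",
}
ACE_LINE = re.compile(
    r"ACE #(\d+):\s+Access-(denied|allowed) ACE for rights ([0-9a-fA-F]{8})")

# The dump exactly as quoted in the post.
DUMP = """
ACE #0:  Access-denied ACE for rights 000f07ff
ACE #1:  Access-allowed ACE for rights 000f07ff
ACE #2:  Access-allowed ACE for rights 000307ff
ACE #3:  Access-allowed ACE for rights 000307ff
ACE #4:  Access-allowed ACE for rights 000307ff
ACE #5:  Access-allowed ACE for rights 000203f4
ACE #6:  Access-allowed ACE for rights 000307ff
ACE #7:  Access-allowed ACE for rights 000307ff
ACE #8:  Access-allowed ACE for rights 000203f4
ACE #9:  Access-allowed ACE for rights 00000050
"""

def decode_mask(mask):
    """Return the named rights set in mask; unnamed bits are reported as hex."""
    names = [name for bit, name in RIGHTS.items() if mask & bit]
    leftover = mask & ~sum(RIGHTS)
    return names + (["UNKNOWN(0x%08x)" % leftover] if leftover else [])

def parse_dump(text):
    """Return (index, 'denied'|'allowed', mask) for every ACE line in text."""
    return [(int(i), kind, int(mask, 16)) for i, kind, mask in ACE_LINE.findall(text)]

def aces_with(text, right):
    """Indices of the ACEs whose mask includes the named right."""
    return [i for i, _, mask in parse_dump(text) if right in decode_mask(mask)]

if __name__ == "__main__":
    for index, kind, mask in parse_dump(DUMP):
        print("ACE #%d %-7s 0x%08x %s" % (index, kind, mask, " | ".join(decode_mask(mask))))
    print("ACEs carrying DELETE:", aces_with(DUMP, "DELETE"))
```

    In this dump only ACE #0 and ACE #1 carry WRITE_DAC and WRITE_OWNER; the 000307ff entries carry DELETE and READ_CONTROL plus every FWPM_ACTRL_* bit.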