Security Descriptor in FwpmFilterAdd0

  • Question

  • Hi,

    I'm searching for an example or explanation where my own Security Descriptor (SD) is passed directly as an argument when calling the FwpmFilterAdd0 function, to add my own security rules to the new filter. In the examples on MSDN I only see NULL being passed at creation time, and in the "Hindering Filter Deletion" example the SD is created later. Passing NULL while creating the filter tells WFP to use the SD from the sublayer, right? (inheritance)

    The second question is nearly the same. What is the easiest way to create my own SD? Should I use FwpmSubLayerGetSecurityInfoByKey0 to fetch the SD from the sublayer where I plan to add my filter and then modify it, or must I use another way (the BuildSecurityDescriptor function, and build it completely new on my own)?

    If someone can provide me with information on SDs I will be very grateful.

    Thanks
    Novan
    Tuesday, May 19, 2009 4:06 PM

Answers

  • Hi,

    The Security Descriptor is actually inherited from the FWPM_FILTER0 container (this is true for the other objects as well, i.e. the Security Descriptor for FwpmSubLayerAdd0() is by default inherited from the FWPM_SUBLAYER0 container). The ACL on the Filters by default is:

    "O:LSG:LSD:AI(A;ID;0xf07ff;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;0x307ff;;;NO)(A;OICIIOID;GXGWGR;;;NO)(A;ID;0x307ff;;;S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052)(A;OICIIOID;GXGWGR;;;S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052)(A;ID;0x307ff;;;S-1-5-80-2006800713-1441093265-249754844-3404434343-1444102779)(A;OICIIOID;GXGWGR;;;S-1-5-80-2006800713-1441093265-249754844-3404434343-1444102779)(A;ID;0x203f4;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;OICIIOID;GXGR;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;ID;0x307ff;;;S-1-5-80-3044542841-3639452079-4096941652-1606687743-1256249853)(A;OICIIOID;GXGWGR;;;S-1-5-80-3044542841-3639452079-4096941652-1606687743-1256249853)(A;ID;0x307ff;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)(A;OICIIOID;GXGWGR;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)(A;ID;0x203f4;;;S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420)(A;OICIIOID;GXGR;;;S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420)(A;OICIID;RPDT;;;WD)"

    This represents a Security Descriptor where the Owner (O:) is the Local System (LS), the Group (G:) is the Local System (LS), the DACL (D:) is auto-inherited (AI) and the rest are the ACE strings, i.e. (ACCESS_ALLOWED (A;) Inherited (ID;) Access Rights (0xF07FF;) for the Built-in Administrators SID (BA)).

    The default can be changed by using FwpmFilterSetSecurityDescriptor0() and passing 0 in for the 2nd parameter (again, the other objects follow the same suit).

    Probably the easiest way to create your Security Descriptors is to use the SDDL language and associated APIs to create the Security Descriptor.

    More information on SDDL can be found at http://msdn.microsoft.com/en-us/library/aa379567.aspx.

    I hope this helps.
    Dusty Harper [MSFT]
    Wednesday, May 27, 2009 5:39 AM
    Moderator
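An added example that is not part of the thread above: the answer decodes only the first ACE of the default filter ACL, so the C below parses the whole quoted SDDL string into ACEs and names the bits in each access mask (the eleven FWPM_ACTRL_* object rights from fwptypes.h, the standard rights DELETE/READ_CONTROL/WRITE_DAC/WRITE_OWNER, and the generic rights), which shows what masks such as 0x307ff, 0x203f4 and RPDT actually grant and which ACEs are inherit-only templates. The portable part runs anywhere; the `#ifdef _WIN32` tail shows the step the question asks about, converting a custom SDDL string with ConvertStringSecurityDescriptorToSecurityDescriptorW and handing the result to FwpmFilterAdd0 as its third argument. The helper name `add_filter_with_sddl`, the trustee display width and the 80-character field limit are this example's own choices; the SDDL text is copied verbatim from the answer.

```c
/* Added example, not code from the thread: decode the SDDL the answer quotes as the
 * default filter-container ACL and, on Windows only, turn a custom SDDL string into the
 * SECURITY_DESCRIPTOR argument of FwpmFilterAdd0. Bit values follow fwptypes.h/winnt.h. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef struct { const char *code; unsigned val; } sddl_tok;
/* Access-mask bit names: the 11 WFP object rights (FWPM_ACTRL_*), then standard, then generic. */
static const sddl_tok mask_names[] = {
    {"ADD", 0x1u}, {"ADD_LINK", 0x2u}, {"BEGIN_READ_TXN", 0x4u}, {"BEGIN_WRITE_TXN", 0x8u},
    {"CLASSIFY", 0x10u}, {"ENUM", 0x20u}, {"OPEN", 0x40u}, {"READ", 0x80u}, {"READ_STATS", 0x100u},
    {"SUBSCRIBE", 0x200u}, {"WRITE", 0x400u}, {"DELETE", 0x10000u}, {"READ_CONTROL", 0x20000u},
    {"WRITE_DAC", 0x40000u}, {"WRITE_OWNER", 0x80000u}, {"GENERIC_ALL", 0x10000000u},
    {"GENERIC_EXECUTE", 0x20000000u}, {"GENERIC_WRITE", 0x40000000u}, {"GENERIC_READ", 0x80000000u} };
/* SDDL rights codes used in WFP descriptors; RP/DT are the directory-property letters
 * (0x10 and 0x40), which land on CLASSIFY and OPEN when the object is a WFP filter. */
static const sddl_tok right_codes[] = {
    {"GA", 0x10000000u}, {"GX", 0x20000000u}, {"GW", 0x40000000u}, {"GR", 0x80000000u},
    {"RC", 0x20000u}, {"SD", 0x10000u}, {"WD", 0x40000u}, {"WO", 0x80000u}, {"RP", 0x10u}, {"DT", 0x40u} };
/* ACE flags; an IO (inherit-only) ACE is a template for new filters and grants nothing on the container. */
static const sddl_tok flag_codes[] = {
    {"OI", 0x1u}, {"CI", 0x2u}, {"NP", 0x4u}, {"IO", 0x8u}, {"ID", 0x10u} };
/* OR together consecutive two-letter codes; 0 if any code is unknown (refuse, don't guess). */
static unsigned sum_codes(const char *s, const sddl_tok *t, size_t n) {
    unsigned m = 0; size_t i;
    for (; strlen(s) >= 2; s += 2) {
        for (i = 0; i < n && strncmp(s, t[i].code, 2) != 0; i++) {}
        if (i == n) return 0;
        m |= t[i].val;
    }
    return m;
}
unsigned sddl_rights_mask(const char *s) {      /* hex mask ("0xf07ff") or codes ("GXGWGR") */
    if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) return (unsigned)strtoul(s, NULL, 16);
    return sum_codes(s, right_codes, sizeof right_codes / sizeof *right_codes);
}
unsigned sddl_ace_flags(const char *s) {        /* "OICIIOID" -> OI|CI|IO|ID = 0x1b */
    return sum_codes(s, flag_codes, sizeof flag_codes / sizeof *flag_codes);
}
/* Render a mask as "ADD|ADD_LINK|...": what 0x307ff or 0x203f4 actually grants. */
const char *sddl_describe_mask(unsigned mask, char *buf, size_t n) {
    size_t i, used = 0;
    for (buf[0] = 0, i = 0; i < sizeof mask_names / sizeof *mask_names; i++)
        if (mask & mask_names[i].val)
            used += (size_t)snprintf(buf + used, used < n ? n - used : 0, "%s%s",
                                     used ? "|" : "", mask_names[i].code);
    return buf;
}
typedef struct { char type; unsigned flags, mask; char trustee[64]; } sddl_ace;
/* Split the D: section into ACEs (type;flags;rights;objguid;inhguid;trustee).
 * Returns the ACE count, or -1 if there is no DACL, an ACE is malformed, or out is full. */
int sddl_parse_dacl(const char *sddl, sddl_ace *out, int max) {
    const char *p = strstr(sddl, "D:"), *q;
    int n = 0;
    if (!p) return -1;
    while ((p = strchr(p, '(')) != NULL && (q = strchr(p, ')')) != NULL) {
        char fld[6][80] = {{0}}; int f = 0; size_t len = 0;
        for (++p; p < q; ++p)
            if (*p == ';') { if (++f == 6) return -1; len = 0; }
            else if (len < 79) fld[f][len++] = *p;
        if (f != 5 || n == max) return -1;
        out[n].type = fld[0][0];
        out[n].flags = sddl_ace_flags(fld[1]);
        out[n].mask = sddl_rights_mask(fld[2]);
        snprintf(out[n].trustee, sizeof out[n].trustee, "%s", fld[5]);
        n++;
    }
    return n;
}
/* The default filter ACL exactly as quoted in the answer above. */
const char DEFAULT_FILTER_SDDL[] = "O:LSG:LSD:AI"
    "(A;ID;0xf07ff;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;0x307ff;;;NO)(A;OICIIOID;GXGWGR;;;NO)"
    "(A;ID;0x307ff;;;S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052)(A;OICIIOID;GXGWGR;;;S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052)"
    "(A;ID;0x307ff;;;S-1-5-80-2006800713-1441093265-249754844-3404434343-1444102779)(A;OICIIOID;GXGWGR;;;S-1-5-80-2006800713-1441093265-249754844-3404434343-1444102779)"
    "(A;ID;0x203f4;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;OICIIOID;GXGR;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)"
    "(A;ID;0x307ff;;;S-1-5-80-3044542841-3639452079-4096941652-1606687743-1256249853)(A;OICIIOID;GXGWGR;;;S-1-5-80-3044542841-3639452079-4096941652-1606687743-1256249853)"
    "(A;ID;0x307ff;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)(A;OICIIOID;GXGWGR;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)"
    "(A;ID;0x203f4;;;S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420)(A;OICIIOID;GXGR;;;S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420)"
    "(A;OICIID;RPDT;;;WD)";
int main(void) {
    sddl_ace a[32]; char d[256]; int i, n = sddl_parse_dacl(DEFAULT_FILTER_SDDL, a, 32);
    for (i = 0; i < n; i++)   /* one line per ACE: type, IO/ID flags, raw mask, trustee, decoded mask */
        printf("%c %-3s%-3s%08x %-24.24s %s\n", a[i].type, a[i].flags & 0x8u ? "IO" : "",
               a[i].flags & 0x10u ? "ID" : "", a[i].mask, a[i].trustee, sddl_describe_mask(a[i].mask, d, sizeof d));
    return n < 0;
}
#ifdef _WIN32  /* Windows only; link fwpuclnt.lib and advapi32.lib. Helper name is this example's. */
#include <winsock2.h>
#include <windows.h>
#include <sddl.h>
#include <fwpmu.h>
/* Build a self-relative SD from SDDL and pass it as FwpmFilterAdd0's 3rd argument,
 * so the new filter gets this DACL instead of inheriting the container's default. */
DWORD add_filter_with_sddl(HANDLE engine, const FWPM_FILTER0 *flt, const wchar_t *sddl, UINT64 *id) {
    PSECURITY_DESCRIPTOR sd = NULL; ULONG sdLen = 0; DWORD rc;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(sddl, SDDL_REVISION_1, &sd, &sdLen))
        return GetLastError();
    rc = FwpmFilterAdd0(engine, flt, sd, id);          /* ERROR_SUCCESS (0) on success */
    LocalFree(sd);
    return rc;
}
#endif
```

Running the portable part prints 17 ACEs: eight inherit-only templates (one per trustee except Everyone) and nine that are in force on the container. The Everyone ACE (WD) decodes to CLASSIFY|OPEN, which is why any caller can open the engine and classify but not add, enumerate or delete filters; 0x307ff is all eleven WFP rights plus DELETE and READ_CONTROL, 0xf07ff adds WRITE_DAC and WRITE_OWNER, and 0x203f4 is the read-only subset (BEGIN_READ_TXN, CLASSIFY, ENUM, OPEN, READ, READ_STATS, SUBSCRIBE, READ_CONTROL). Two details worth knowing when reading the decoded header: in SDDL the abbreviation LS is the well-known SID for Local Service (S-1-5-19) and SY is Local System (S-1-5-18); and the SDK name of the call that takes the object key as its second parameter (NULL for the container default) is FwpmFilterSetSecurityInfoByKey0, which takes owner, group, DACL and SACL pointers rather than a whole descriptor, so after ConvertStringSecurityDescriptorToSecurityDescriptorW you would pull the DACL out with GetSecurityDescriptorDacl before calling it.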