| | 1 | | using System; |
| | 2 | | using System.Collections.Concurrent; |
| | 3 | | using System.Collections.Generic; |
| | 4 | | using System.DirectoryServices; |
| | 5 | | using System.Security.AccessControl; |
| | 6 | | using System.Security.Principal; |
| | 7 | | using Microsoft.Extensions.Logging; |
| | 8 | | using SharpHoundCommonLib.Enums; |
| | 9 | | using SharpHoundCommonLib.OutputTypes; |
| | 10 | | using SearchScope = System.DirectoryServices.Protocols.SearchScope; |
| | 11 | |
|
| | 12 | | namespace SharpHoundCommonLib.Processors |
| | 13 | | { |
| | 14 | | public class ACLProcessor |
| | 15 | | { |
| | 16 | | private static readonly Dictionary<Label, string> BaseGuids; |
| 1 | 17 | | private static readonly ConcurrentDictionary<string, string> GuidMap = new(); |
| | 18 | | private static bool _isCacheBuilt; |
| | 19 | | private readonly ILogger _log; |
| | 20 | | private readonly ILDAPUtils _utils; |
| | 21 | |
|
| | 22 | | static ACLProcessor() |
| 1 | 23 | | { |
| | 24 | | //Create a dictionary with the base GUIDs of each object type |
| 1 | 25 | | BaseGuids = new Dictionary<Label, string> |
| 1 | 26 | | { |
| 1 | 27 | | {Label.User, "bf967aba-0de6-11d0-a285-00aa003049e2"}, |
| 1 | 28 | | {Label.Computer, "bf967a86-0de6-11d0-a285-00aa003049e2"}, |
| 1 | 29 | | {Label.Group, "bf967a9c-0de6-11d0-a285-00aa003049e2"}, |
| 1 | 30 | | {Label.Domain, "19195a5a-6da0-11d0-afd3-00c04fd930c9"}, |
| 1 | 31 | | {Label.GPO, "f30e3bc2-9ff0-11d1-b603-0000f80367c1"}, |
| 1 | 32 | | {Label.OU, "bf967aa5-0de6-11d0-a285-00aa003049e2"}, |
| 1 | 33 | | {Label.Container, "bf967a8b-0de6-11d0-a285-00aa003049e2"}, |
| 1 | 34 | | {Label.Configuration, "bf967a87-0de6-11d0-a285-00aa003049e2"}, |
| 1 | 35 | | {Label.RootCA, "3fdfee50-47f4-11d1-a9c3-0000f80367c1"}, |
| 1 | 36 | | {Label.AIACA, "3fdfee50-47f4-11d1-a9c3-0000f80367c1"}, |
| 1 | 37 | | {Label.EnterpriseCA, "ee4aa692-3bba-11d2-90cc-00c04fd91ab1"}, |
| 1 | 38 | | {Label.NTAuthStore, "3fdfee50-47f4-11d1-a9c3-0000f80367c1"}, |
| 1 | 39 | | {Label.CertTemplate, "e5209ca2-3bba-11d2-90cc-00c04fd91ab1"}, |
| 1 | 40 | | {Label.IssuancePolicy, "37cfd85c-6719-4ad8-8f9e-8678ba627563"} |
| 1 | 41 | | }; |
| 1 | 42 | | } |
| | 43 | |
|
| 68 | 44 | | public ACLProcessor(ILDAPUtils utils, bool noGuidCache = false, ILogger log = null, string domain = null) |
| 68 | 45 | | { |
| 68 | 46 | | _utils = utils; |
| 68 | 47 | | _log = log ?? Logging.LogProvider.CreateLogger("ACLProc"); |
| 68 | 48 | | if (!noGuidCache) |
| 35 | 49 | | BuildGUIDCache(domain); |
| 68 | 50 | | } |
| | 51 | |
|
| | 52 | | /// <summary> |
| | 53 | | /// Builds a mapping of GUID -> Name for LDAP rights. Used for rights that are created using an extended sch |
| | 54 | | /// LAPS |
| | 55 | | /// </summary> |
| | 56 | | private void BuildGUIDCache(string domain) |
| 35 | 57 | | { |
| 35 | 58 | | if (_isCacheBuilt) |
| 0 | 59 | | return; |
| | 60 | |
|
| 35 | 61 | | var forest = _utils.GetForest(domain); |
| 35 | 62 | | if (forest == null) |
| 35 | 63 | | { |
| 35 | 64 | | _log.LogError("BuildGUIDCache - Unable to resolve forest"); |
| 35 | 65 | | return; |
| | 66 | | } |
| | 67 | |
|
| 0 | 68 | | var schema = forest.Schema.Name; |
| 0 | 69 | | if (string.IsNullOrEmpty(schema)) |
| 0 | 70 | | { |
| 0 | 71 | | _log.LogError("BuildGUIDCache - Schema string is null or empty"); |
| 0 | 72 | | return; |
| | 73 | | } |
| | 74 | |
|
| 0 | 75 | | _log.LogTrace("Requesting schema from {Schema}", schema); |
| 0 | 76 | | foreach (var entry in _utils.QueryLDAP("(schemaIDGUID=*)", SearchScope.Subtree, |
| 0 | 77 | | new[] {LDAPProperties.SchemaIDGUID, LDAPProperties.Name}, adsPath: schema)) |
| 0 | 78 | | { |
| 0 | 79 | | var name = entry.GetProperty(LDAPProperties.Name)?.ToLower(); |
| 0 | 80 | | var guid = new Guid(entry.GetByteProperty(LDAPProperties.SchemaIDGUID)).ToString(); |
| 0 | 81 | | GuidMap.TryAdd(guid, name); |
| 0 | 82 | | } |
| | 83 | |
|
| 0 | 84 | | _log.LogTrace("BuildGUIDCache - Successfully grabbed schema"); |
| | 85 | |
|
| 0 | 86 | | _isCacheBuilt = true; |
| 35 | 87 | | } |
| | 88 | |
|
| | 89 | | /// <summary> |
| | 90 | | /// Helper function to use commonlib types in IsACLProtected |
| | 91 | | /// </summary> |
| | 92 | | /// <param name="entry"></param> |
| | 93 | | /// <returns></returns> |
| | 94 | | public bool IsACLProtected(ISearchResultEntry entry) |
| 0 | 95 | | { |
| 0 | 96 | | var ntsd = entry.GetByteProperty(LDAPProperties.SecurityDescriptor); |
| 0 | 97 | | return IsACLProtected(ntsd); |
| 0 | 98 | | } |
| | 99 | |
|
| | 100 | | /// <summary> |
| | 101 | | /// Gets the protection state of the access control list |
| | 102 | | /// </summary> |
| | 103 | | /// <param name="ntSecurityDescriptor"></param> |
| | 104 | | /// <returns></returns> |
| | 105 | | public bool IsACLProtected(byte[] ntSecurityDescriptor) |
| 3 | 106 | | { |
| 3 | 107 | | if (ntSecurityDescriptor == null) |
| 1 | 108 | | return false; |
| | 109 | |
|
| 2 | 110 | | var descriptor = _utils.MakeSecurityDescriptor(); |
| 2 | 111 | | descriptor.SetSecurityDescriptorBinaryForm(ntSecurityDescriptor); |
| | 112 | |
|
| 2 | 113 | | return descriptor.AreAccessRulesProtected(); |
| 3 | 114 | | } |
| | 115 | |
|
| | 116 | | /// <summary> |
| | 117 | | /// Helper function to use common lib types and pass appropriate vars to ProcessACL |
| | 118 | | /// </summary> |
| | 119 | | /// <param name="result"></param> |
| | 120 | | /// <param name="searchResult"></param> |
| | 121 | | /// <returns></returns> |
| | 122 | | public IEnumerable<ACE> ProcessACL(ResolvedSearchResult result, ISearchResultEntry searchResult) |
| 0 | 123 | | { |
| 0 | 124 | | var descriptor = searchResult.GetByteProperty(LDAPProperties.SecurityDescriptor); |
| 0 | 125 | | var domain = result.Domain; |
| 0 | 126 | | var type = result.ObjectType; |
| 0 | 127 | | var hasLaps = searchResult.HasLAPS(); |
| 0 | 128 | | var name = result.DisplayName; |
| | 129 | |
|
| 0 | 130 | | return ProcessACL(descriptor, domain, type, hasLaps, name); |
| 0 | 131 | | } |
| | 132 | |
|
| | 133 | | /// <summary> |
| | 134 | | /// Read's the ntSecurityDescriptor from a SearchResultEntry and processes the ACEs in the ACL, filtering ou |
| | 135 | | /// BloodHound is not interested in |
| | 136 | | /// </summary> |
| | 137 | | /// <param name="ntSecurityDescriptor"></param> |
| | 138 | | /// <param name="objectDomain"></param> |
| | 139 | | /// <param name="objectName"></param> |
| | 140 | | /// <param name="objectType"></param> |
| | 141 | | /// <param name="hasLaps"></param> |
| | 142 | | /// <returns></returns> |
| | 143 | | public IEnumerable<ACE> ProcessACL(byte[] ntSecurityDescriptor, string objectDomain, |
| | 144 | | Label objectType, |
| | 145 | | bool hasLaps, string objectName = "") |
| 28 | 146 | | { |
| 28 | 147 | | if (ntSecurityDescriptor == null) |
| 1 | 148 | | { |
| 1 | 149 | | _log.LogDebug("Security Descriptor is null for {Name}", objectName); |
| 1 | 150 | | yield break; |
| | 151 | | } |
| | 152 | |
|
| 27 | 153 | | var descriptor = _utils.MakeSecurityDescriptor(); |
| | 154 | | try |
| 27 | 155 | | { |
| 27 | 156 | | descriptor.SetSecurityDescriptorBinaryForm(ntSecurityDescriptor); |
| 27 | 157 | | } |
| 0 | 158 | | catch (OverflowException) |
| 0 | 159 | | { |
| 0 | 160 | | _log.LogWarning( |
| 0 | 161 | | "Security descriptor on object {Name} exceeds maximum allowable length. Unable to process", |
| 0 | 162 | | objectName); |
| 0 | 163 | | yield break; |
| | 164 | | } |
| | 165 | |
|
| 27 | 166 | | var ownerSid = Helpers.PreProcessSID(descriptor.GetOwner(typeof(SecurityIdentifier))); |
| | 167 | |
|
| 27 | 168 | | if (ownerSid != null) |
| 4 | 169 | | { |
| 4 | 170 | | var resolvedOwner = _utils.ResolveIDAndType(ownerSid, objectDomain); |
| 4 | 171 | | if (resolvedOwner != null) |
| 4 | 172 | | yield return new ACE |
| 4 | 173 | | { |
| 4 | 174 | | PrincipalType = resolvedOwner.ObjectType, |
| 4 | 175 | | PrincipalSID = resolvedOwner.ObjectIdentifier, |
| 4 | 176 | | RightName = EdgeNames.Owns, |
| 4 | 177 | | IsInherited = false |
| 4 | 178 | | }; |
| 4 | 179 | | } |
| | 180 | | else |
| 23 | 181 | | { |
| 23 | 182 | | _log.LogDebug("Owner is null for {Name}", objectName); |
| 23 | 183 | | } |
| | 184 | |
|
| 199 | 185 | | foreach (var ace in descriptor.GetAccessRules(true, true, typeof(SecurityIdentifier))) |
| 60 | 186 | | { |
| 60 | 187 | | if (ace == null) |
| 1 | 188 | | { |
| 1 | 189 | | _log.LogTrace("Skipping null ACE for {Name}", objectName); |
| 1 | 190 | | continue; |
| | 191 | | } |
| | 192 | |
|
| 59 | 193 | | if (ace.AccessControlType() == AccessControlType.Deny) |
| 1 | 194 | | { |
| 1 | 195 | | _log.LogTrace("Skipping deny ACE for {Name}", objectName); |
| 1 | 196 | | continue; |
| | 197 | | } |
| | 198 | |
|
| 58 | 199 | | if (!ace.IsAceInheritedFrom(BaseGuids[objectType])) |
| 6 | 200 | | { |
| 6 | 201 | | _log.LogTrace("Skipping ACE with unmatched GUID/inheritance for {Name}", objectName); |
| 6 | 202 | | continue; |
| | 203 | | } |
| | 204 | |
|
| 52 | 205 | | var ir = ace.IdentityReference(); |
| 52 | 206 | | var principalSid = Helpers.PreProcessSID(ir); |
| | 207 | |
|
| 52 | 208 | | if (principalSid == null) |
| 9 | 209 | | { |
| 9 | 210 | | _log.LogTrace("Pre-Process excluded SID {SID} on {Name}", ir ?? "null", objectName); |
| 9 | 211 | | continue; |
| | 212 | | } |
| | 213 | |
|
| 43 | 214 | | var resolvedPrincipal = _utils.ResolveIDAndType(principalSid, objectDomain); |
| | 215 | |
|
| 43 | 216 | | var aceRights = ace.ActiveDirectoryRights(); |
| | 217 | | //Lowercase this just in case. As far as I know it should always come back that way anyways, but better |
| 43 | 218 | | var aceType = ace.ObjectType().ToString().ToLower(); |
| 43 | 219 | | var inherited = ace.IsInherited(); |
| | 220 | |
|
| 43 | 221 | | GuidMap.TryGetValue(aceType, out var mappedGuid); |
| | 222 | |
|
| 43 | 223 | | _log.LogTrace("Processing ACE with rights {Rights} and guid {GUID} on object {Name}", aceRights, |
| 43 | 224 | | aceType, objectName); |
| | 225 | |
|
| | 226 | | //GenericAll applies to every object |
| 43 | 227 | | if (aceRights.HasFlag(ActiveDirectoryRights.GenericAll)) |
| 9 | 228 | | { |
| 9 | 229 | | if (aceType is ACEGuids.AllGuid or "") |
| 8 | 230 | | yield return new ACE |
| 8 | 231 | | { |
| 8 | 232 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 8 | 233 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 8 | 234 | | IsInherited = inherited, |
| 8 | 235 | | RightName = EdgeNames.GenericAll |
| 8 | 236 | | }; |
| | 237 | | //This is a special case. If we don't continue here, every other ACE will match because GenericAll i |
| 9 | 238 | | continue; |
| | 239 | | } |
| | 240 | |
|
| | 241 | | //WriteDACL and WriteOwner are always useful no matter what the object type is as well because they enab |
| 34 | 242 | | if (aceRights.HasFlag(ActiveDirectoryRights.WriteDacl)) |
| 2 | 243 | | yield return new ACE |
| 2 | 244 | | { |
| 2 | 245 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 2 | 246 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 2 | 247 | | IsInherited = inherited, |
| 2 | 248 | | RightName = EdgeNames.WriteDacl |
| 2 | 249 | | }; |
| | 250 | |
|
| 34 | 251 | | if (aceRights.HasFlag(ActiveDirectoryRights.WriteOwner)) |
| 2 | 252 | | yield return new ACE |
| 2 | 253 | | { |
| 2 | 254 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 2 | 255 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 2 | 256 | | IsInherited = inherited, |
| 2 | 257 | | RightName = EdgeNames.WriteOwner |
| 2 | 258 | | }; |
| | 259 | |
|
| | 260 | | //Cool ACE courtesy of @rookuu. Allows a principal to add itself to a group and no one else |
| 34 | 261 | | if (aceRights.HasFlag(ActiveDirectoryRights.Self) && |
| 34 | 262 | | !aceRights.HasFlag(ActiveDirectoryRights.WriteProperty) && |
| 34 | 263 | | !aceRights.HasFlag(ActiveDirectoryRights.GenericWrite) && objectType == Label.Group && |
| 34 | 264 | | aceType == ACEGuids.WriteMember) |
| 3 | 265 | | yield return new ACE |
| 3 | 266 | | { |
| 3 | 267 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 3 | 268 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 3 | 269 | | IsInherited = inherited, |
| 3 | 270 | | RightName = EdgeNames.AddSelf |
| 3 | 271 | | }; |
| | 272 | |
|
| | 273 | | //Process object type specific ACEs. Extended rights apply to users, domains, computers, and cert templa |
| 33 | 274 | | if (aceRights.HasFlag(ActiveDirectoryRights.ExtendedRight)) |
| 13 | 275 | | { |
| 13 | 276 | | if (objectType == Label.Domain) |
| 4 | 277 | | { |
| 4 | 278 | | if (aceType == ACEGuids.DSReplicationGetChanges) |
| 1 | 279 | | yield return new ACE |
| 1 | 280 | | { |
| 1 | 281 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 1 | 282 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 1 | 283 | | IsInherited = inherited, |
| 1 | 284 | | RightName = EdgeNames.GetChanges |
| 1 | 285 | | }; |
| 3 | 286 | | else if (aceType == ACEGuids.DSReplicationGetChangesAll) |
| 1 | 287 | | yield return new ACE |
| 1 | 288 | | { |
| 1 | 289 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 1 | 290 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 1 | 291 | | IsInherited = inherited, |
| 1 | 292 | | RightName = EdgeNames.GetChangesAll |
| 1 | 293 | | }; |
| 2 | 294 | | else if (aceType == ACEGuids.DSReplicationGetChangesInFilteredSet) |
| 0 | 295 | | yield return new ACE |
| 0 | 296 | | { |
| 0 | 297 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 0 | 298 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 0 | 299 | | IsInherited = inherited, |
| 0 | 300 | | RightName = EdgeNames.GetChangesInFilteredSet |
| 0 | 301 | | }; |
| 2 | 302 | | else if (aceType is ACEGuids.AllGuid or "") |
| 1 | 303 | | yield return new ACE |
| 1 | 304 | | { |
| 1 | 305 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 1 | 306 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 1 | 307 | | IsInherited = inherited, |
| 1 | 308 | | RightName = EdgeNames.AllExtendedRights |
| 1 | 309 | | }; |
| 4 | 310 | | } |
| 9 | 311 | | else if (objectType == Label.User) |
| 3 | 312 | | { |
| 3 | 313 | | if (aceType == ACEGuids.UserForceChangePassword) |
| 1 | 314 | | yield return new ACE |
| 1 | 315 | | { |
| 1 | 316 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 1 | 317 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 1 | 318 | | IsInherited = inherited, |
| 1 | 319 | | RightName = EdgeNames.ForceChangePassword |
| 1 | 320 | | }; |
| 2 | 321 | | else if (aceType is ACEGuids.AllGuid or "") |
| 1 | 322 | | yield return new ACE |
| 1 | 323 | | { |
| 1 | 324 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 1 | 325 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 1 | 326 | | IsInherited = inherited, |
| 1 | 327 | | RightName = EdgeNames.AllExtendedRights |
| 1 | 328 | | }; |
| 3 | 329 | | } |
| 6 | 330 | | else if (objectType == Label.Computer) |
| 2 | 331 | | { |
| | 332 | | //ReadLAPSPassword is only applicable if the computer actually has LAPS. Check the world readabl |
| 2 | 333 | | if (hasLaps) |
| 1 | 334 | | { |
| 1 | 335 | | if (aceType is ACEGuids.AllGuid or "") |
| 1 | 336 | | yield return new ACE |
| 1 | 337 | | { |
| 1 | 338 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 1 | 339 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 1 | 340 | | IsInherited = inherited, |
| 1 | 341 | | RightName = EdgeNames.AllExtendedRights |
| 1 | 342 | | }; |
| 0 | 343 | | else if (mappedGuid is "ms-mcs-admpwd") |
| 0 | 344 | | yield return new ACE |
| 0 | 345 | | { |
| 0 | 346 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 0 | 347 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 0 | 348 | | IsInherited = inherited, |
| 0 | 349 | | RightName = EdgeNames.ReadLAPSPassword |
| 0 | 350 | | }; |
| 1 | 351 | | } |
| 2 | 352 | | } |
| 4 | 353 | | else if (objectType == Label.CertTemplate) |
| 0 | 354 | | { |
| 0 | 355 | | if (aceType is ACEGuids.AllGuid or "") |
| 0 | 356 | | yield return new ACE |
| 0 | 357 | | { |
| 0 | 358 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 0 | 359 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 0 | 360 | | IsInherited = inherited, |
| 0 | 361 | | RightName = EdgeNames.AllExtendedRights |
| 0 | 362 | | }; |
| 0 | 363 | | else if (aceType is ACEGuids.Enroll) |
| 0 | 364 | | yield return new ACE |
| 0 | 365 | | { |
| 0 | 366 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 0 | 367 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 0 | 368 | | IsInherited = inherited, |
| 0 | 369 | | RightName = EdgeNames.Enroll |
| 0 | 370 | | }; |
| 0 | 371 | | } |
| 13 | 372 | | } |
| | 373 | |
|
| | 374 | | //GenericWrite encapsulates WriteProperty, so process them in tandem to avoid duplicate edges |
| 33 | 375 | | if (aceRights.HasFlag(ActiveDirectoryRights.GenericWrite) || |
| 33 | 376 | | aceRights.HasFlag(ActiveDirectoryRights.WriteProperty)) |
| 8 | 377 | | { |
| 8 | 378 | | if (objectType is Label.User |
| 8 | 379 | | or Label.Group |
| 8 | 380 | | or Label.Computer |
| 8 | 381 | | or Label.GPO |
| 8 | 382 | | or Label.CertTemplate |
| 8 | 383 | | or Label.RootCA |
| 8 | 384 | | or Label.EnterpriseCA |
| 8 | 385 | | or Label.AIACA |
| 8 | 386 | | or Label.NTAuthStore |
| 8 | 387 | | or Label.IssuancePolicy) |
| 7 | 388 | | if (aceType is ACEGuids.AllGuid or "") |
| 2 | 389 | | yield return new ACE |
| 2 | 390 | | { |
| 2 | 391 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 2 | 392 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 2 | 393 | | IsInherited = inherited, |
| 2 | 394 | | RightName = EdgeNames.GenericWrite |
| 2 | 395 | | }; |
| | 396 | |
|
| 8 | 397 | | if (objectType == Label.User && aceType == ACEGuids.WriteSPN) |
| 0 | 398 | | yield return new ACE |
| 0 | 399 | | { |
| 0 | 400 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 0 | 401 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 0 | 402 | | IsInherited = inherited, |
| 0 | 403 | | RightName = EdgeNames.WriteSPN |
| 0 | 404 | | }; |
| 8 | 405 | | else if (objectType == Label.Computer && aceType == ACEGuids.WriteAllowedToAct) |
| 1 | 406 | | yield return new ACE |
| 1 | 407 | | { |
| 1 | 408 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 1 | 409 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 1 | 410 | | IsInherited = inherited, |
| 1 | 411 | | RightName = EdgeNames.AddAllowedToAct |
| 1 | 412 | | }; |
| 7 | 413 | | else if (objectType == Label.Computer && aceType == ACEGuids.UserAccountRestrictions) |
| 0 | 414 | | yield return new ACE |
| 0 | 415 | | { |
| 0 | 416 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 0 | 417 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 0 | 418 | | IsInherited = inherited, |
| 0 | 419 | | RightName = EdgeNames.WriteAccountRestrictions |
| 0 | 420 | | }; |
| 7 | 421 | | else if (objectType == Label.Group && aceType == ACEGuids.WriteMember) |
| 4 | 422 | | yield return new ACE |
| 4 | 423 | | { |
| 4 | 424 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 4 | 425 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 4 | 426 | | IsInherited = inherited, |
| 4 | 427 | | RightName = EdgeNames.AddMember |
| 4 | 428 | | }; |
| 3 | 429 | | else if (objectType is Label.User or Label.Computer && aceType == ACEGuids.AddKeyPrincipal) |
| 0 | 430 | | yield return new ACE |
| 0 | 431 | | { |
| 0 | 432 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 0 | 433 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 0 | 434 | | IsInherited = inherited, |
| 0 | 435 | | RightName = EdgeNames.AddKeyCredentialLink |
| 0 | 436 | | }; |
| 3 | 437 | | else if (objectType is Label.CertTemplate) |
| 0 | 438 | | { |
| 0 | 439 | | if (aceType == ACEGuids.PKIEnrollmentFlag) |
| 0 | 440 | | yield return new ACE |
| 0 | 441 | | { |
| 0 | 442 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 0 | 443 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 0 | 444 | | IsInherited = inherited, |
| 0 | 445 | | RightName = EdgeNames.WritePKIEnrollmentFlag |
| 0 | 446 | | }; |
| 0 | 447 | | else if (aceType == ACEGuids.PKINameFlag) |
| 0 | 448 | | yield return new ACE |
| 0 | 449 | | { |
| 0 | 450 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 0 | 451 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 0 | 452 | | IsInherited = inherited, |
| 0 | 453 | | RightName = EdgeNames.WritePKINameFlag |
| 0 | 454 | | }; |
| 0 | 455 | | } |
| 7 | 456 | | } |
| | 457 | |
|
| | 458 | | // EnterpriseCA rights |
| 32 | 459 | | if (objectType == Label.EnterpriseCA) |
| 0 | 460 | | { |
| 0 | 461 | | if (aceType is ACEGuids.Enroll) |
| 0 | 462 | | yield return new ACE |
| 0 | 463 | | { |
| 0 | 464 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 0 | 465 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 0 | 466 | | IsInherited = inherited, |
| 0 | 467 | | RightName = EdgeNames.Enroll |
| 0 | 468 | | }; |
| | 469 | |
|
| 0 | 470 | | var cARights = (CertificationAuthorityRights)aceRights; |
| | 471 | |
|
| | 472 | | // TODO: These if statements are also present in ProcessRegistryEnrollmentPermissions. Move to share |
| 0 | 473 | | if ((cARights & CertificationAuthorityRights.ManageCA) != 0) |
| 0 | 474 | | yield return new ACE |
| 0 | 475 | | { |
| 0 | 476 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 0 | 477 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 0 | 478 | | IsInherited = inherited, |
| 0 | 479 | | RightName = EdgeNames.ManageCA |
| 0 | 480 | | }; |
| 0 | 481 | | if ((cARights & CertificationAuthorityRights.ManageCertificates) != 0) |
| 0 | 482 | | yield return new ACE |
| 0 | 483 | | { |
| 0 | 484 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 0 | 485 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 0 | 486 | | IsInherited = inherited, |
| 0 | 487 | | RightName = EdgeNames.ManageCertificates |
| 0 | 488 | | }; |
| | 489 | |
|
| 0 | 490 | | if ((cARights & CertificationAuthorityRights.Enroll) != 0) |
| 0 | 491 | | yield return new ACE |
| 0 | 492 | | { |
| 0 | 493 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 0 | 494 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 0 | 495 | | IsInherited = inherited, |
| 0 | 496 | | RightName = EdgeNames.Enroll |
| 0 | 497 | | }; |
| 0 | 498 | | } |
| 32 | 499 | | } |
| 25 | 500 | | } |
| | 501 | |
|
| | 502 | | /// <summary> |
| | 503 | | /// Helper function to use commonlib types and pass to ProcessGMSAReaders |
| | 504 | | /// </summary> |
| | 505 | | /// <param name="resolvedSearchResult"></param> |
| | 506 | | /// <param name="searchResultEntry"></param> |
| | 507 | | /// <returns></returns> |
| | 508 | | public IEnumerable<ACE> ProcessGMSAReaders(ResolvedSearchResult resolvedSearchResult, |
| | 509 | | ISearchResultEntry searchResultEntry) |
| 0 | 510 | | { |
| 0 | 511 | | var descriptor = searchResultEntry.GetByteProperty(LDAPProperties.GroupMSAMembership); |
| 0 | 512 | | var domain = resolvedSearchResult.Domain; |
| 0 | 513 | | var name = resolvedSearchResult.DisplayName; |
| | 514 | |
|
| 0 | 515 | | return ProcessGMSAReaders(descriptor, name, domain); |
| 0 | 516 | | } |
| | 517 | |
|
| | 518 | | /// <summary> |
| | 519 | | /// ProcessGMSAMembership with no account name |
| | 520 | | /// </summary> |
| | 521 | | /// <param name="groupMSAMembership"></param> |
| | 522 | | /// <param name="objectDomain"></param> |
| | 523 | | /// <returns></returns> |
| | 524 | | public IEnumerable<ACE> ProcessGMSAReaders(byte[] groupMSAMembership, string objectDomain) |
| 5 | 525 | | { |
| 5 | 526 | | return ProcessGMSAReaders(groupMSAMembership, "", objectDomain); |
| 5 | 527 | | } |
| | 528 | |
|
| | 529 | | /// <summary> |
| | 530 | | /// Processes the msds-groupmsamembership property and returns ACEs representing principals that can read th |
| | 531 | | /// password from an object |
| | 532 | | /// </summary> |
| | 533 | | /// <param name="groupMSAMembership"></param> |
| | 534 | | /// <param name="objectName"></param> |
| | 535 | | /// <param name="objectDomain"></param> |
| | 536 | | /// <returns></returns> |
| | 537 | | public IEnumerable<ACE> ProcessGMSAReaders(byte[] groupMSAMembership, string objectName, string objectDomain) |
| 5 | 538 | | { |
| 5 | 539 | | if (groupMSAMembership == null) |
| 1 | 540 | | { |
| 1 | 541 | | _log.LogDebug("GMSA bytes are null for {Name}", objectName); |
| 1 | 542 | | yield break; |
| | 543 | | } |
| | 544 | |
|
| 4 | 545 | | var descriptor = _utils.MakeSecurityDescriptor(); |
| | 546 | | try |
| 4 | 547 | | { |
| 4 | 548 | | descriptor.SetSecurityDescriptorBinaryForm(groupMSAMembership); |
| 4 | 549 | | } |
| 0 | 550 | | catch (OverflowException) |
| 0 | 551 | | { |
| 0 | 552 | | _log.LogWarning("GMSA ACL length on object {Name} exceeds allowable length. Unable to process", |
| 0 | 553 | | objectName); |
| 0 | 554 | | } |
| | 555 | |
|
| | 556 | |
|
| 20 | 557 | | foreach (var ace in descriptor.GetAccessRules(true, true, typeof(SecurityIdentifier))) |
| 4 | 558 | | { |
| 4 | 559 | | if (ace == null) |
| 1 | 560 | | { |
| 1 | 561 | | _log.LogTrace("Skipping null GMSA ACE for {Name}", objectName); |
| 1 | 562 | | continue; |
| | 563 | | } |
| | 564 | |
|
| 3 | 565 | | if (ace.AccessControlType() == AccessControlType.Deny) |
| 1 | 566 | | { |
| 1 | 567 | | _log.LogTrace("Skipping deny GMSA ACE for {Name}", objectName); |
| 1 | 568 | | continue; |
| | 569 | | } |
| | 570 | |
|
| 2 | 571 | | var ir = ace.IdentityReference(); |
| 2 | 572 | | var principalSid = Helpers.PreProcessSID(ir); |
| | 573 | |
|
| 2 | 574 | | if (principalSid == null) |
| 1 | 575 | | { |
| 1 | 576 | | _log.LogTrace("Pre-Process excluded SID {SID} on {Name}", ir ?? "null", objectName); |
| 1 | 577 | | continue; |
| | 578 | | } |
| | 579 | |
|
| 1 | 580 | | _log.LogTrace("Processing GMSA ACE with principal {Principal}", principalSid); |
| | 581 | |
|
| 1 | 582 | | var resolvedPrincipal = _utils.ResolveIDAndType(principalSid, objectDomain); |
| | 583 | |
|
| 1 | 584 | | if (resolvedPrincipal != null) |
| 1 | 585 | | yield return new ACE |
| 1 | 586 | | { |
| 1 | 587 | | RightName = EdgeNames.ReadGMSAPassword, |
| 1 | 588 | | PrincipalType = resolvedPrincipal.ObjectType, |
| 1 | 589 | | PrincipalSID = resolvedPrincipal.ObjectIdentifier, |
| 1 | 590 | | IsInherited = ace.IsInherited() |
| 1 | 591 | | }; |
| 1 | 592 | | } |
| 4 | 593 | | } |
| | 594 | | } |
| | 595 | | } |