24 Jan
2021
24 Jan
'21
8:35 p.m.
https://git.reactos.org/?p=reactos.git;a=commitdiff;h=c0caa5c0aeed5f20b4af1…
commit c0caa5c0aeed5f20b4af12f1fdcd46f1db6db0d2
Author: Eric Kohl <eric.kohl(a)reactos.org>
AuthorDate: Sun Jan 24 21:35:33 2021 +0100
Commit: Eric Kohl <eric.kohl(a)reactos.org>
CommitDate: Sun Jan 24 21:35:33 2021 +0100
[SYSSETUP][INF] Add lockout setup to the security profile
---
dll/win32/syssetup/security.c | 141 ++++++++++++++++++++++++++++++++++++++++++
media/inf/defltsv.inf | 6 ++
media/inf/defltwk.inf | 6 ++
3 files changed, 153 insertions(+)
diff --git a/dll/win32/syssetup/security.c b/dll/win32/syssetup/security.c
index d92c201831d..4a2f0b41e29 100644
--- a/dll/win32/syssetup/security.c
+++ b/dll/win32/syssetup/security.c
@@ -19,6 +19,7 @@
#include <debug.h>
#define TICKS_PER_DAY -864000000000LL
+#define TICKS_PER_SECOND -600000000LL
/* FUNCTIONS ****************************************************************/
@@ -962,6 +963,145 @@ done:
}
+static
+VOID
+ApplyLockoutSettings(
+ _In_ HINF hSecurityInf,
+ _In_ PWSTR pszSectionName)
+{
+ INFCONTEXT InfContext;
+ DOMAIN_LOCKOUT_INFORMATION LockoutInfo;
+ PPOLICY_ACCOUNT_DOMAIN_INFO OrigInfo = NULL;
+ LSA_OBJECT_ATTRIBUTES ObjectAttributes;
+ LSA_HANDLE PolicyHandle = NULL;
+ SAM_HANDLE ServerHandle = NULL;
+ SAM_HANDLE DomainHandle = NULL;
+ INT nValue;
+ NTSTATUS Status;
+
+ DPRINT("ApplyLockoutSettings()\n");
+
+ memset(&ObjectAttributes, 0, sizeof(LSA_OBJECT_ATTRIBUTES));
+ ObjectAttributes.Length = sizeof(LSA_OBJECT_ATTRIBUTES);
+
+ Status = LsaOpenPolicy(NULL,
+ &ObjectAttributes,
+ POLICY_VIEW_LOCAL_INFORMATION | POLICY_TRUST_ADMIN,
+ &PolicyHandle);
+ if (Status != STATUS_SUCCESS)
+ {
+ DPRINT1("LsaOpenPolicy() failed (Status: 0x%08lx)\n", Status);
+ return;
+ }
+
+ Status = LsaQueryInformationPolicy(PolicyHandle,
+ PolicyAccountDomainInformation,
+ (PVOID *)&OrigInfo);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("LsaQueryInformationPolicy() failed (Status: 0x%08lx)\n",
Status);
+ goto done;
+ }
+
+ Status = SamConnect(NULL,
+ &ServerHandle,
+ SAM_SERVER_CONNECT | SAM_SERVER_LOOKUP_DOMAIN,
+ NULL);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("SamConnect() failed (Status: 0x%08lx)\n", Status);
+ goto done;
+ }
+
+ Status = SamOpenDomain(ServerHandle,
+ DOMAIN_READ_PASSWORD_PARAMETERS |
DOMAIN_WRITE_PASSWORD_PARAMS,
+ OrigInfo->DomainSid,
+ &DomainHandle);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("SamOpenDomain() failed (Status: 0x%08lx)\n", Status);
+ goto done;
+ }
+
+ Status = SamQueryInformationDomain(DomainHandle,
+ DomainLockoutInformation,
+ (PVOID*)&LockoutInfo);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("SamQueryInformationDomain() failed (Status %08lx)\n",
Status);
+ goto done;
+ }
+
+ if (SetupFindFirstLineW(hSecurityInf,
+ pszSectionName,
+ L"LockoutBadCount",
+ &InfContext))
+ {
+ if (SetupGetIntField(&InfContext, 1, &nValue))
+ {
+ if (nValue >= 0)
+ {
+ LockoutInfo.LockoutThreshold = nValue;
+ }
+ }
+ }
+
+ if (SetupFindFirstLineW(hSecurityInf,
+ pszSectionName,
+ L"ResetLockoutCount",
+ &InfContext))
+ {
+ if (SetupGetIntField(&InfContext, 1, &nValue))
+ {
+ if (nValue >= 0)
+ {
+ LockoutInfo.LockoutObservationWindow.QuadPart = (LONGLONG)nValue *
TICKS_PER_SECOND;
+ }
+ }
+ }
+
+ if (SetupFindFirstLineW(hSecurityInf,
+ pszSectionName,
+ L"LockoutDuration",
+ &InfContext))
+ {
+ if (SetupGetIntField(&InfContext, 1, &nValue))
+ {
+ if (nValue == -1)
+ {
+ LockoutInfo.LockoutDuration.QuadPart = 0x8000000000000000LL;
+ }
+ else if ((nValue >= 0) && (nValue < 100000))
+ {
+ LockoutInfo.LockoutDuration.QuadPart = (LONGLONG)nValue *
TICKS_PER_SECOND;
+ }
+ }
+ }
+
+ Status = SamSetInformationDomain(DomainHandle,
+ DomainLockoutInformation,
+ (PVOID*)&LockoutInfo);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("SamSetInformationDomain() failed (Status %08lx)\n", Status);
+ goto done;
+ }
+
+done:
+ if (DomainHandle != NULL)
+ SamCloseHandle(DomainHandle);
+
+ if (ServerHandle != NULL)
+ SamCloseHandle(ServerHandle);
+
+ if (OrigInfo != NULL)
+ LsaFreeMemory(OrigInfo);
+
+ if (PolicyHandle != NULL)
+ LsaClose(PolicyHandle);
+}
+
+
static
VOID
ApplyAuditEvents(
@@ -1129,6 +1269,7 @@ InstallSecurity(VOID)
ApplyEventlogSettings(hSecurityInf, L"System Log",
L"System");
ApplyPasswordSettings(hSecurityInf, L"System Access");
+ ApplyLockoutSettings(hSecurityInf, L"System Access");
ApplyAuditEvents(hSecurityInf);
diff --git a/media/inf/defltsv.inf b/media/inf/defltsv.inf
index ce3b7d78ba6..8aba23b7a60 100644
--- a/media/inf/defltsv.inf
+++ b/media/inf/defltsv.inf
@@ -5,6 +5,7 @@
Signature = "$Windows NT$"
[System Access]
+; Password Options
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
@@ -13,6 +14,11 @@ PasswordHistorySize = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
+; Lockout Options
+LockoutBadCount = 0
+;ResetLockoutCount = 30
+;LockoutDuration = 30
+
[Application Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 0
diff --git a/media/inf/defltwk.inf b/media/inf/defltwk.inf
index 020b59c4d26..2996a6d94ed 100644
--- a/media/inf/defltwk.inf
+++ b/media/inf/defltwk.inf
@@ -5,6 +5,7 @@
Signature = "$Windows NT$"
[System Access]
+; Password Options
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
@@ -13,6 +14,11 @@ PasswordHistorySize = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
+; Lockout Options
+LockoutBadCount = 0
+;ResetLockoutCount = 30
+;LockoutDuration = 30
+
[Application Log]
MaximumLogSize = 512
AuditLogRetentionPeriod = 1