https://git.reactos.org/?p=reactos.git;a=commitdiff;h=83f3bd8bd646c73ed99d3…
commit 83f3bd8bd646c73ed99d3b6595b2d54e7c5ae543
Author: Eric Kohl <eric.kohl(a)reactos.org>
AuthorDate: Sun Jan 24 15:28:23 2021 +0100
Commit: Eric Kohl <eric.kohl(a)reactos.org>
CommitDate: Sun Jan 24 15:28:23 2021 +0100
[SYSSETUP][INF] Add password setup to the security profile
---
dll/win32/syssetup/security.c | 208 ++++++++++++++++++++++++++++++++++++++++++
media/inf/defltsv.inf | 9 ++
media/inf/defltwk.inf | 11 ++-
3 files changed, 227 insertions(+), 1 deletion(-)
diff --git a/dll/win32/syssetup/security.c b/dll/win32/syssetup/security.c
index ff2c329dc2e..d92c201831d 100644
--- a/dll/win32/syssetup/security.c
+++ b/dll/win32/syssetup/security.c
@@ -18,6 +18,8 @@
#define NDEBUG
#include <debug.h>
+#define TICKS_PER_DAY -864000000000LL
+
/* FUNCTIONS ****************************************************************/
NTSTATUS
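Review bot: `TICKS_PER_DAY` is negative and unparenthesized, and neither the name nor a comment explains the sign. The `MinimumPasswordAge` versus `MaxPasswordAge` comparison added later in this commit is only readable once you know both ages are negative quantities. I would write `#define TICKS_PER_DAY (-864000000000LL)` with a comment such as `/* one day in 100ns units; negative because SAM password ages are relative times */`. Alternatively, keep the constant positive and negate it at the use sites.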
@@ -756,6 +758,210 @@ ApplyEventlogSettings(
}
+static
+VOID
+ApplyPasswordSettings(
+ _In_ HINF hSecurityInf,
+ _In_ PWSTR pszSectionName)
+{
+ INFCONTEXT InfContext;
+ DOMAIN_PASSWORD_INFORMATION PasswordInfo;
+ PPOLICY_ACCOUNT_DOMAIN_INFO OrigInfo = NULL;
+ LSA_OBJECT_ATTRIBUTES ObjectAttributes;
+ LSA_HANDLE PolicyHandle = NULL;
+ SAM_HANDLE ServerHandle = NULL;
+ SAM_HANDLE DomainHandle = NULL;
+ INT nValue;
+ NTSTATUS Status;
+
+ DPRINT("ApplyPasswordSettings()\n");
+
+ memset(&ObjectAttributes, 0, sizeof(LSA_OBJECT_ATTRIBUTES));
+ ObjectAttributes.Length = sizeof(LSA_OBJECT_ATTRIBUTES);
+
+ Status = LsaOpenPolicy(NULL,
+ &ObjectAttributes,
+ POLICY_VIEW_LOCAL_INFORMATION | POLICY_TRUST_ADMIN,
+ &PolicyHandle);
+ if (Status != STATUS_SUCCESS)
+ {
+ DPRINT1("LsaOpenPolicy() failed (Status: 0x%08lx)\n", Status);
+ return;
+ }
+
+ Status = LsaQueryInformationPolicy(PolicyHandle,
+ PolicyAccountDomainInformation,
+ (PVOID *)&OrigInfo);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("LsaQueryInformationPolicy() failed (Status: 0x%08lx)\n",
Status);
+ goto done;
+ }
+
+ Status = SamConnect(NULL,
+ &ServerHandle,
+ SAM_SERVER_CONNECT | SAM_SERVER_LOOKUP_DOMAIN,
+ NULL);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("SamConnect() failed (Status: 0x%08lx)\n", Status);
+ goto done;
+ }
+
+ Status = SamOpenDomain(ServerHandle,
+ DOMAIN_READ_PASSWORD_PARAMETERS |
DOMAIN_WRITE_PASSWORD_PARAMS,
+ OrigInfo->DomainSid,
+ &DomainHandle);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("SamOpenDomain() failed (Status: 0x%08lx)\n", Status);
+ goto done;
+ }
+
+ Status = SamQueryInformationDomain(DomainHandle,
+ DomainPasswordInformation,
+ (PVOID*)&PasswordInfo);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("SamQueryInformationDomain() failed (Status %08lx)\n",
Status);
+ goto done;
+ }
+
+ DPRINT("MaximumPasswordAge (OldValue) : 0x%I64x\n",
PasswordInfo.MaxPasswordAge.QuadPart);
+ if (SetupFindFirstLineW(hSecurityInf,
+ pszSectionName,
+ L"MaximumPasswordAge",
+ &InfContext))
+ {
+ if (SetupGetIntField(&InfContext, 1, &nValue))
+ {
+ DPRINT("Value: %ld\n", nValue);
+ if (nValue == -1)
+ {
+ PasswordInfo.MaxPasswordAge.QuadPart = 0x8000000000000000;
+ }
+ else if ((nValue >= 1) && (nValue < 1000))
+ {
+ PasswordInfo.MaxPasswordAge.QuadPart = (LONGLONG)nValue * TICKS_PER_DAY;
+ }
+ DPRINT("MaximumPasswordAge (NewValue) : 0x%I64x\n",
PasswordInfo.MaxPasswordAge.QuadPart);
+ }
+ }
+
+ DPRINT("MinimumPasswordAge (OldValue) : 0x%I64x\n",
PasswordInfo.MinPasswordAge.QuadPart);
+ if (SetupFindFirstLineW(hSecurityInf,
+ pszSectionName,
+ L"MinimumPasswordAge",
+ &InfContext))
+ {
+ if (SetupGetIntField(&InfContext, 1, &nValue))
+ {
+ DPRINT("Wert: %ld\n", nValue);
+ if ((nValue >= 0) && (nValue < 1000))
+ {
+ if (PasswordInfo.MaxPasswordAge.QuadPart < (LONGLONG)nValue *
TICKS_PER_DAY)
+ PasswordInfo.MinPasswordAge.QuadPart = (LONGLONG)nValue *
TICKS_PER_DAY;
+ }
+ DPRINT("MinimumPasswordAge (NewValue) : 0x%I64x\n",
PasswordInfo.MinPasswordAge.QuadPart);
+ }
+ }
+
+ DPRINT("MinimumPasswordLength (OldValue) : %lu\n",
PasswordInfo.MinPasswordLength);
+ if (SetupFindFirstLineW(hSecurityInf,
+ pszSectionName,
+ L"MinimumPasswordLength",
+ &InfContext))
+ {
+ if (SetupGetIntField(&InfContext, 1, &nValue))
+ {
+ DPRINT("Value: %ld\n", nValue);
+ if ((nValue >= 0) && (nValue <= 65535))
+ {
+ PasswordInfo.MinPasswordLength = nValue;
+ }
+ DPRINT("MinimumPasswordLength (NewValue) : %lu\n",
PasswordInfo.MinPasswordLength);
+ }
+ }
+
+ DPRINT("PasswordHistoryLength (OldValue) : %lu\n",
PasswordInfo.PasswordHistoryLength);
+ if (SetupFindFirstLineW(hSecurityInf,
+ pszSectionName,
+ L"PasswordHistorySize",
+ &InfContext))
+ {
+ if (SetupGetIntField(&InfContext, 1, &nValue))
+ {
+ DPRINT("Value: %ld\n", nValue);
+ if ((nValue >= 0) && (nValue <= 65535))
+ {
+ PasswordInfo.PasswordHistoryLength = nValue;
+ }
+ DPRINT("PasswordHistoryLength (NewValue) : %lu\n",
PasswordInfo.PasswordHistoryLength);
+ }
+ }
+
+ if (SetupFindFirstLineW(hSecurityInf,
+ pszSectionName,
+ L"PasswordComplexity",
+ &InfContext))
+ {
+ if (SetupGetIntField(&InfContext, 1, &nValue))
+ {
+ if (nValue == 0)
+ {
+ PasswordInfo.PasswordProperties &= ~DOMAIN_PASSWORD_COMPLEX;
+ }
+ else
+ {
+ PasswordInfo.PasswordProperties |= DOMAIN_PASSWORD_COMPLEX;
+ }
+ }
+ }
+
+ if (SetupFindFirstLineW(hSecurityInf,
+ pszSectionName,
+ L"ClearTextPassword",
+ &InfContext))
+ {
+ if (SetupGetIntField(&InfContext, 1, &nValue))
+ {
+ if (nValue == 0)
+ {
+ PasswordInfo.PasswordProperties &= ~DOMAIN_PASSWORD_STORE_CLEARTEXT;
+ }
+ else
+ {
+ PasswordInfo.PasswordProperties |= DOMAIN_PASSWORD_STORE_CLEARTEXT;
+ }
+ }
+ }
+
+ /* Windows ignores the RequireLogonToChangePassword option */
+
+ Status = SamSetInformationDomain(DomainHandle,
+ DomainPasswordInformation,
+ (PVOID*)&PasswordInfo);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("SamSetInformationDomain() failed (Status %08lx)\n", Status);
+ goto done;
+ }
+
+done:
+ if (DomainHandle != NULL)
+ SamCloseHandle(DomainHandle);
+
+ if (ServerHandle != NULL)
+ SamCloseHandle(ServerHandle);
+
+ if (OrigInfo != NULL)
+ LsaFreeMemory(OrigInfo);
+
+ if (PolicyHandle != NULL)
+ LsaClose(PolicyHandle);
+}
+
+
static
VOID
ApplyAuditEvents(
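Review bot: `SamQueryInformationDomain` is called with `(PVOID*)&PasswordInfo`, but `PasswordInfo` is a `DOMAIN_PASSWORD_INFORMATION` on the stack, while the cast (and, as far as I know, the samlib prototype `OUT PVOID *Buffer`) says the third argument receives a pointer to a SAM-allocated buffer. The call therefore stores a buffer address in the first bytes of the struct and leaves the remaining fields uninitialized. Every later update (`MaxPasswordAge`, `MinPasswordLength`, `PasswordProperties |= DOMAIN_PASSWORD_STORE_CLEARTEXT`, …) then operates on stack garbage, which `SamSetInformationDomain` writes back as the machine's password policy. The returned buffer is also never freed. Declare the variable as `PDOMAIN_PASSWORD_INFORMATION`, access fields with `->`, pass the pointer itself to the set call, and release it at `done:`, as sketched below. Separately, `POLICY_TRUST_ADMIN` is requested in `LsaOpenPolicy` although the only LSA operation here is a query, so `POLICY_VIEW_LOCAL_INFORMATION` alone looks sufficient.

```c
    PDOMAIN_PASSWORD_INFORMATION PasswordInfo = NULL;
    /* … unchanged: other locals, LsaOpenPolicy, LsaQueryInformationPolicy, SamConnect, SamOpenDomain … */

    Status = SamQueryInformationDomain(DomainHandle,
                                       DomainPasswordInformation,
                                       (PVOID *)&PasswordInfo);
    /* … unchanged: status check; the INF lookups use PasswordInfo-> instead of PasswordInfo. … */

    Status = SamSetInformationDomain(DomainHandle,
                                     DomainPasswordInformation,
                                     PasswordInfo);
    /* … unchanged: status check … */

done:
    if (PasswordInfo != NULL)
        SamFreeMemory(PasswordInfo);
    /* … unchanged: SAM handle, OrigInfo and policy handle cleanup … */
```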
@@ -922,6 +1128,8 @@ InstallSecurity(VOID)
ApplyEventlogSettings(hSecurityInf, L"Security Log",
L"Security");
ApplyEventlogSettings(hSecurityInf, L"System Log",
L"System");
+ ApplyPasswordSettings(hSecurityInf, L"System Access");
+
ApplyAuditEvents(hSecurityInf);
SetupCloseInfFile(hSecurityInf);
diff --git a/media/inf/defltsv.inf b/media/inf/defltsv.inf
index d64c30d339a..ce3b7d78ba6 100644
--- a/media/inf/defltsv.inf
+++ b/media/inf/defltsv.inf
@@ -4,6 +4,15 @@
[Version]
Signature = "$Windows NT$"
+[System Access]
+MinimumPasswordAge = 0
+MaximumPasswordAge = 42
+MinimumPasswordLength = 0
+PasswordComplexity = 0
+PasswordHistorySize = 0
+RequireLogonToChangePassword = 0
+ClearTextPassword = 0
+
[Application Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 0
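Review bot: `RequireLogonToChangePassword = 0` is added to `[System Access]`, but `ApplyPasswordSettings` in this commit never looks that key up. The code only carries a comment that Windows ignores the option, so the line has no effect and the template does not say so. A comment above it, e.g. `; not read by syssetup (Windows ignores this option as well)`, would make that explicit. The same applies to the identical section added to defltwk.inf. It would also help to note in the template that `MinimumPasswordLength = 0` together with `PasswordComplexity = 0` permits empty passwords, if that is the intended default for the server profile.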
diff --git a/media/inf/defltwk.inf b/media/inf/defltwk.inf
index 540edd39416..020b59c4d26 100644
--- a/media/inf/defltwk.inf
+++ b/media/inf/defltwk.inf
@@ -4,6 +4,15 @@
[Version]
Signature = "$Windows NT$"
+[System Access]
+MinimumPasswordAge = 0
+MaximumPasswordAge = 42
+MinimumPasswordLength = 0
+PasswordComplexity = 0
+PasswordHistorySize = 0
+RequireLogonToChangePassword = 0
+ClearTextPassword = 0
+
[Application Log]
MaximumLogSize = 512
AuditLogRetentionPeriod = 1
@@ -38,8 +47,8 @@ SeAuditPrivilege = *S-1-5-19, *S-1-5-20
SeBackupPrivilege = *S-1-5-32-544, *S-1-5-32-551
SeBatchLogonRight =
SeChangeNotifyPrivilege = *S-1-1-0, *S-1-5-32-544, *S-1-5-32-545, *S-1-5-32-551
-SeCreatePagefilePrivilege = *S-1-5-32-544
SeCreateGlobalPrivilege = *S-1-5-4, *S-1-5-6, *S-1-5-32-544
+SeCreatePagefilePrivilege = *S-1-5-32-544
SeCreatePermanentPrivilege =
SeCreateTokenPrivilege =
SeDebugPrivilege = *S-1-5-32-544