
General security

ElbyFross edited this page Jan 24, 2020 · 6 revisions

Remarks

A static class that exposes an API for working with the Pipes Provider security features.

  • Located in the PipesProvider.Security namespace.

Features

  • Provides a high-level API for handling LSA policy.
  • Provides a high-level API for impersonating users on remote WINNT devices.
  • Provides a high-level API for configuring pipe security.

LogonConfig

A metadata container that stores the data required for the logon process on a remote device. It is used by the TryToLogonAtRemoteDevice handler, which returns a SafeAccessTokenHandle for the impersonated user.

Any operation on a remote device requires impersonating some user (at least Guest).

If the user name is empty or null, or no LogonConfig instance exists at all, the connection is impersonated as Anonymous (NULL SID).

See the ThreadLoop method of the TransmissionLine for an example of code that uses an impersonated token. The source is here.

SecurityLevel

An enum that defines the requirements for establishing a connection. It is used by the default ServerLoop handlers provided by PipesProvider.Server.ServerAPI as a standardized way of configuring pipes.

A level can be converted to a set of pipe rules via the GetRulesForLevels method.

Options:

  • Anonymous (2)
    • Does not require logon.
    • Requires a Guest user on the server device.
    • Requires that network access via Guest accounts is allowed.
  • RemoteLogon (4)
    • Requires authentication as one of the profiles on the server.
  • Local (8)
    • The pipe is available only on the local machine.
  • Administrator (16)
    • Access to the pipe is granted only to administrators. By default this is allowed via remote authentication.
  • Internal (32)
    • The pipe is controlled only by the server application and the system. Any external connection is blocked.
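The following is an added illustration of how the level flags listed above can be turned into a named-pipe DACL; it is not the project's GetRulesForLevels and does not come from the PipesProvider source. The enum values mirror this page, while the helper names, the chosen well-known SIDs and the assumption that the levels combine as flags are the example's own.

```csharp
using System;
using System.IO.Pipes;
using System.Security.AccessControl;
using System.Security.Principal;

// Values copied from this page; the project's own enum lives in PipesProvider.Security.
[Flags]
public enum SecurityLevel
{
    Anonymous = 2,
    RemoteLogon = 4,
    Local = 8,
    Administrator = 16,
    Internal = 32
}

public static class PipeSecurityExample
{
    static SecurityIdentifier Sid(WellKnownSidType type) => new SecurityIdentifier(type, null);

    // Illustrative mapping of level flags to a PipeSecurity (assumed helper, not GetRulesForLevels).
    public static PipeSecurity BuildPipeSecurity(SecurityLevel level)
    {
        var ps = new PipeSecurity();
        var rw = PipeAccessRights.ReadWrite;
        var full = PipeAccessRights.FullControl;

        // The server process and SYSTEM always get full control; with no further rules,
        // every other principal is implicitly denied (this is the Internal behaviour).
        ps.AddAccessRule(new PipeAccessRule(WindowsIdentity.GetCurrent().User, full, AccessControlType.Allow));
        ps.AddAccessRule(new PipeAccessRule(Sid(WellKnownSidType.LocalSystemSid), full, AccessControlType.Allow));
        if (level.HasFlag(SecurityLevel.Internal))
            return ps;

        if (level.HasFlag(SecurityLevel.Administrator))
            ps.AddAccessRule(new PipeAccessRule(Sid(WellKnownSidType.BuiltinAdministratorsSid), rw, AccessControlType.Allow));

        if (level.HasFlag(SecurityLevel.RemoteLogon))
            ps.AddAccessRule(new PipeAccessRule(Sid(WellKnownSidType.AuthenticatedUserSid), rw, AccessControlType.Allow));

        if (level.HasFlag(SecurityLevel.Anonymous))
            // Unauthenticated clients arrive as ANONYMOUS LOGON, which is not a member of Everyone.
            ps.AddAccessRule(new PipeAccessRule(Sid(WellKnownSidType.AnonymousSid), rw, AccessControlType.Allow));

        if (level.HasFlag(SecurityLevel.Local))
            // An explicit Deny outranks any Allow above, so principals that arrived over the network are rejected.
            ps.AddAccessRule(new PipeAccessRule(Sid(WellKnownSidType.NetworkSid), full, AccessControlType.Deny));

        return ps;
    }
}
```

On .NET Framework the result is passed to the NamedPipeServerStream constructor that takes a PipeSecurity; on .NET Core use NamedPipeServerStreamAcl.Create instead.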

LSA modification

EXPERIMENTAL - may not be effective enough. Manual configuration of system rules, security policy and port access rules is recommended.

By default the Local Security Authority policy on WINNT systems does not allow anonymous connections to the device. The DNF implements an API that simplifies device configuration.

To define an LSA policy, call the SetLocalSecurityAuthority method with the target as a parameter.

At the moment automatic configuration is supported only for the SecurityLevel.Anonymous mode.
