Revisit the algorithm used in 'ConvertFrom-SddlString' #8365

Closed
daxian-dbw opened this issue Nov 30, 2018 · 2 comments
Labels
Issue-Enhancement the issue is more of a feature request than a bug Resolution-No Activity Issue has had no activity for 6 months or more WG-Cmdlets-Utility cmdlets in the Microsoft.PowerShell.Utility module

Comments

daxian-dbw commented Nov 30, 2018

The function ConvertFrom-SddlString was converted to C# in PR #8341 to improve the startup speed.
The C# code is just a translation of what the script was doing, but there are concerns about the fundamental algorithm used in the original script function (see #8341 (comment)). We need to revisit this cmdlet to make sure it does the right thing.

The review comments in #3936 will be valuable when we revisit this cmdlet.

@iSazonov iSazonov added Issue-Enhancement the issue is more of a feature request than a bug WG-Cmdlets-Utility cmdlets in the Microsoft.PowerShell.Utility module labels Nov 30, 2018
KalleOlaviNiemitalo commented Jan 9, 2020

There were comments that ConvertFrom-SddlString should use only one access mask enumeration type per invocation, rather than try all of them like it now does if -Type is not specified.

Generic access right bits

SDDL defines GA, GR, GW, and GX for generic access rights. ConvertFrom-SddlString does not currently support these, but it should.

The lack of support is because the FileSystemRights, RegistryRights, ActiveDirectoryRights, MutexRights, SemaphoreRights, and EventWaitHandleRights types used by ConvertFrom-SddlString do not define names for the generic access right bits. For example, FileSystemRights.FullControl equals FILE_ALL_ACCESS = 0x001F01FF, rather than GENERIC_ALL = 0x10000000. Worse, the "GenericRead" name is already taken by ActiveDirectoryRights.GenericRead, which equals DS_GENERIC_READ = 0x00020094, rather than GENERIC_READ = 0x80000000.

The generic access rights actually occur in the DACLs of Registry keys. For example, the security descriptor of HKLM:Software is O:BAG:SYD:PAI(A;CIIO;GA;;;CO)(A;CIIO;GA;;;SY)(A;;KA;;;SY)(A;CIIO;GA;;;BA)(A;;KA;;;BA)(A;CIIO;GR;;;BU)(A;;KR;;;BU)(A;;KR;;;AC)(A;CIIO;GR;;;AC)(A;;KR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)(A;CIIO;GR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681), which includes generic access rights GA and GR.

For files though, it seems that the Win32 SetSecurityInfo function maps the generic access rights to type-specific access rights when it merges the inherited ACEs.

Guessing the type of the object from the SDDL string

There was a comment that ConvertFrom-SddlString could recognize type-specific access right strings such as "FA" in ACE strings, and map them to descriptions of the access rights. Unfortunately, this would not be reliable for SDDL strings that have been converted from security descriptors. Likewise, it would not be reliable to guess the type of the object from these and then use that type to describe the access masks that are in hexadecimal form in the SDDL string.

Because ConvertSidToStringSidW does not take a SE_OBJECT_TYPE parameter, it can use type-specific access right strings even for objects of other types, if the access masks happen to match. For example, if you use ICACLS.exe acltest /grant:r "NT SERVICE\TrustedInstaller:(WD,AD,X,RD,REA,WEA,DE,RC,WDAC,WO)" and view the SDDL form with either ICACLS.exe acltest /save acltest.acl or (Get-Acl acltest).Sddl, then the DACL will include (A;;KA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464), even though "KA" is intended for Registry keys rather than files. So, both FA and KA can occur in the same SDDL string, and if ConvertFrom-SddlString translates both to FullControl, it will be ambiguous.

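As an added example (not code from the PowerShell repository or from either commenter), the following PowerShell parses the first seven ACEs of the HKLM:\Software descriptor quoted above with .NET's RawSecurityDescriptor, names the generic bits GA/GR/GW/GX from a separate table, and hands only the remaining bits to one caller-chosen rights enumeration, which is the one-type-per-invocation approach the comment argues for. It assumes Windows, where RawSecurityDescriptor can parse SDDL; the function name ConvertTo-AceDescription and the $GenericRights table are hypothetical.

```powershell
using namespace System.Security.AccessControl

# Generic access right bits from winnt.h. Decimal literals are used because
# PowerShell parses 0x80000000 as a negative Int32. No type-specific rights
# enumeration names these bits, so they are resolved before the enum is asked.
$GenericRights = [ordered]@{
    GenericAll     = 268435456    # GENERIC_ALL     0x10000000
    GenericExecute = 536870912    # GENERIC_EXECUTE 0x20000000
    GenericWrite   = 1073741824   # GENERIC_WRITE   0x40000000
    GenericRead    = 2147483648   # GENERIC_READ    0x80000000
}

# Hypothetical helper (not the cmdlet's own code): describe every DACL ACE
# using exactly one rights enumeration chosen by the caller.
function ConvertTo-AceDescription {
    param(
        [Parameter(Mandatory)] [string] $Sddl,
        [Parameter(Mandatory)] [type]   $RightsType   # e.g. [RegistryRights]
    )
    $sd = [RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [KnownAce]) { continue }      # unknown ACE types carry no mask
        # AccessMask is a signed Int32; reinterpret the bits as an unsigned mask.
        $raw   = [System.BitConverter]::ToUInt32([System.BitConverter]::GetBytes([int]$ace.AccessMask), 0)
        $mask  = [int64]$raw
        $names = [System.Collections.Generic.List[string]]::new()
        foreach ($entry in $GenericRights.GetEnumerator()) {
            if ($mask -band $entry.Value) {
                $names.Add($entry.Key)
                $mask = $mask -bxor $entry.Value      # clear the bit just named
            }
        }
        if ($mask -ne 0) {
            # Whatever remains is type-specific; only the chosen enum names it.
            $names.Add([Enum]::ToObject($RightsType, $mask).ToString())
        }
        [pscustomobject]@{
            AceType = $ace.AceType
            Flags   = $ace.AceFlags
            Sid     = $ace.SecurityIdentifier.Value
            Mask    = '0x{0:X8}' -f $raw
            Rights  = $names -join ', '
        }
    }
}

# Constructed input: the first seven ACEs of the HKLM:\Software descriptor quoted in the issue.
$sddl = 'O:BAG:SYD:PAI(A;CIIO;GA;;;CO)(A;CIIO;GA;;;SY)(A;;KA;;;SY)(A;CIIO;GA;;;BA)(A;;KA;;;BA)(A;CIIO;GR;;;BU)(A;;KR;;;BU)'
ConvertTo-AceDescription -Sddl $sddl -RightsType ([RegistryRights]) | Format-Table -AutoSize
```

The GA ACEs come out as GenericAll and the KA ACEs as FullControl; casting 0x10000000 straight to [RegistryRights] would print only the bare number, which is the gap the comment describes.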
This issue has been marked as "No Activity" as there has been no activity for 6 months. It has been closed for housekeeping purposes.
