Determine SID of a specific domain or local user (limiting access to a FltMgr comm port)

Dear List,

I have a minifilter driver, which creates a port for communicating with the
user mode.
My task is to limit the port’s security descriptor to only allow one
specified local or domain user to access the communication port. I’ve
already created an empty ACL and tested it successfully: no user had access
to the port. Now I have to add one ACE entry to this ACL, with the
specified user’s SID. That’s what I’m having difficulties with. :)

For example the input would be two UNICODE_STRINGs. One would contain the
domain, and the other the username. (in case of a local user, only one
string for the username)

Thanks in advance for your answer!

Regards,
Szenti

You are probably looking for RtlAddAccessAllowedAce(Ex) ?

Satya
http://www.winprogger.com

Did you do something like I described here? http://www.osronline.com/article.cfm?article=23

If not, you might want to try doing so.

Tony
OSR

Hello Again!

Thank you all for your answers! I’ve made a little progress… but not fully
okay. Here are the details:
There are two users on the testlab machine: Administrator (the built-in) and
Test.

I’ve placed the SID of the Test user to the Registry so the driver can read
it and add it to the ACE.
(RtlValidSid returns SUCCESS)

If I create an empty ACL and set the port’s security descriptor with
RtlSetDaclSecurityDescriptor, nobody can connect to the port, not even the
local administrator. That’s fine. However, if I add one ACE to the ACL with
*RtlAddAccessAllowedAce*, then the local Administrator can connect to the port,
not just the Test user I’ve stated in the ACE. My goal is to limit the
access to the port to the Test user but forbid access to the local
administrators.

I’ve tried to add an ACCESS_DENIED_ACE to the end of the ACL but then nobody
can connect. Any ideas? :)

Regards,
Szenti

On Tue, Oct 12, 2010 at 8:59 PM, Tony Mason wrote:

> Did you do something like I described here?
> http://www.osronline.com/article.cfm?article=23
>
> If not, you might want to try doing so.
>
> Tony
> OSR
>
> —
> NTFSD is sponsored by OSR

I would guess that is because Administrator is the owner. Try setting the user as the owner.

Satya
http://www.winprogger.com
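The thread turns on three things that are easy to get wrong before the driver is ever loaded: the binary layout of the SID being read back from the registry, how much room an ACL needs for one more ACE, and how the kernel walks a DACL when a token is checked against it. The example below is an added, portable user-mode C model written for this page; it is not code from the thread or from any poster. It reproduces the documented SID/ACL/ACE layouts and the documented DACL evaluation rules (a NULL DACL grants everything, an empty DACL grants nothing, ACEs are walked in order, a matching deny ACE ends the check, and the object owner is implicitly granted READ_CONTROL and WRITE_DAC). It does not call any Windows API and does not model privilege-based paths such as SeTakeOwnershipPrivilege or MAXIMUM_ALLOWED, so it does not by itself explain why the original poster's Administrator could connect. The SIDs are constructed, and the connect rights are assumed to be FILE_READ_DATA | FILE_WRITE_DATA for the sake of the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants from the documented Windows SID/ACL/ACE formats. */
#define SID_REVISION            1
#define ACCESS_ALLOWED_ACE_TYPE 0
#define ACCESS_DENIED_ACE_TYPE  1
#define READ_CONTROL    0x00020000u   /* implicitly granted to the object's owner */
#define WRITE_DAC       0x00040000u   /* likewise */
#define FILE_READ_DATA  0x00000001u
#define FILE_WRITE_DATA 0x00000002u
#define MAX_SUBAUTH 15
#define MAX_ACES    8

typedef struct {
    uint8_t  Revision, SubAuthorityCount;
    uint8_t  IdentifierAuthority[6];          /* 48-bit, big-endian on the wire */
    uint32_t SubAuthority[MAX_SUBAUTH];
} SID;
typedef struct { uint8_t AceType; uint32_t Mask; SID Sid; } ACE;
typedef struct { uint16_t AclSize, BytesUsed; int AceCount; ACE Aces[MAX_ACES]; } ACL;

/* Parse "S-1-5-21-..." into a SID. Returns 0 on success, -1 on malformed input. */
int parse_sid(const char *s, SID *out) {
    char *end; unsigned long long v;
    memset(out, 0, sizeof *out);
    if (s[0] != 'S' || s[1] != '-') return -1;
    v = strtoull(s + 2, &end, 10);                     /* revision */
    if (v != SID_REVISION || *end != '-') return -1;
    out->Revision = (uint8_t)v;
    v = strtoull(end + 1, &end, 10);                   /* identifier authority */
    if (v >> 48) return -1;
    for (int i = 0; i < 6; i++) out->IdentifierAuthority[i] = (uint8_t)(v >> (8 * (5 - i)));
    while (*end == '-') {                              /* sub-authorities, the last one is the RID */
        if (end[1] < '0' || end[1] > '9' || out->SubAuthorityCount == MAX_SUBAUTH) return -1;
        v = strtoull(end + 1, &end, 10);
        if (v > 0xFFFFFFFFull) return -1;
        out->SubAuthority[out->SubAuthorityCount++] = (uint32_t)v;
    }
    return *end == '\0' ? 0 : -1;
}

/* Byte length of the self-relative SID, as RtlLengthSid reports: 8-byte header + 4 per sub-authority. */
size_t sid_length(const SID *s) { return 8 + 4u * s->SubAuthorityCount; }

int sid_equal(const SID *a, const SID *b) {
    return a->Revision == b->Revision && a->SubAuthorityCount == b->SubAuthorityCount
        && memcmp(a->IdentifierAuthority, b->IdentifierAuthority, 6) == 0
        && memcmp(a->SubAuthority, b->SubAuthority, 4u * a->SubAuthorityCount) == 0;
}

/* Start an ACL with a byte budget, the way RtlCreateAcl is given a caller-sized buffer. */
void acl_init(ACL *acl, uint16_t size_bytes) { memset(acl, 0, sizeof *acl); acl->AclSize = size_bytes; acl->BytesUsed = 8; }

/* Append an ACE. One ACE costs an 8-byte header+mask plus its SID; like RtlAddAccessAllowedAce and
 * RtlAddAccessDeniedAce, this fails when the ACL has no room. Returns 0 on success, -1 if full. */
int acl_add_ace(ACL *acl, uint8_t type, uint32_t mask, const SID *sid) {
    size_t need = 8 + sid_length(sid);
    if (acl->AceCount == MAX_ACES || acl->BytesUsed + need > acl->AclSize) return -1;
    acl->Aces[acl->AceCount].AceType = type;
    acl->Aces[acl->AceCount].Mask = mask;
    acl->Aces[acl->AceCount].Sid = *sid;
    acl->AceCount++; acl->BytesUsed += (uint16_t)need;
    return 0;
}

static int token_has(const SID *token, int n, const SID *sid) {
    for (int i = 0; i < n; i++) if (sid_equal(&token[i], sid)) return 1;
    return 0;
}

/* Documented DACL evaluation. `token` is the list of SIDs in the caller's token (user + groups).
 * Returns 1 when every bit of `desired` is granted, 0 otherwise. */
int access_check(const ACL *dacl, const SID *owner, const SID *token, int n, uint32_t desired) {
    uint32_t remaining = desired;
    if (token_has(token, n, owner)) remaining &= ~(READ_CONTROL | WRITE_DAC);  /* owner's implicit rights */
    if (remaining == 0) return 1;
    if (dacl == NULL) return 1;                        /* NULL DACL: no protection at all */
    for (int i = 0; i < dacl->AceCount; i++) {         /* empty DACL: loop never grants, so denied */
        const ACE *ace = &dacl->Aces[i];
        if (!token_has(token, n, &ace->Sid)) continue;
        if (ace->AceType == ACCESS_DENIED_ACE_TYPE && (ace->Mask & remaining)) return 0;
        if (ace->AceType == ACCESS_ALLOWED_ACE_TYPE) remaining &= ~ace->Mask;
        if (remaining == 0) return 1;                  /* stops here: later ACEs are never consulted */
    }
    return 0;
}

int main(void) {
    /* Constructed SIDs: the thread's Test user, the built-in Administrator, and the Administrators group. */
    SID test, admin, admins, tok_admin[2]; ACL dacl;
    parse_sid("S-1-5-21-1111-2222-3333-1001", &test);
    parse_sid("S-1-5-21-1111-2222-3333-500", &admin);
    parse_sid("S-1-5-32-544", &admins);
    tok_admin[0] = admin; tok_admin[1] = admins;
    uint32_t connect = FILE_READ_DATA | FILE_WRITE_DATA;   /* assumed connect rights for the port */
    acl_init(&dacl, 64);
    printf("empty DACL   -> Test:%d Admin:%d\n", access_check(&dacl, &admin, &test, 1, connect),
           access_check(&dacl, &admin, tok_admin, 2, connect));
    acl_add_ace(&dacl, ACCESS_ALLOWED_ACE_TYPE, connect, &test);
    printf("allow Test   -> Test:%d Admin:%d Admin READ_CONTROL (owner):%d\n",
           access_check(&dacl, &admin, &test, 1, connect), access_check(&dacl, &admin, tok_admin, 2, connect),
           access_check(&dacl, &admin, tok_admin, 2, READ_CONTROL));
    printf("append deny  -> %s\n", acl_add_ace(&dacl, ACCESS_DENIED_ACE_TYPE, connect, &admins) ? "no room in ACL" : "ok");
    return 0;
}
```

Two checks fall out of the model that are worth running on paper before touching the driver: an allow ACE that fully satisfies the request ends the walk, so a deny ACE placed after it is never consulted for that caller, and an ACL sized for one ACE silently has no room for a second, which the Rtl add functions report as a failure status rather than by corrupting the ACL.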