Re[2]: Shared Files

Hello vishnu,

I am a beginner in the field, so I may be completely wrong. But
anyway, here is what I think I know.

The LanmanRedirector is a FS filter that knows how to parse
requests like “\\computerX\share\file.ext” and connects to the
LanmanServer on “computerX” and gets the file from there. So, I
guess you could filter the local FS and if the request comes
from LanmanServer, then it is probably on behalf of a remote
user. But how to detect if the request comes from the
LanmanServer is beyond me.

I still think the better approach is the one with the access
token (I think LanmanServer must impersonate the remote user in
order to enforce ACL security, therefore the SIDs should hold
all the information you need).

I hope I’ve got everything right.


Best regards,
Alex mailto:xxxxx@bitdefender.com

Monday, September 5, 2005, 1:54:54 PM, you wrote:

> Thanx Alex
>
> In the DeviceTree tool of IFS kit I saw “\Device\LanmanServer” and
> “\Device\LanmanRedirector” what are they? I thought they are drivers
> responsible for file sharing. If it is true then can I write filters on
> them?
>
> I want to filter all the file operations on shared files (Including Read and
> Write).
>
> VC
>
> “Alex Carp” wrote in message news:xxxxx@ntfsd…
>> Hello vishnu,
>>
>> well, let me quote from Mr. Maxim S. Shatskih’s reply a few days
>> ago:
>> “Filter MJ_CREATE in the FSF, get Parameters->Create.SecurityContext
>> from the IRP, get the access token from it, get its group list and
>> check for Network pseudo-group (it has the well-known SID).”
>>
>> Also, you can get the user SID from the access token, and then
>> use LsaLookupNames2. I don’t know if such a function is available
>> in kernel mode ( I only need to display the information in user
>> mode … ), perhaps someone can help ?
>>
>>
>>
>>
>> –
>> Best regards,
>> Alex mailto:xxxxx@bitdefender.com
>>
>> Monday, September 5, 2005, 11:57:17 AM, you wrote:
>>
>> > Hi all,
>>
>> > I want to filter file operations on shared files (i.e. all the file
>> > operations done from remote workstations). I want to know the credentials
>> > of the user trying to access the file from remote computer. Is it possible?
>>
>> > VC
>>
>>
>>
>> > —
>> > Questions? First check the IFS FAQ at
>> > https://www.osronline.com/article.cfm?id=17
>>
>> > You are currently subscribed to ntfsd as: xxxxx@bitdefender.com
>> > To unsubscribe send a blank email to
>> xxxxx@lists.osr.com
>>
>>
>>
>>
>>
>> –
>> This message was scanned for spam and viruses by BitDefender.
>> For more information please visit http://www.bitdefender.com/
>>
>>


You need to filter LanmanRedirector.

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of vishnu P
Sent: Monday, September 05, 2005 3:55 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Shared Files

Thanx Alex

In the DeviceTree tool of IFS kit I saw “\Device\LanmanServer” and
“\Device\LanmanRedirector” what are they? I thought they are drivers
responsible for file sharing. If it is true then can I write filters on
them?

I want to filter all the file operations on shared files (Including Read and
Write).

VC


Why not? Parameters.Create.SecurityContext contains the necessary info.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “vishnu P”
Newsgroups: ntfsd
To: “Windows File Systems Devs Interest List”
Sent: Monday, September 05, 2005 12:57 PM
Subject: [ntfsd] Shared Files

> Hi all,
>
> I want to filter file operations on shared files (i.e. all the file
> operations done from remote workstations). I want to know the credentials of
> the user trying to access the file from remote computer. Is it possible?
>
> VC
>
>
>

> Also, you can get the user SID from the access token, and then
> use LsaLookupNames2. I don’t know if such a function is available
> in kernel mode

I’m nearly sure that is not so. LookupAccountName and LsaLookupNames2 require an
RPC call to the domain controller usually, which is not supported in the
kernel. Sorry, the kernel code must work with SIDs only and not usernames.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
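
The group-list check described in this thread (look for the Network pseudo-group, well-known SID S-1-5-2), as an added example that is not code from any poster: portable user-mode C that walks a list of binary SIDs and validates each length before comparing. The `group_entry` struct, the function names and the sample lists are assumptions made for illustration; in a filter the list would come from the access token referenced by `Parameters.Create.SecurityContext`.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Binary SID layout: revision, sub-authority count, 6-byte big-endian
 * identifier authority, then that many little-endian 32-bit sub-authorities. */
#define SID_HEADER_LEN 8u

/* Hypothetical stand-in for one entry of a token's group list. */
struct group_entry { const uint8_t *sid; size_t len; };

static const uint8_t SID_NETWORK[]     = {1,1, 0,0,0,0,0,5, 2,0,0,0};  /* S-1-5-2 */
static const uint8_t SID_INTERACTIVE[] = {1,1, 0,0,0,0,0,5, 4,0,0,0};  /* S-1-5-4 */
static const uint8_t SID_EVERYONE[]    = {1,1, 0,0,0,0,0,1, 0,0,0,0};  /* S-1-1-0 */
static const uint8_t SID_USERS[] = {1,2, 0,0,0,0,0,5, 32,0,0,0, 0x21,0x02,0,0}; /* S-1-5-32-545 */

/* Constructed samples: file-server caller, console logon, cut-short SID buffer. */
static const struct group_entry REMOTE_GROUPS[] = {
    {SID_EVERYONE, sizeof SID_EVERYONE}, {SID_USERS, sizeof SID_USERS},
    {SID_NETWORK, sizeof SID_NETWORK}};
static const struct group_entry LOCAL_GROUPS[] = {
    {SID_EVERYONE, sizeof SID_EVERYONE}, {SID_USERS, sizeof SID_USERS},
    {SID_INTERACTIVE, sizeof SID_INTERACTIVE}};
static const struct group_entry TRUNCATED_GROUPS[] = {{SID_NETWORK, 10}};

/* Check the header against the buffer length before reading sub-authorities. */
static int sid_valid(const uint8_t *sid, size_t len) {
    if (sid == NULL || len < SID_HEADER_LEN) return 0;
    if (sid[0] != 1 || sid[1] > 15) return 0;   /* revision 1, at most 15 RIDs */
    return len >= SID_HEADER_LEN + 4u * sid[1];
}

/* Byte-wise SID equality (the job RtlEqualSid does inside a driver). */
static int sid_equal(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen) {
    if (!sid_valid(a, alen) || !sid_valid(b, blen) || a[1] != b[1]) return 0;
    return memcmp(a, b, SID_HEADER_LEN + 4u * a[1]) == 0;
}

/* Returns 1 when the group list contains the Network pseudo-group. */
int is_network_caller(const struct group_entry *groups, size_t count) {
    for (size_t i = 0; i < count; i++)
        if (sid_equal(groups[i].sid, groups[i].len, SID_NETWORK, sizeof SID_NETWORK))
            return 1;
    return 0;
}
int main(void) {  /* exit status 0 when the sample lists classify as expected */
    int ok = is_network_caller(REMOTE_GROUPS, 3) && !is_network_caller(LOCAL_GROUPS, 3)
             && !is_network_caller(TRUNCATED_GROUPS, 1);
    return ok ? 0 : 1;
}
```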

\Device\LanmanServer is a control device object used to govern SRV.SYS from
user mode.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “vishnu P”
Newsgroups: ntfsd
To: “Windows File Systems Devs Interest List”
Sent: Monday, September 05, 2005 2:54 PM
Subject: Re:[ntfsd] Shared Files

> Thanx Alex
>
> In the DeviceTree tool of IFS kit I saw “\Device\LanmanServer” and
> “\Device\LanmanRedirector” what are they? I thought they are drivers
> responsible for file sharing. If it is true then can I write filters on
> them?
>
> I want to filter all the file operations on shared files (Including Read and
> Write).
>
> VC
>

SecLookupAccountSid has been supported since Windows XP - give it an SID
and it gives you back an account name; there are restrictions for using
it since it does rely upon user mode helper services.

This is all part of ksecdd.sys. Note that ksecdd.lib is distributed for
Windows 2000 in the IFS kit as well, so it is certainly possible the IFS
Kit documentation is overly conservative and this was added at some
point in the lifetime of Windows 2000.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Monday, September 05, 2005 2:40 PM
To: ntfsd redirect
Subject: Re: [ntfsd] Shared Files

> Also, you can get the user SID from the access token, and then
> use LsaLookupNames2. I don’t know if such a function is available
> in kernel mode

I’m nearly sure that is not so. LookupAccountName and LsaLookupNames2
require an RPC call to the domain controller usually, which is not
supported in the kernel. Sorry, the kernel code must work with SIDs only
and not usernames.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

