Reputation: 111
Problem: I need to limit access to a WCF service using only Windows account settings. I have a WCF service with security binding element 'clientCredentialType' set to 'Windows'. Can't change this setting. If I understand correctly, anyone with an authentic Windows account is authorized as long as they meet the authorization rules set by the file (EXE) that is hosting that WCF service. So I went into PowerShell and queried the settings for that service:
Get-Acl MYSERVICE.exe | Format-List
says:
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Blah\Server\MYSERVICE.exe
Owner : BUILTIN\Administrators
Group : MYDOMAIN\Domain Users
Access : NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:DUD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;AC)
Every user in my domain seems to have access.
Question: how do I change 'MYDOMAIN\Domain Users' to a different group in my domain so that every domain user (in that group) does not have access?
I have been able to change the list of accounts and their permissions under 'Access' like this:
$myservice_acl = Get-Acl MYSERVICE.exe
$perm = "My Other Domain Group","FullControl","Allow"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule $perm
$myservice_acl.SetAccessRule($rule)
Set-Acl -Path MYSERVICE.exe -AclObject $myservice_acl   # write the modified ACL back to the file
And can presumably explicitly deny or grant access but how do I change the group it inherits from? Or is this the correct approach?
Upvotes: 0
Views: 4853
Reputation: 2935
The Windows Security Descriptor (SD) is broken up into four primary parts:
The Primary Group part of the SD is ignored and has been ignored since Windows 2000 and was preserved for backwards compatibility with POSIX operating systems. https://technet.microsoft.com/en-us/library/cc961983.aspx
For your case, the only two fields to concern yourself with are the Owner and the DACL.
In other words, if you are concerned about the SD on your service binary, check the owner and all members of the DACL but not the Primary Group.
EDIT: For the sake of completeness, the SACL is a list of ACEs (trustees and access rights) but instead of governing control, it controls who is audited and for what type of behavior.
Upvotes: 1
Reputation: 200373
Domain users have access via the local group BUILTIN\Users (joining a computer to a domain automatically adds the group DOMAIN\Domain Users to the group BUILTIN\Users on the joining host). The group property of the security identifier has nothing to do with the access.
If you want to prevent access by domain users in general and allow just a particular domain group you'd remove the DOMAIN\Domain Users ACE and add an ACE for the desired group:
# The ACEs in the question are inherited (the 'ID' flag in the SDDL); RemoveAccessRule()
# ignores inherited ACEs, so break inheritance first, keeping copies as explicit ACEs.
$myservice_acl.SetAccessRuleProtection($true, $true)
$aces = $myservice_acl.Access |
    Where-Object { $_.IdentityReference -eq 'DOMAIN\Domain Users' }
foreach ($ace in $aces) { $myservice_acl.RemoveAccessRule($ace) | Out-Null }
$ace = New-Object Security.AccessControl.FileSystemAccessRule ('DOMAIN\Other Group', 'FullControl', 'Allow')
$myservice_acl.AddAccessRule($ace)
Set-Acl -AclObject $myservice_acl -Path ...
If you just want to deny access to a particular user you could also create a deny ACE for that user. However, mixing permissions like that tends to become pretty messy pretty fast, so I wouldn't recommend going this route.
Upvotes: 0
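A worked version of the procedure from the answer above, as an added example rather than code from the question or any answer: it breaks inheritance, removes the Allow ACEs for BUILTIN\Users (the group the answer identifies as the real path for domain users), Domain Users and ALL APPLICATION PACKAGES, grants one group ReadAndExecute, and re-reads the ACL to confirm. The group name 'MYDOMAIN\Service Operators' is a placeholder; note that this governs only who can read or execute the file on disk.

```powershell
# Added example, not code from the question or the answers: lock a service
# binary down to one domain group and verify the resulting DACL.
# Identities that grant broad access in the ACL shown in the question.
$script:BroadIdentities = @('BUILTIN\Users', 'MYDOMAIN\Domain Users',
    'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES')

function Restrict-FileToGroup {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$AllowedGroup
    )
    $acl = Get-Acl -Path $Path
    # Every ACE in the question carries the 'ID' (inherited) flag in the SDDL,
    # and RemoveAccessRule() cannot remove inherited ACEs. Break inheritance
    # first, keeping copies so SYSTEM and Administrators stay as explicit ACEs.
    $acl.SetAccessRuleProtection($true, $true)
    foreach ($identity in $script:BroadIdentities) {
        $acl.Access |
            Where-Object { $_.IdentityReference.Value -eq $identity } |
            ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    }
    # ReadAndExecute is enough to run the binary; FullControl would also let
    # group members replace the file the service loads.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $AllowedGroup, 'ReadAndExecute', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Returns $true only when inheritance is blocked and none of the broad
# identities still holds an Allow ACE; warns about each remaining entry.
function Test-FileRestricted {
    param([Parameter(Mandatory)] [string]$Path)
    $acl = Get-Acl -Path $Path
    if (-not $acl.AreAccessRulesProtected) {
        Write-Warning "$Path still inherits ACEs from its parent folder"
    }
    $leaks = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $script:BroadIdentities -contains $_.IdentityReference.Value
    })
    foreach ($ace in $leaks) {
        Write-Warning "$($ace.IdentityReference) still has $($ace.FileSystemRights)"
    }
    return ($acl.AreAccessRulesProtected -and $leaks.Count -eq 0)
}

# Usage; the group name is a placeholder for a real group in your domain.
Restrict-FileToGroup -Path 'C:\Program Files (x86)\Blah\Server\MYSERVICE.exe' -AllowedGroup 'MYDOMAIN\Service Operators'
Test-FileRestricted  -Path 'C:\Program Files (x86)\Blah\Server\MYSERVICE.exe'
```

Run it from an elevated session, since changing the DACL on a file owned by BUILTIN\Administrators requires that right; the final call returns $false and warns if any broad identity still has access.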
Reputation: 111
Group: The security group of the owner.
Only users in the following groups are able to reach the folder\object:
NT AUTHORITY\SYSTEM Allow FullControl,
BUILTIN\Administrators Allow FullControl,
BUILTIN\Users Allow ReadAndExecute, Synchronize,
You should check only the Access property to add/remove/query who has access to the folder\file.
Upvotes: 0