Implementation of Windows Access Control in .NET (C#) (ACE, SD, DACL, SACL)

Source: Internet
Author: User

Contents

  • AuthorizationRule: basic ACE
  • AccessRule: ACE (in the DACL)
  • AuditRule: ACE (in the SACL)
  • Concrete ACE classes
  • ObjectSecurity: SD (DACL, SACL)
  • CommonObjectSecurity and NativeObjectSecurity
  • Concrete SD classes

 

Note:

Managed access control APIs were only added in .NET Framework 2.0. All classes in this article live in the System.Security.AccessControl namespace; a few (the identity types) are in System.Security.Principal.

 

This article assumes the reader is familiar with the basic concepts of Windows access control (security principal, SID, ACE, ACL, security descriptor). It does not explain those concepts; it only describes how they are implemented in .NET.

 

 


AuthorizationRule: basic ACE

First, the most basic element of access control: the ACE (access control entry), which is stored in an ACL (access control list). Whether it sits in the DACL or in the SACL (both described later), an ACE always refers to one security principal, so it must store that principal's identity.

 

In .NET the basic ACE abstraction is the abstract class AuthorizationRule (it derives only from Object).

Its members, in the "property name: type name" form used throughout this article:

    // Basic ACE
    abstract class AuthorizationRule
        // Property (name: type)
        IdentityReference: IdentityReference;
            // identity of the security principal this ACE applies to
            // (System.Security.Principal.IdentityReference)

        InheritanceFlags: InheritanceFlags;
            // whether child objects (sub-folders, files, sub-keys) inherit this ACE

        PropagationFlags: PropagationFlags;
            // how an inheritable ACE propagates (InheritOnly, NoPropagateInherit)

        IsInherited: bool;
            // was this ACE inherited from the parent object, or set explicitly?

        AccessMask: int;  (protected)
            // the rights this ACE grants, denies or audits; every derived rights
            // enumeration (FileSystemRights, RegistryRights, ...) is stored here as an int

 

The IdentityReference property holds the security principal of the ACE. In the Windows security system a principal is identified by its SID; in .NET the SID is represented by SecurityIdentifier, or the principal can be represented by account name with the NTAccount class. Both derive from IdentityReference and can be converted into each other with the Translate method (all in the System.Security.Principal namespace). Translate resolves names through the local SAM or a domain controller, so it can fail for deleted accounts (an orphaned SID) or unknown names; it then throws IdentityNotMappedException.
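As an added example (not code from the original article), the following C# shows the two IdentityReference forms and the Translate conversion between them, including the unresolved-SID case. The IdentityDemo class and its method names are mine, and the S-1-5-21-... SID is a constructed value chosen so that it will not resolve on most machines.

```csharp
using System;
using System.Security.Principal;

// Added example, not from the original article. Runs on any Windows host;
// the well-known SIDs resolve everywhere, the constructed domain SID will not.
static class IdentityDemo
{
    // Build a SecurityIdentifier without touching the account database at all.
    public static SecurityIdentifier LocalAdmins() =>
        new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);

    // SID -> NTAccount and back. Translate() may have to ask a domain
    // controller, so a failed lookup has to be handled, not assumed away.
    public static string Describe(IdentityReference id)
    {
        try
        {
            var sid  = (SecurityIdentifier)id.Translate(typeof(SecurityIdentifier));
            var acct = (NTAccount)sid.Translate(typeof(NTAccount));
            return $"{acct.Value} = {sid.Value}";
        }
        catch (IdentityNotMappedException)
        {
            // Orphaned SID (deleted account) or unknown name: keep the raw value
            // rather than dropping the ACE it came from.
            return $"{id.Value} (unresolved)";
        }
    }

    public static void Main()
    {
        Console.WriteLine(Describe(LocalAdmins()));
        Console.WriteLine(Describe(new NTAccount("Everyone")));
        // Constructed SID for a non-existent domain account (assumption: not present here).
        Console.WriteLine(Describe(new SecurityIdentifier("S-1-5-21-1-2-3-1001")));

        // IdentityReference is also what the token-membership check accepts.
        var principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        Console.WriteLine("current user is local admin: " + principal.IsInRole(LocalAdmins()));
    }
}
```

Use the SID form whenever a rule is persisted or compared: names are locale-dependent (BUILTIN\Administrators is spelled differently on non-English systems) and change on rename, while the SID does not.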

 

Too abstract? Look at the concrete ACE implementations below and the abstract properties above will quickly become familiar.

 

 


AccessRule: ACE (in the DACL)

An ACE in the DACL (the ACE discussed above) stores access control information for a securable object. Because it controls access, three things are indispensable:

  1. The target security principal (a user or group account)
  2. The rights involved
  3. The rule type (allow or deny)

 

In .NET the AccessRule type represents an ACE in the DACL. It inherits from the ACE base class (the AuthorizationRule above), so the properties inherited from AuthorizationRule map onto the three items like this:

  1. Target security principal (user account): the IdentityReference property of the base class AuthorizationRule
  2. Rights involved: each derived AccessRule has its own rights enumeration (named xxxRights), which is ultimately stored in the AccessMask property of the base class AuthorizationRule
  3. Rule type (allow or deny): the AccessControlType property of AccessRule, whose value is the AccessControlType enumeration (Allow or Deny)

 

Because AccessRule inherits the base class AuthorizationRule it is very simple and adds only one property. Note that AccessControlType is a plain enumeration, not a [Flags] enumeration: a single ACE is either an allow ACE or a deny ACE, never both.

    enum AccessControlType
        Allow,   // = 0
        Deny     // = 1

    // ACE in the DACL
    abstract class AccessRule : AuthorizationRule
        // Property (name: type)
        AccessControlType: AccessControlType;

 

 


AuditRule: ACE (in the SACL)

The SACL (system ACL) is also stored in the security descriptor. Its ACEs do not control access; they tell the system which accesses by which principals to audit. When an audit rule is enabled and the specified access to the object succeeds or is denied, the system writes an entry to the Security event log (provided object-access auditing is enabled in the audit policy; without it the SACL is silently ignored).

Like AccessRule, AuditRule in .NET inherits from AuthorizationRule. The principal of the ACE is stored in the IdentityReference property of the base class, and each derived AuditRule has its own rights enumeration (the same xxxRights enumeration its corresponding AccessRule uses), whose value is stored in the AccessMask property of the base class.

 

The AuditRule class:

    [Flags]
    enum AuditFlags
        // which outcomes to audit; Success | Failure audits both
        None,     // no auditing
        Success,  // audit successful access
        Failure   // audit denied access

    // ACE in the SACL
    abstract class AuditRule : AuthorizationRule
        // Property (name: type)
        AuditFlags: AuditFlags;
            // audit type
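As an added example (not code from the original article), the following C# adds a failure audit rule to a directory's SACL and lists what is there. The SaclDemo class and its method names are mine. It assumes Windows, an elevated process (reading or writing a SACL requires SeSecurityPrivilege) and, on .NET Core / .NET 5+, the System.IO.FileSystem.AccessControl package, which supplies GetAccessControl / SetAccessControl as extension methods; on .NET Framework they are instance methods of DirectoryInfo.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example, not from the original article. Audits failed write/delete
// attempts by Everyone on one directory tree.
static class SaclDemo
{
    // One SACL ACE: Everyone, Write|Delete, inherited by sub-folders and files,
    // Failure only. Success auditing on a busy tree floods the Security log.
    public static FileSystemAuditRule FailedWriteAudit()
    {
        var everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
        return new FileSystemAuditRule(
            everyone,
            FileSystemRights.Write | FileSystemRights.Delete,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AuditFlags.Failure);
    }

    public static void AddAudit(string path)
    {
        var dir = new DirectoryInfo(path);
        try
        {
            // Ask for the SACL only: that is the section that needs the privilege,
            // and Persist later writes back only the sections that were modified.
            DirectorySecurity sd = dir.GetAccessControl(AccessControlSections.Audit);
            sd.AddAuditRule(FailedWriteAudit());
            dir.SetAccessControl(sd);

            foreach (FileSystemAuditRule r in sd.GetAuditRules(true, true, typeof(SecurityIdentifier)))
                Console.WriteLine($"{r.AuditFlags,-8} {r.IdentityReference.Value,-12} " +
                                  $"{r.FileSystemRights} inherited={r.IsInherited}");
        }
        catch (PrivilegeNotHeldException e)
        {
            // Not elevated / SeSecurityPrivilege not held: the SACL is not even readable.
            Console.WriteLine("Cannot access the SACL: " + e.Message);
        }
    }

    public static void Main(string[] args)
    {
        // Assumption: a scratch directory the caller does not mind auditing.
        string path = args.Length > 0 ? args[0] : Path.Combine(Path.GetTempPath(), "sacl-demo");
        Directory.CreateDirectory(path);
        AddAudit(path);
    }
}
```

Two checks before relying on this: run it elevated, and confirm that "Audit object access" (Object Access / File System) is enabled in the local or group audit policy, because a SACL entry by itself produces no events.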

// Audit type

 

 


Concrete ACE classes

We have spent a while on the abstract ACE base class and on the abstract DACL and SACL ACE classes; in practice only their derived classes are used.

AccessRule has the following derived classes:

System.Security.AccessControl.CryptoKeyAccessRule

System.Security.AccessControl.EventWaitHandleAccessRule

System.Security.AccessControl.FileSystemAccessRule

System.Security.AccessControl.MutexAccessRule

System.Security.AccessControl.ObjectAccessRule

System.Security.AccessControl.RegistryAccessRule

System.Security.AccessControl.SemaphoreAccessRule

 

AuditRule has the following derived classes:

System.Security.AccessControl.CryptoKeyAuditRule

System.Security.AccessControl.EventWaitHandleAuditRule

System.Security.AccessControl.FileSystemAuditRule

System.Security.AccessControl.MutexAuditRule

System.Security.AccessControl.ObjectAuditRule

System.Security.AccessControl.RegistryAuditRule

System.Security.AccessControl.SemaphoreAuditRule

 

Take the commonly used FileSystemAccessRule and FileSystemAuditRule as an example: the rights type of both is the FileSystemRights enumeration.

 

 


ObjectSecurity: SD (DACL, SACL)

After the ACE, let's look at where ACEs are stored. The SD (security descriptor) is attached to a securable object and contains the DACL and the SACL (plus other information, such as the SID of the object's owner and primary group). The .NET access control library wraps the underlying Win32 API well: a single class represents the security descriptor and is used to manipulate the DACL and SACL inside it.

 

The base class of the SD is System.Security.AccessControl.ObjectSecurity.

The SD class hierarchy is larger than the ACE one; see the derived classes of ObjectSecurity for details.

 

The ObjectSecurity class:

    // SD base class, used to manipulate the DACL and SACL
    abstract class ObjectSecurity
        // Methods
        bool ModifyAccessRule(AccessControlModification modification,
                              AccessRule rule,
                              out bool modified);
            // modify the DACL

        bool ModifyAuditRule(AccessControlModification modification,
                             AuditRule rule,
                             out bool modified);
            // modify the SACL

        // The return value carries the same information as the modified out
        // parameter: whether the requested modification was applied.

        // Properties (name: type); all abstract, overridden by each concrete class
        AccessRuleType: Type;
            // access rule type, e.g. FileSystemAccessRule
        AuditRuleType: Type;
            // audit rule type, e.g. FileSystemAuditRule
        AccessRightType: Type;
            // rights type, e.g. the FileSystemRights enumeration

 

AccessRuleType, AuditRuleType and AccessRightType are abstract properties that every derived SD class overrides. FileSystemSecurity, for example, overrides the three to return the file system's access rule type, audit rule type and rights enumeration type.

 

The core of ObjectSecurity is the pair ModifyAccessRule and ModifyAuditRule above: one operates on AccessRules (the DACL), the other on AuditRules (the SACL). The kind of operation is given by the AccessControlModification enumeration (Add, Set, Reset, Remove, RemoveAll, RemoveSpecific); see MSDN: http://msdn.microsoft.com/zh-cn/library/system.security.accesscontrol.accesscontrolmodification.aspx. I will not repeat MSDN here.
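As an added example (not code from the original article), the following C# ties the AccessRule section and this section together: it reads a directory's DACL, prints each ACE with the three items an AccessRule carries (principal, rights, allow/deny) plus its inheritance state, adds a deny ACE through ModifyAccessRule with AccessControlModification.Add, and writes the descriptor back. The DaclDemo class and its method names are mine. It assumes Windows, a scratch directory path, and (on .NET Core / .NET 5+) the System.IO.FileSystem.AccessControl package for the GetAccessControl / SetAccessControl extension methods; on .NET Framework they are instance methods of DirectoryInfo.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example, not from the original article.
static class DaclDemo
{
    // Resolve a SID for display without letting an orphaned SID abort the listing.
    static string Name(IdentityReference id)
    {
        try { return id.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return id.Value + " (unresolved)"; }
    }

    // Dump the DACL the way a reviewer wants it: who, what, allow/deny, inherited?
    public static void PrintDacl(DirectorySecurity sd)
    {
        // includeExplicit: true, includeInherited: true, identities as raw SIDs.
        foreach (FileSystemAccessRule r in sd.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            Console.WriteLine($"{r.AccessControlType,-5} {Name(r.IdentityReference),-30} " +
                              $"{r.FileSystemRights,-22} inherited={r.IsInherited} " +
                              $"inh={r.InheritanceFlags} prop={r.PropagationFlags}");
        }
    }

    public static void DenyWriteToGuests(string path)
    {
        var dir = new DirectoryInfo(path);
        // Read only the DACL; owner/group/SACL sections would need more rights.
        DirectorySecurity sd = dir.GetAccessControl(AccessControlSections.Access);

        Console.WriteLine("Before:");
        PrintDacl(sd);

        // Target BUILTIN\Guests by SID, not by name, so the rule is locale-independent.
        // Deny is used on a group the current user is not in: a deny ACE that
        // matches the caller's own token would lock the caller out.
        var guests = new SecurityIdentifier(WellKnownSidType.BuiltinGuestsSid, null);
        var deny = new FileSystemAccessRule(
            guests,
            FileSystemRights.Write | FileSystemRights.Delete,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Deny);

        // ModifyAccessRule is the primitive the AddAccessRule helper wraps.
        bool modified;
        bool ok = sd.ModifyAccessRule(AccessControlModification.Add, deny, out modified);
        if (!ok || !modified)
            throw new InvalidOperationException("DACL was not modified");

        // Nothing has reached the file system yet; SetAccessControl persists it.
        dir.SetAccessControl(sd);

        Console.WriteLine("After:");
        PrintDacl(dir.GetAccessControl(AccessControlSections.Access));
    }

    public static void Main(string[] args)
    {
        // Assumption: a scratch directory the caller does not mind modifying.
        string path = args.Length > 0 ? args[0] : Path.Combine(Path.GetTempPath(), "acl-demo");
        Directory.CreateDirectory(path);
        DenyWriteToGuests(path);
    }
}
```

The managed classes keep the DACL in canonical order (explicit deny ACEs before explicit allow, explicit before inherited), so the new deny ACE takes effect ahead of any inherited allow without the caller ordering it by hand.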

 


CommonObjectSecurity and NativeObjectSecurity

CommonObjectSecurity inherits ObjectSecurity and adds no new concept. Its many methods call ModifyAccessRule or ModifyAuditRule of the base class with a fixed AccessControlModification value, giving one simplified method per enumeration member: AddAccessRule / AddAuditRule (Add), SetAccessRule (Set: replace all rules with the same identity and the same allow/deny type), ResetAccessRule (Reset: replace all rules with the same identity regardless of type), RemoveAccessRule (Remove), RemoveAccessRuleAll (RemoveAll) and RemoveAccessRuleSpecific (RemoveSpecific), with the same set for audit rules. The concrete classes expose these with strongly typed parameters. CommonObjectSecurity also adds GetAccessRules and GetAuditRules for enumerating the ACL.

 

NativeObjectSecurity inherits CommonObjectSecurity and adds the native Windows SD model on top of it: it is the layer that reads the descriptor from, and persists it to, the actual Windows object.

For example, the ResourceType enumeration identifies the kind of object the SD is attached to (a file, a registry key, a Windows service, a printer, a kernel object, and so on).
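As an added example (not code from the original article), the following C# shows what the CommonObjectSecurity helper methods do to a DACL, using a DirectorySecurity that exists only in memory and is never written to disk, so it needs no privileges. The ModificationDemo class and its method names are mine; the choice of BUILTIN\Users as the principal is arbitrary.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example, not from the original article.
static class ModificationDemo
{
    static readonly SecurityIdentifier User =
        new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);

    static FileSystemAccessRule Rule(FileSystemRights rights, AccessControlType type) =>
        new FileSystemAccessRule(User, rights, InheritanceFlags.None, PropagationFlags.None, type);

    // Explicit rules only (there is nothing to inherit from in memory).
    public static int CountRules(DirectorySecurity sd) =>
        sd.GetAccessRules(true, false, typeof(SecurityIdentifier)).Count;

    static void Report(string step, DirectorySecurity sd)
    {
        Console.WriteLine($"--- {step}: {CountRules(sd)} rule(s)");
        foreach (FileSystemAccessRule r in sd.GetAccessRules(true, false, typeof(SecurityIdentifier)))
            Console.WriteLine($"  {r.AccessControlType} {r.FileSystemRights}");
        // SDDL is the quickest way to see the raw ACE list the object now holds.
        Console.WriteLine("  SDDL: " + sd.GetSecurityDescriptorSddlForm(AccessControlSections.Access));
    }

    public static void Main()
    {
        var sd = new DirectorySecurity();   // empty in-memory descriptor

        // Add: append. Allow ACEs with the same identity and flags may be
        // merged into one ACE by the canonicalising ACL; the deny stays separate.
        sd.AddAccessRule(Rule(FileSystemRights.Read, AccessControlType.Allow));
        sd.AddAccessRule(Rule(FileSystemRights.Write, AccessControlType.Allow));
        sd.AddAccessRule(Rule(FileSystemRights.Delete, AccessControlType.Deny));
        Report("Add x3", sd);

        // Set: every Allow rule for this identity is replaced; the Deny is kept.
        sd.SetAccessRule(Rule(FileSystemRights.ReadAndExecute, AccessControlType.Allow));
        Report("Set Allow ReadAndExecute", sd);

        // Reset: Allow and Deny rules for this identity are both removed first.
        sd.ResetAccessRule(Rule(FileSystemRights.FullControl, AccessControlType.Allow));
        Report("Reset Allow FullControl", sd);

        // Remove: subtracts the given rights from matching rules rather than
        // deleting a whole ACE, so FullControl loses only Delete here.
        sd.RemoveAccessRule(Rule(FileSystemRights.Delete, AccessControlType.Allow));
        Report("Remove Delete", sd);

        // RemoveAll: every Allow rule for this identity goes, whatever its rights.
        sd.RemoveAccessRuleAll(Rule(FileSystemRights.Read, AccessControlType.Allow));
        Report("RemoveAll Allow", sd);
    }
}
```

The practical consequence: SetAccessRule is the right call when you want a principal to end up with exactly one allow entry, while AddAccessRule after an existing entry accumulates rights. Reviewing the SDDL after each step is a cheap way to confirm which one you actually got.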

 

 


Concrete SD classes

Like the ACEs, the concrete SD types derive from the abstract SD base class, and they match the concrete ACE classes almost one-to-one. The exception is the file system: on the ACE side a single FileSystemAccessRule / FileSystemAuditRule covers both files and folders, but on the SD side FileSystemSecurity is abstract, and its derived classes DirectorySecurity and FileSecurity are the ones actually used. Apart from the name, the difference is that the IsContainer property of ObjectSecurity is true for DirectorySecurity and false for FileSecurity, which is what lets a directory's ACEs carry inheritance flags for the objects beneath it.

 

NativeObjectSecurity is the base class of the SD types for all the other native objects. Its derived classes are:

System.Security.AccessControl.CryptoKeySecurity

System.Security.AccessControl.EventWaitHandleSecurity

System.Security.AccessControl.FileSystemSecurity

System.Security.AccessControl.MutexSecurity

System.Security.AccessControl.ObjectSecurity<T> (generic, .NET 4.0 and later; T is the rights enumeration, and the constructor takes the ResourceType)

System.Security.AccessControl.RegistrySecurity

System.Security.AccessControl.SemaphoreSecurity

(FileSystemSecurity in turn derives the FileSecurity and DirectorySecurity classes.)
