Access Control

In Windows Filtering Platform (WFP), the Base Filtering Engine (BFE) service implements the standard Windows access control model based on access tokens and security descriptors.

Access Control Model

Security descriptors can be specified when adding new WFP objects, such as filters and sub-layers. Security descriptors are managed using the WFP management functions Fwpm*GetSecurityInfo0 and Fwpm*SetSecurityInfo0, where * stands for the WFP object's name. These functions are semantically identical to the Windows GetSecurityInfo and SetSecurityInfo functions.

Note  The Fwpm*SetSecurityInfo0 functions cannot be called from within an explicit transaction.

Note  The Fwpm*SetSecurityInfo0 functions can only be called from within a dynamic session if they are being used to manage a dynamic object created within the same session.

The default security descriptor for the filter engine (the root Engine object in the diagram below) is as follows.

  • Grant GENERIC_ALL (GA) access rights to the built-in Administrators group.
  • Grant GENERIC_READ (GR) GENERIC_WRITE (GW) GENERIC_EXECUTE (GX) access rights to network configuration operators.
  • Grant GRGWGX access rights to the following service security identifiers (SSIDs): MpsSvc (Windows Firewall), NapAgent (Network Access Protection Agent), PolicyAgent (IPsec Policy Agent), RpcSs (Remote Procedure Call), and WdiServiceHost (Diagnostic Service Host).
  • Grant FWPM_ACTRL_OPEN and FWPM_ACTRL_CLASSIFY to everyone. (These are WFP-specific access rights, described in table below.)

The remaining default security descriptors are derived through inheritance.

There are some access checks, such as for Fwpm*Add0, Fwpm*CreateEnumHandle0, Fwpm*SubscribeChanges0 function calls, that cannot be done at the individual object level. For these functions, there are container objects for each object type. For the standard object types (for example, providers, callouts, filters), the existing Fwpm*GetSecurityInfo0 and Fwpm*SetSecurityInfo0 functions are overloaded, such that a null GUID parameter identifies the associated container. For the other object types (for example, network events and IPsec security associations), there are explicit functions for managing the container's security information.

BFE supports automatic inheritance of Discretionary Access Control List (DACL) access control entries (ACEs). BFE does not support System Access Control List (SACL) ACEs. Objects inherit ACEs from their container. Containers inherit ACEs from the filter engine. The propagation paths are shown in the diagram below.

Bb442405.access_control(en-us,VS.85).jpg

For the standard object types, BFE enforces all the generic and standard access rights. In addition, WFP defines the following specific access rights.

WFP Access RightDescription

FWPM_ACTRL_ADD

Required to add an object to a container.

FWPM_ACTRL_ADD_LINK

Required to create an association to an object. For example, to add a filter that references a callout, the caller must have ADD_LINK access to the callout.

FWPM_ACTRL_BEGIN_READ_TXN

Required to begin an explicit read transaction.

FWPM_ACTRL_BEGIN_WRITE_TXN

Required to begin an explicit write transaction.

FWPM_ACTRL_CLASSIFY

Required to classify against a user-mode layer.

FWPM_ACTRL_ENUM

Required to enumerate the objects in a container. However, the enumerator only returns objects to which the caller has FWPM_ACTRL_READ access.

FWPM_ACTRL_OPEN

Required to open a session with BFE.

FWPM_ACTRL_READ

Required to read an object's properties.

FWPM_ACTRL_READ_STATS

Required to read statistics.

FWPM_ACTRL_SUBSCRIBE

Required to subscribe for notifications. Subscribers will only receive notifications for objects to which they have FWPM_ACTRL_READ access.

FWPM_ACTRL_WRITE

Required to set engine options.

 

BFE skips all access checks for kernel-mode callers.

In order to prevent administrators from locking themselves out of BFE, members of the built-in administrators group are always granted FWPM_ACTRL_OPEN to the engine object. Thus, an administrator can regain access through the following steps.

  • Enable the SE_TAKE_OWNERSHIP_NAME privilege.
  • Call FwpmEngineOpen0. The call succeeds because the caller is a member of Built-in Administrators.
  • Take ownership of the engine object. This succeeds because the caller has the SE_TAKE_OWNERSHIP_NAME privilege.
  • Update the DACL. This succeeds because the owner always has WRITE_DAC access

Since BFE supports its own custom auditing, it does not generate generic object access audits. Thus, the SACL is ignored.

WFP Required Access Rights

The table below shows the access rights required by the WFP functions in order to access various filtering platform objects. The FwpmFilter* functions are listed as an example for accessing the standard objects. All the other functions that access standard objects follow the FwpmFilter* functions access model.

FunctionObject CheckedAccess Required
FwpmEngineOpen0 EngineFWPM_ACTRL_OPEN
FwpmEngineGetOption0 EngineFWPM_ACTRL_READ
FwpmEngineSetOption0 EngineFWPM_ACTRL_WRITE
FwpmSessionCreateEnumHandle0 EngineFWPM_ACTRL_ENUM
FwpmTransactionBegin0 EngineFWPM_ACTRL_BEGIN_READ_TXN & FWPM_ACTRL_BEGIN_WRITE_TXN
FwpmFilterAdd0 Container

Provider

Layer

Sub-Layer

Callout

Provider Context

FWPM_ACTRL_ADD

FWPM_ACTRL_ADD_LINK

FWPM_ACTRL_ADD_LINK

FWPM_ACTRL_ADD_LINK

FWPM_ACTRL_ADD_LINK

FWPM_ACTRL_ADD_LINK

FwpmFilterDeleteById0

FwpmFilterDeleteByKey0

FilterDELETE
FwpmFilterGetById0

FwpmFilterGetByKey0

FilterFWPM_ACTRL_READ
FwpmFilterCreateEnumHandle0 Container

Filter

FWPM_ACTRL_ENUM

FWPM_ACTRL_READ

FwpmFilterSubscribeChanges0 ContainerFWPM_ACTRL_SUBSCRIBE
FwpmFilterSubscriptionsGet0 ContainerFWPM_ACTRL_READ
IPsecGetStatistics0 IPsec SA DBFWPM_ACTRL_READ_STATS
IPsecSaContextCreate0

IPsecSaContextGetSpi0

IPsecSaContextAddInbound0

IPsecSaContextAddOutbound0

IPsec SA DBFWPM_ACTRL_ADD
IPsecSaContextDeleteById0

IPsecSaContextExpire0

IPsec SA DBDELETE
IPsecSaContextGetById0 IPsec SA DBFWPM_ACTRL_READ
IPsecSaContextCreateEnumHandle0

IPsecSaCreateEnumHandle0

IPsec SA DBFWPM_ACTRL_ENUM & FWPM_ACTRL_READ
IkeextGetStatistics0 IKE SA DBFWPM_ACTRL_READ_STATS
IkeextSaDeleteById0 IKE SA DBDELETE
IkeextSaGetById0 IKE SA DBFWPM_ACTRL_READ
IkeextSaCreateEnumHandle0 IKE SA DBFWPM_ACTRL_ENUM & FWPM_ACTRL_READ
FwpmNetEventCreateEnumHandle0 ContainerFWPM_ACTRL_ENUM
FwpmIPsecTunnelAdd0

FwpmIPsecTunnelDeleteByKey0

No additional access checks beyond those for the individual filters and provider contexts

 

Related topics

Standard Access Rights
Windows Access Control Model
Windows Filtering Platform Access Rights Identifiers

 

 

Community Additions

ADD
Show:
© 2014 Microsoft