
7 Appendix B: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs:

  • Windows Server 2008 operating system

  • Windows Server 2008 R2 operating system

  • Windows Server 2012 operating system

  • Windows Server 2012 R2 operating system

Exceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms SHOULD or SHOULD NOT implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term MAY implies that the product does not follow the prescription.

<1> Section 3.2.1.2: The name of the machine used in the Microsoft implementation is the fully qualified domain name (FQDN) (1) of the machine.

<2> Section 3.2.1.2: The names of the machines used in the Microsoft implementation are the FQDNs (1) of the machines.

<3> Section 3.2.1.3: A Microsoft Online Responder defines two permissions: Read and Administer. For responder security methods GetSecurity, SetSecurity, and GetMyRoles, the Microsoft Online Responder assigns permissions to principals (identified by the ACE) in the following manner.

| Permission | Bit value | Meaning |
| --- | --- | --- |
| Read | 0x00000100 | The caller can read the configuration information and properties of the responder. |
| Administer | 0x00000001 | The caller can update the configuration information and properties of the responder. |

If a principal has Administer permission, Read permission is implied (does not need to be explicitly set).

The responder may enforce Online Responder security for each of the following methods by checking for the permissions identified in the following table.

| Method name | Acceptable permissions |
| --- | --- |
| GetOCSPProperty | Read |
| SetOCSPProperty | Administer |
| GetCAConfigInformation | Read |
| SetCAConfigInformation | Administer |
| GetSecurity | Read |
| SetSecurity | Administer |

The security descriptor on the responder controls which security principal can manage or read configuration information or request certificate status from the responder. Whenever a Read method on the responder is invoked, the responder checks this security descriptor to ensure that the calling entity has read access; if the entity doesn't have read access, the responder returns 0x80070005 as the error code. Whenever any Write method is invoked, the responder checks this security descriptor to ensure that the calling entity has manage access on the responder; if it does not, 0x80070005 is returned by the responder.

These methods require read access:

These methods require manage access:

The following method can be invoked by any caller:

<4> Section 3.2.1.3: This note is identical to product behavior note <3> above: the same two permissions (Read, 0x00000100, and Administer, 0x00000001, with Administer implying Read), the same per-method permission table, and the same 0x80070005 error code when the calling entity lacks the required access.

<5> Section 3.2.4.1.1: For the Microsoft responder, this property has values between 5 and 9999.

<6> Section 3.2.4.1.1: The Microsoft responder uses integer values between 0 and 6.

| Value | Meaning |
| --- | --- |
| CERTLOG_MINIMAL (0x00000000) | Log events for errors and warnings that occur on the responder. |
| CERTLOG_TERSE (0x00000001 to 0x00000003) | Log errors, warnings, and informational events. |
| CERTLOG_VERBOSE (0x00000004) | Log extended events. |
| CERTLOG_EXHAUSTIVE (0x00000005 to 0x00000006) | Throttling is removed for events that can be generated quickly, such as MSG_E_POSSIBLE_DENIAL_OF_SERVICE_ATTACK. |

<7> Section 3.2.4.1.1: The Microsoft responder uses a value of 0xffffffe3 to indicate that debug tracing is enabled and 0 to indicate that it is not.

<8> Section 3.2.4.1.1: The Microsoft responder uses values between 1 and 24.

<9> Section 3.2.4.1.1: The Microsoft responder uses a default value of 20.

<10> Section 3.2.4.1.1: The Microsoft responder uses a value of 0xffffffe3 to indicate that debug tracing is enabled and 0 to indicate that it is not.

<11> Section 3.2.4.1.1: Windows does not return any vendor defined properties.

<12> Section 3.2.4.1.2: The type MUST match the value specified in section 3.2.4.1.1 if the server is a Windows responder. Otherwise, the responder might not function correctly.

<13> Section 3.2.4.1.3: The Microsoft responder uses the hash algorithms supported by the cryptographic provider specified in the CSPName property.

<14> Section 3.2.4.1.3: The Microsoft Online responder returns a value of {4956d17f-88fd-4198-b287-1e6e65883b19} for this property.

<15> Section 3.2.4.1.5: By default the Responder SD is as follows:

  • Owner: SID for Builtin\Administrators (S-1-5-32-544)

  • Group: SID for Builtin\Administrators (S-1-5-32-544)

  • 2 ACEs with ACE_TYPE ACCESS_ALLOWED_ACE_TYPE (0x00):

      • Allow Builtin Admins to read and manage the responder.

      • Allow Network Service account to proxy requests.

  • 2 ACEs with ACE_TYPE SYSTEM_AUDIT_ACE_TYPE (0x02):

      • Audit Success and Failure for everyone when they try to access for the 0xffff (any) access rights.

      • Audit Success and Failure for anonymous users when they try to access for the 0xffff access rights.

Within the ACCESS_MASK, the bit values have the following meanings:

| Permission | Bit Value | Meaning |
| --- | --- | --- |
| Read | 0x00000100 | Read the configuration information and properties of the responder. |
| Administer | 0x00000001 | Update the configuration information and properties of the responder. |
| Proxy requests | 0x00000300 | Proxy requests (if the responder is split into a front end and back end service). |
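The following is an added example, not code from the specification or from Microsoft's responder. It models the ACCESS_MASK bits and the per-method permission table from note <3> together with the default responder security descriptor from note <15>, and evaluates a caller's token against them the way the notes describe (Administer implies Read; a failed check yields 0x80070005). The bit values, SIDs for Builtin\Administrators, ACE types, and the 0xffff audit mask come from the page; the SIDs for Network Service (S-1-5-20), Everyone (S-1-1-0), and Anonymous (S-1-5-7) are the standard well-known SIDs, the `my_roles` helper is an assumed GetMyRoles-style query, and the evaluation functions are an illustrative model rather than the product's access-check code.

```python
"""Model of the Online Responder permission bits and default SD (added example)."""
from dataclasses import dataclass

# ACCESS_MASK bit values from the Product Behavior notes.
OCSP_READ = 0x00000100
OCSP_ADMINISTER = 0x00000001
OCSP_PROXY = 0x00000300        # note: this mask also contains the Read bit (0x100)

E_ACCESSDENIED = 0x80070005    # error code returned when an access check fails

# Well-known SIDs. Builtin\Administrators is from the page; the others are the
# standard well-known SIDs (assumed here for Network Service, Everyone, Anonymous).
SID_BUILTIN_ADMINS = "S-1-5-32-544"
SID_NETWORK_SERVICE = "S-1-5-20"
SID_EVERYONE = "S-1-1-0"
SID_ANONYMOUS = "S-1-5-7"

ACCESS_ALLOWED_ACE_TYPE = 0x00
SYSTEM_AUDIT_ACE_TYPE = 0x02


@dataclass(frozen=True)
class Ace:
    ace_type: int
    sid: str
    mask: int


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl: list   # ACCESS_ALLOWED ACEs
    sacl: list   # SYSTEM_AUDIT ACEs


# The default responder SD as described in note <15>.
DEFAULT_RESPONDER_SD = SecurityDescriptor(
    owner=SID_BUILTIN_ADMINS,
    group=SID_BUILTIN_ADMINS,
    dacl=[
        Ace(ACCESS_ALLOWED_ACE_TYPE, SID_BUILTIN_ADMINS, OCSP_READ | OCSP_ADMINISTER),
        Ace(ACCESS_ALLOWED_ACE_TYPE, SID_NETWORK_SERVICE, OCSP_PROXY),
    ],
    sacl=[
        Ace(SYSTEM_AUDIT_ACE_TYPE, SID_EVERYONE, 0xFFFF),
        Ace(SYSTEM_AUDIT_ACE_TYPE, SID_ANONYMOUS, 0xFFFF),
    ],
)

# Permission each admin method requires, per the table in note <3>.
METHOD_REQUIRED = {
    "GetOCSPProperty": OCSP_READ,
    "SetOCSPProperty": OCSP_ADMINISTER,
    "GetCAConfigInformation": OCSP_READ,
    "SetCAConfigInformation": OCSP_ADMINISTER,
    "GetSecurity": OCSP_READ,
    "SetSecurity": OCSP_ADMINISTER,
}


def granted_mask(sd, caller_sids):
    """Union of ACCESS_ALLOWED masks whose SID appears in the caller's token.
    Administer implies Read, so the Read bit is added whenever Administer is held."""
    mask = 0
    for ace in sd.dacl:
        if ace.ace_type == ACCESS_ALLOWED_ACE_TYPE and ace.sid in caller_sids:
            mask |= ace.mask
    if mask & OCSP_ADMINISTER:
        mask |= OCSP_READ
    return mask


def check_access(sd, caller_sids, method):
    """Return 0 when the caller holds the method's required permission, else 0x80070005."""
    required = METHOD_REQUIRED[method]
    if granted_mask(sd, caller_sids) & required == required:
        return 0
    return E_ACCESSDENIED


def audit_required(sd, caller_sids, requested_mask):
    """True when a SYSTEM_AUDIT ACE covers this caller and any of the requested rights
    (the default SACL audits both success and failure, so the outcome does not matter)."""
    return any(
        ace.ace_type == SYSTEM_AUDIT_ACE_TYPE and ace.sid in caller_sids
        and (ace.mask & requested_mask) != 0
        for ace in sd.sacl
    )


def my_roles(sd, caller_sids):
    """Names of the two responder permissions the caller effectively holds
    (assumed GetMyRoles-style query; not the product's implementation)."""
    mask = granted_mask(sd, caller_sids)
    return [name for name, bit in (("Read", OCSP_READ), ("Administer", OCSP_ADMINISTER)) if mask & bit]


if __name__ == "__main__":
    # Constructed sample tokens: every authenticated caller also carries Everyone.
    admin = [SID_BUILTIN_ADMINS, SID_EVERYONE]
    netsvc = [SID_NETWORK_SERVICE, SID_EVERYONE]
    anon = [SID_ANONYMOUS]
    for name, token in (("admin", admin), ("network service", netsvc), ("anonymous", anon)):
        for method in METHOD_REQUIRED:
            print(f"{name:16} {method:24} -> 0x{check_access(DEFAULT_RESPONDER_SD, token, method):08x}")
        print(f"{name:16} roles={my_roles(DEFAULT_RESPONDER_SD, token)} "
              f"audited={audit_required(DEFAULT_RESPONDER_SD, token, OCSP_READ)}")
```

One property of the page's own values is worth checking in this model: the Proxy mask 0x00000300 contains the Read bit 0x00000100, so an ACE that grants only "proxy requests" to Network Service also satisfies the Read check for GetOCSPProperty and GetSecurity, while Set methods remain denied for it. The two audit ACEs match on Everyone and Anonymous with the 0xffff mask, so any request that asks for any responder right from either principal is audited whether it succeeds or fails.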

<16> Section 3.2.4.1.8: The Microsoft Online Responder returns the hash algorithms supported by the "Microsoft Strong Cryptographic Provider" CSP in the default list of hash algorithms.

<17> Section 6: The Microsoft implementation of the OCSP admin interface has a CLSID whose value is { 0x6d5ad135, 0x1730, 0x4f19, { 0xa4, 0xeb, 0x3f, 0x78, 0xe7, 0xc9, 0x76, 0xbb}}.

© 2015 Microsoft