3.2.1.1 Access Control Abstract Data Model

Access Rights: The access rights defined by this protocol are specified by the bit settings in the following table.

| Name | Value | Informative Summary |
|------|-------|---------------------|
| WKSTA_NETAPI_CHANGE_CONFIG | 0x1 | Granted to security principals that are allowed to make changes to the state of the server (2) during message processing. For example, members of the Administrators group are granted this access right. |
| WKSTA_NETAPI_QUERY | 0x2 | Granted to security principals that are allowed to query the state of the server during message processing. For example, authenticated (2) users are granted this access right. |

NetSecurityDescriptor: A security descriptor that is used for the verification of access security during message processing. If present, this security descriptor MUST NOT be changed. Its value can be expressed as follows in Security Descriptor Definition Language (SDDL).<11>

 O:NSG:NSD:(A;;%x3;;;SY)(A;;%x3;;;BA)(A;;%x2;;;AU)

The rights field in each NetSecurityDescriptor access control entry (ACE) string uses the values defined in Access Rights. The value of the NetSecurityDescriptor expresses the following information: this object is owned by the network service; this object has the network service as its primary group; local system and built-in administrator accounts are granted query and change rights to this object; authenticated (2) users are granted query rights to this object.

Method Access Control Algorithm: During message processing, the server implementing this protocol MUST perform access security verification on the caller's identity using the following steps:

  1. The server impersonates the client by invoking the StartImpersonatingClient task (section 3.2.4.29.6). If this operation fails, the access check algorithm fails and the server returns an error.

  2. The server retrieves the client's impersonation token ([MS-RPCE] section 3.3.3.4.3.1). If this operation fails, the access check algorithm fails. The server continues executing at step 4 and returns an error.

  3. The server invokes the Access Check Algorithm Pseudocode algorithm ([MS-DTYP] section 2.5.3.2). For this protocol, the input parameters of that algorithm are mapped as follows:

    • SecurityDescriptor: This is the NetSecurityDescriptor specified previously in this section. If the security descriptor does not exist, the client is automatically granted access.

    • Token: This is the token of the client, as retrieved in step 2.

    • Access Request mask: This is specified by each method's message processing logic and MUST be one or more of the Access Rights specified previously in this section.

    • Object Tree: This parameter MUST be NULL.

    • PrincipalSelfSubst SID: This parameter MUST be NULL.

  4. The server stops impersonating the client by invoking the StopImpersonatingClient task (section 3.2.4.29.7).

  5. The server returns the results of the algorithm (from either step 2 or 3).
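
The following Python model is an added example, not part of the specification: it walks the NetSecurityDescriptor ACEs for a caller and follows steps 1 through 5, including the step 2 failure path that still stops impersonation. The FakeCall class, the function names, and the use of SDDL SID aliases as token contents are assumptions made for illustration; the DACL walk is a simplification of the [MS-DTYP] algorithm.

```python
import re

WKSTA_NETAPI_CHANGE_CONFIG = 0x1
WKSTA_NETAPI_QUERY = 0x2
NET_SD = "O:NSG:NSD:(A;;%x3;;;SY)(A;;%x3;;;BA)(A;;%x2;;;AU)"  # from the section

def parse_aces(sddl):
    """Return (type, mask, sid_alias) for each ACE string; rights use the %x hex form."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", sddl):
        ace_type, _flags, rights, _obj, _inh_obj, sid = body.split(";")
        aces.append((ace_type, int(rights.replace("%x", ""), 16), sid))
    return aces

def access_check(sddl, token_sids, desired):
    """Simplified DACL walk: grant only when every requested bit is allowed."""
    if sddl is None:                     # descriptor absent: automatically granted
        return True
    remaining = desired
    for ace_type, mask, sid in parse_aces(sddl):
        if sid not in token_sids:
            continue
        if ace_type == "D" and mask & remaining:
            return False
        if ace_type == "A":
            remaining &= ~mask
    return remaining == 0

class FakeCall:
    """Constructed stand-in for an RPC call context (hypothetical, for the example)."""
    def __init__(self, token_sids, can_impersonate=True):
        self.token_sids, self.can_impersonate = token_sids, can_impersonate
        self.impersonating = False
    def start_impersonating(self):
        self.impersonating = self.can_impersonate
        return self.impersonating
    def stop_impersonating(self):
        self.impersonating = False

def method_access_control(call, desired, sddl=NET_SD):
    if desired == 0 or desired & ~(WKSTA_NETAPI_CHANGE_CONFIG | WKSTA_NETAPI_QUERY):
        raise ValueError("mask must be one or more of the Access Rights")
    if not call.start_impersonating():           # step 1
        return False
    try:
        token = call.token_sids                  # step 2; None models a failed lookup
        return token is not None and access_check(sddl, token, desired)  # step 3
    finally:
        call.stop_impersonating()                # step 4 runs on every path after step 1
```

Passing sddl=None models the "security descriptor does not exist" case, in which any caller that can be impersonated is granted the requested rights.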