question

YuryStrozhevsky asked YuryStrozhevsky commented

ACCESS_ALLOWED_CALLBACK_OBJECT_ACE and ACCESS_DENIED_CALLBACK_OBJECT_ACE: why do these ACEs not count during access control processing?

During my own internal testing I found that any ACEs with types ACCESS_ALLOWED_CALLBACK_OBJECT_ACE and ACCESS_DENIED_CALLBACK_OBJECT_ACE do not count during access control processing. I made different variations of the ACEs: with or without the ObjectType GUID, with or without the ApplicationData field, with ApplicationData having a correct "conditional expression" (as described in [MS-DTYP] 2.4.4.17). In all cases such ACEs had no influence on the access checking process. At the same time I was able to correctly apply any ACCESS_ALLOWED_OBJECT_ACE and ACCESS_DENIED_OBJECT_ACE. Also I am able to build correct ACEs with types ACCESS_ALLOWED_CALLBACK_ACE and ACCESS_DENIED_CALLBACK_ACE.

So, it seems like internally, in a callback function like "AuthzAccessCheckCallback", for ACCESS_ALLOWED_CALLBACK_OBJECT_ACE and ACCESS_DENIED_CALLBACK_OBJECT_ACE I got "*pbAceApplicable = FALSE".

Additional details: I am making all the security descriptors using my own library in C++, and access checking is performed by the "AccessCheckByTypeResultListAndAuditAlarmByHandle" function. Everything was tested on Windows 10 under a process having an elevated administrator account (with all related privileges enabled). Plus I tested the same code on a fresh installation of Windows Server 2019 with a configured Active Directory domain - same result, such ACE types do not count during access control checking.

windows-10-security windows-server-security
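The byte layout of the two ACE types the question names, as an added example that is not part of the original post and is not Microsoft or the asker's code: a portable C parser that splits a raw ACCESS_ALLOWED/DENIED_CALLBACK_OBJECT_ACE into its [MS-DTYP] fields, so a hand-built ACE can be checked before it reaches an access check. The names `cb_object_ace`, `parse_cb_object_ace` and `SAMPLE_ACE` are hypothetical, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields of an ACCESS_ALLOWED/DENIED_CALLBACK_OBJECT_ACE, per [MS-DTYP]. */
typedef struct {
    uint8_t type;                   /* 0x0B allowed, 0x0C denied */
    uint32_t mask, flags;           /* flags: 0x1 ObjectType, 0x2 InheritedObjectType */
    const uint8_t *object_type;     /* 16-byte GUID, NULL when absent */
    const uint8_t *inherited_type;  /* 16-byte GUID, NULL when absent */
    const uint8_t *sid, *app_data;
    size_t sid_len, app_len;
    int conditional;                /* ApplicationData starts with "artx" */
} cb_object_ace;

static uint32_t le32(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Returns 0 on success, or a negative code naming the first layout problem. */
int parse_cb_object_ace(const uint8_t *b, size_t n, cb_object_ace *o) {
    memset(o, 0, sizeof *o);
    if (n < 12) return -1;                               /* header + Mask + Flags */
    size_t size = b[2] | (size_t)b[3] << 8, off = 12;    /* AceSize, little-endian */
    if (size < 12 || size > n) return -2;
    if (b[0] != 0x0B && b[0] != 0x0C) return -3;         /* not a callback object ACE */
    o->type = b[0]; o->mask = le32(b + 4); o->flags = le32(b + 8);
    if (o->flags & 0x1) { if (size - off < 16) return -4; o->object_type = b + off; off += 16; }
    if (o->flags & 0x2) { if (size - off < 16) return -4; o->inherited_type = b + off; off += 16; }
    /* SID: Revision, SubAuthorityCount, 6-byte authority, 4 bytes per sub-authority */
    if (size - off < 8 || b[off] != 1 || b[off + 1] > 15) return -5;
    o->sid_len = 8 + 4 * (size_t)b[off + 1];
    if (size - off < o->sid_len) return -5;
    o->sid = b + off; off += o->sid_len;
    o->app_data = b + off; o->app_len = size - off;      /* rest of the ACE */
    o->conditional = o->app_len >= 4 && memcmp(o->app_data, "artx", 4) == 0;
    return 0;
}

/* Constructed sample: allowed callback object ACE for S-1-1-0 with a made-up
   ObjectType GUID; the bytes after "artx" are padding, not a real expression. */
static const uint8_t SAMPLE_ACE[] = {
    0x0B, 0x00, 0x30, 0x00,  0x00, 0x01, 0x00, 0x00,  0x01, 0x00, 0x00, 0x00,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x00,
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,  0x00, 0x00, 0x00, 0x00,
    'a', 'r', 't', 'x', 0x00, 0x00, 0x00, 0x00 };

int main(void) {
    cb_object_ace a;
    int rc = parse_cb_object_ace(SAMPLE_ACE, sizeof SAMPLE_ACE, &a);
    printf("rc=%d sid_len=%zu app_len=%zu conditional=%d\n", rc, a.sid_len, a.app_len, a.conditional);
    return rc;
}
```

The parser only validates layout; it does not evaluate the conditional expression or reproduce how the Windows access check treats these ACE types.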

I would suggest addressing your question here: https://docs.microsoft.com/en-us/answers/topics/openspecs-windows.html. That forum is dedicated to OpenSpecs and [MS-DTYP] specifically.


Thank you very much, I will post it there tomorrow.

Best regards
Yury Strozhevsky


Made this question with additional "OpenSpecs" tag.


VickyWang-MFST answered

Hi,

Thank you for posting in our forum.

Are all your tests tested by C++ code?

Can you test the things you describe through the graphical user interface?

You can confirm these problems first, which is more convenient for troubleshooting later.

Best wishes
Vicky

VickyWang-MFST answered YuryStrozhevsky commented

Hi,
How are things going? Could you please send me an update so that we can continue to work on this problem and resolve it? Thanks for your help.
Best wishes
Vicky


Hello,

Sorry I missed your first request. No, I can’t check this via UI just because such ACEs don’t display in the UI.

Best regards
Yury Strozhevsky

VickyWang-MFST answered YuryStrozhevsky commented

Hi,

Thank you for waiting and for your reply. If you can't check through the UI only, you may need the C++ team to test it.

Hope this information can help you

Best wishes

Vicky



Thanks for answering. How can I get support from the “C++ team”?

Best regards
Yury Strozhevsky

VickyWang-MFST answered YuryStrozhevsky commented

Hi,

Thank you for your patience and reply.

For the C++ team, you can refer to the link below:

https://www.cplusplus.com/forum/

https://www.cplusplus.com/forum/beginner/

Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.

Hope this information can help you

Best wishes

Vicky


My question is about "why something is not working inside a common Windows API", not about C++ in general. So, in order to solve my question I need to have a person with direct access to the Windows source code. If you have any such contact then please provide it.

Best regards,
Yury Strozhevsky
