[SYSSETUP][INF] Add password setup to the security profile

2024-12-28 10:04:49 +00:00 · 2021-01-24 15:28:23 +01:00 · 2021-01-24 15:28:23 +01:00 · 83f3bd8bd6
commit 83f3bd8bd6
parent f63401060d
3 changed files with 227 additions and 1 deletions
--- a/dll/win32/syssetup/security.c
+++ b/dll/win32/syssetup/security.c
@ -18,6 +18,8 @@
 #define NDEBUG
 #include <debug.h>

+#define TICKS_PER_DAY -864000000000LL
+
 /* FUNCTIONS ****************************************************************/

 NTSTATUS
@ -756,6 +758,210 @@ ApplyEventlogSettings(
 }


+static
+VOID
+ApplyPasswordSettings(
+    _In_ HINF hSecurityInf,
+    _In_ PWSTR pszSectionName)
+{
+    INFCONTEXT InfContext;
+    DOMAIN_PASSWORD_INFORMATION PasswordInfo;
+    PPOLICY_ACCOUNT_DOMAIN_INFO OrigInfo = NULL;
+    LSA_OBJECT_ATTRIBUTES ObjectAttributes;
+    LSA_HANDLE PolicyHandle = NULL;
+    SAM_HANDLE ServerHandle = NULL;
+    SAM_HANDLE DomainHandle = NULL;
+    INT nValue;
+    NTSTATUS Status;
+
+    DPRINT("ApplyPasswordSettings()\n");
+
+    memset(&ObjectAttributes, 0, sizeof(LSA_OBJECT_ATTRIBUTES));
+    ObjectAttributes.Length = sizeof(LSA_OBJECT_ATTRIBUTES);
+
+    Status = LsaOpenPolicy(NULL,
+                           &ObjectAttributes,
+                           POLICY_VIEW_LOCAL_INFORMATION | POLICY_TRUST_ADMIN,
+                           &PolicyHandle);
+    if (Status != STATUS_SUCCESS)
+    {
+        DPRINT1("LsaOpenPolicy() failed (Status: 0x%08lx)\n", Status);
+        return;
+    }
+
+    Status = LsaQueryInformationPolicy(PolicyHandle,
+                                       PolicyAccountDomainInformation,
+                                       (PVOID *)&OrigInfo);
+    if (!NT_SUCCESS(Status))
+    {
+        DPRINT1("LsaQueryInformationPolicy() failed (Status: 0x%08lx)\n", Status);
+        goto done;
+    }
+
+    Status = SamConnect(NULL,
+                        &ServerHandle,
+                        SAM_SERVER_CONNECT | SAM_SERVER_LOOKUP_DOMAIN,
+                        NULL);
+    if (!NT_SUCCESS(Status))
+    {
+        DPRINT1("SamConnect() failed (Status: 0x%08lx)\n", Status);
+        goto done;
+    }
+
+    Status = SamOpenDomain(ServerHandle,
+                           DOMAIN_READ_PASSWORD_PARAMETERS | DOMAIN_WRITE_PASSWORD_PARAMS,
+                           OrigInfo->DomainSid,
+                           &DomainHandle);
+    if (!NT_SUCCESS(Status))
+    {
+        DPRINT1("SamOpenDomain() failed (Status: 0x%08lx)\n", Status);
+        goto done;
+    }
+
+    Status = SamQueryInformationDomain(DomainHandle,
+                                       DomainPasswordInformation,
+                                       (PVOID*)&PasswordInfo);
+    if (!NT_SUCCESS(Status))
+    {
+        DPRINT1("SamQueryInformationDomain() failed (Status %08lx)\n", Status);
+        goto done;
+    }
+
+    DPRINT("MaximumPasswordAge (OldValue) : 0x%I64x\n", PasswordInfo.MaxPasswordAge.QuadPart);
+    if (SetupFindFirstLineW(hSecurityInf,
+                            pszSectionName,
+                            L"MaximumPasswordAge",
+                            &InfContext))
+    {
+        if (SetupGetIntField(&InfContext, 1, &nValue))
+        {
+            DPRINT("Value: %ld\n", nValue);
+            if (nValue == -1)
+            {
+                PasswordInfo.MaxPasswordAge.QuadPart = 0x8000000000000000;
+            }
+            else if ((nValue >= 1) && (nValue < 1000))
+            {
+                PasswordInfo.MaxPasswordAge.QuadPart = (LONGLONG)nValue * TICKS_PER_DAY;
+            }
+            DPRINT("MaximumPasswordAge (NewValue) : 0x%I64x\n", PasswordInfo.MaxPasswordAge.QuadPart);
+        }
+    }
+
+    DPRINT("MinimumPasswordAge (OldValue) : 0x%I64x\n", PasswordInfo.MinPasswordAge.QuadPart);
+    if (SetupFindFirstLineW(hSecurityInf,
+                            pszSectionName,
+                            L"MinimumPasswordAge",
+                            &InfContext))
+    {
+        if (SetupGetIntField(&InfContext, 1, &nValue))
+        {
+            DPRINT("Wert: %ld\n", nValue);
+            if ((nValue >= 0) && (nValue < 1000))
+            {
+                if (PasswordInfo.MaxPasswordAge.QuadPart < (LONGLONG)nValue * TICKS_PER_DAY)
+                    PasswordInfo.MinPasswordAge.QuadPart = (LONGLONG)nValue * TICKS_PER_DAY;
+            }
+            DPRINT("MinimumPasswordAge (NewValue) : 0x%I64x\n", PasswordInfo.MinPasswordAge.QuadPart);
+        }
+    }
+
+    DPRINT("MinimumPasswordLength (OldValue) : %lu\n", PasswordInfo.MinPasswordLength);
+    if (SetupFindFirstLineW(hSecurityInf,
+                            pszSectionName,
+                            L"MinimumPasswordLength",
+                            &InfContext))
+    {
+        if (SetupGetIntField(&InfContext, 1, &nValue))
+        {
+            DPRINT("Value: %ld\n", nValue);
+            if ((nValue >= 0) && (nValue <= 65535))
+            {
+                PasswordInfo.MinPasswordLength = nValue;
+            }
+            DPRINT("MinimumPasswordLength (NewValue) : %lu\n", PasswordInfo.MinPasswordLength);
+        }
+    }
+
+    DPRINT("PasswordHistoryLength (OldValue) : %lu\n", PasswordInfo.PasswordHistoryLength);
+    if (SetupFindFirstLineW(hSecurityInf,
+                            pszSectionName,
+                            L"PasswordHistorySize",
+                            &InfContext))
+    {
+        if (SetupGetIntField(&InfContext, 1, &nValue))
+        {
+            DPRINT("Value: %ld\n", nValue);
+            if ((nValue >= 0) && (nValue <= 65535))
+            {
+                PasswordInfo.PasswordHistoryLength = nValue;
+            }
+            DPRINT("PasswordHistoryLength (NewValue) : %lu\n", PasswordInfo.PasswordHistoryLength);
+        }
+    }
+
+    if (SetupFindFirstLineW(hSecurityInf,
+                            pszSectionName,
+                            L"PasswordComplexity",
+                            &InfContext))
+    {
+        if (SetupGetIntField(&InfContext, 1, &nValue))
+        {
+            if (nValue == 0)
+            {
+                PasswordInfo.PasswordProperties &= ~DOMAIN_PASSWORD_COMPLEX;
+            }
+            else
+            {
+                PasswordInfo.PasswordProperties |= DOMAIN_PASSWORD_COMPLEX;
+            }
+        }
+    }
+
+    if (SetupFindFirstLineW(hSecurityInf,
+                            pszSectionName,
+                            L"ClearTextPassword",
+                            &InfContext))
+    {
+        if (SetupGetIntField(&InfContext, 1, &nValue))
+        {
+            if (nValue == 0)
+            {
+                PasswordInfo.PasswordProperties &= ~DOMAIN_PASSWORD_STORE_CLEARTEXT;
+            }
+            else
+            {
+                PasswordInfo.PasswordProperties |= DOMAIN_PASSWORD_STORE_CLEARTEXT;
+            }
+        }
+    }
+
+    /* Windows ignores the RequireLogonToChangePassword option */
+
+    Status = SamSetInformationDomain(DomainHandle,
+                                     DomainPasswordInformation,
+                                     (PVOID*)&PasswordInfo);
+    if (!NT_SUCCESS(Status))
+    {
+        DPRINT1("SamSetInformationDomain() failed (Status %08lx)\n", Status);
+        goto done;
+    }
+
+done:
+    if (DomainHandle != NULL)
+        SamCloseHandle(DomainHandle);
+
+    if (ServerHandle != NULL)
+        SamCloseHandle(ServerHandle);
+
+    if (OrigInfo != NULL)
+        LsaFreeMemory(OrigInfo);
+
+    if (PolicyHandle != NULL)
+        LsaClose(PolicyHandle);
+}
+
+
 static
 VOID
 ApplyAuditEvents(
@ -922,6 +1128,8 @@ InstallSecurity(VOID)
        ApplyEventlogSettings(hSecurityInf, L"Security Log", L"Security");
        ApplyEventlogSettings(hSecurityInf, L"System Log", L"System");

+        ApplyPasswordSettings(hSecurityInf, L"System Access");
+
        ApplyAuditEvents(hSecurityInf);

        SetupCloseInfFile(hSecurityInf);
--- a/media/inf/defltsv.inf
+++ b/media/inf/defltsv.inf
@ -4,6 +4,15 @@
 [Version]
 Signature = "$Windows NT$"

+[System Access]
+MinimumPasswordAge = 0
+MaximumPasswordAge = 42
+MinimumPasswordLength = 0
+PasswordComplexity = 0
+PasswordHistorySize = 0
+RequireLogonToChangePassword = 0
+ClearTextPassword = 0
+
 [Application Log]
 MaximumLogSize = 16384
 AuditLogRetentionPeriod = 0
--- a/media/inf/defltwk.inf
+++ b/media/inf/defltwk.inf
@ -4,6 +4,15 @@
 [Version]
 Signature = "$Windows NT$"

+[System Access]
+MinimumPasswordAge = 0
+MaximumPasswordAge = 42
+MinimumPasswordLength = 0
+PasswordComplexity = 0
+PasswordHistorySize = 0
+RequireLogonToChangePassword = 0
+ClearTextPassword = 0
+
 [Application Log]
 MaximumLogSize = 512
 AuditLogRetentionPeriod = 1
@ -38,8 +47,8 @@ SeAuditPrivilege = *S-1-5-19, *S-1-5-20
 SeBackupPrivilege = *S-1-5-32-544, *S-1-5-32-551
 SeBatchLogonRight = 
 SeChangeNotifyPrivilege = *S-1-1-0, *S-1-5-32-544, *S-1-5-32-545, *S-1-5-32-551
-SeCreatePagefilePrivilege = *S-1-5-32-544
 SeCreateGlobalPrivilege = *S-1-5-4, *S-1-5-6, *S-1-5-32-544
+SeCreatePagefilePrivilege = *S-1-5-32-544
 SeCreatePermanentPrivilege =
 SeCreateTokenPrivilege =
 SeDebugPrivilege = *S-1-5-32-544