[SYSSETUP][INF] Add lockout setup to the security profile

This commit is contained in:
Eric Kohl 2021-01-24 21:35:33 +01:00
parent 83f3bd8bd6
commit c0caa5c0ae
3 changed files with 153 additions and 0 deletions

View file

@ -19,6 +19,7 @@
#include <debug.h>
#define TICKS_PER_DAY -864000000000LL
#define TICKS_PER_SECOND -600000000LL
/* FUNCTIONS ****************************************************************/
@ -962,6 +963,145 @@ done:
}
static
VOID
ApplyLockoutSettings(
_In_ HINF hSecurityInf,
_In_ PWSTR pszSectionName)
{
INFCONTEXT InfContext;
DOMAIN_LOCKOUT_INFORMATION LockoutInfo;
PPOLICY_ACCOUNT_DOMAIN_INFO OrigInfo = NULL;
LSA_OBJECT_ATTRIBUTES ObjectAttributes;
LSA_HANDLE PolicyHandle = NULL;
SAM_HANDLE ServerHandle = NULL;
SAM_HANDLE DomainHandle = NULL;
INT nValue;
NTSTATUS Status;
DPRINT("ApplyLockoutSettings()\n");
memset(&ObjectAttributes, 0, sizeof(LSA_OBJECT_ATTRIBUTES));
ObjectAttributes.Length = sizeof(LSA_OBJECT_ATTRIBUTES);
Status = LsaOpenPolicy(NULL,
&ObjectAttributes,
POLICY_VIEW_LOCAL_INFORMATION | POLICY_TRUST_ADMIN,
&PolicyHandle);
if (Status != STATUS_SUCCESS)
{
DPRINT1("LsaOpenPolicy() failed (Status: 0x%08lx)\n", Status);
return;
}
Status = LsaQueryInformationPolicy(PolicyHandle,
PolicyAccountDomainInformation,
(PVOID *)&OrigInfo);
if (!NT_SUCCESS(Status))
{
DPRINT1("LsaQueryInformationPolicy() failed (Status: 0x%08lx)\n", Status);
goto done;
}
Status = SamConnect(NULL,
&ServerHandle,
SAM_SERVER_CONNECT | SAM_SERVER_LOOKUP_DOMAIN,
NULL);
if (!NT_SUCCESS(Status))
{
DPRINT1("SamConnect() failed (Status: 0x%08lx)\n", Status);
goto done;
}
Status = SamOpenDomain(ServerHandle,
DOMAIN_READ_PASSWORD_PARAMETERS | DOMAIN_WRITE_PASSWORD_PARAMS,
OrigInfo->DomainSid,
&DomainHandle);
if (!NT_SUCCESS(Status))
{
DPRINT1("SamOpenDomain() failed (Status: 0x%08lx)\n", Status);
goto done;
}
Status = SamQueryInformationDomain(DomainHandle,
DomainLockoutInformation,
(PVOID*)&LockoutInfo);
if (!NT_SUCCESS(Status))
{
DPRINT1("SamQueryInformationDomain() failed (Status %08lx)\n", Status);
goto done;
}
if (SetupFindFirstLineW(hSecurityInf,
pszSectionName,
L"LockoutBadCount",
&InfContext))
{
if (SetupGetIntField(&InfContext, 1, &nValue))
{
if (nValue >= 0)
{
LockoutInfo.LockoutThreshold = nValue;
}
}
}
if (SetupFindFirstLineW(hSecurityInf,
pszSectionName,
L"ResetLockoutCount",
&InfContext))
{
if (SetupGetIntField(&InfContext, 1, &nValue))
{
if (nValue >= 0)
{
LockoutInfo.LockoutObservationWindow.QuadPart = (LONGLONG)nValue * TICKS_PER_SECOND;
}
}
}
if (SetupFindFirstLineW(hSecurityInf,
pszSectionName,
L"LockoutDuration",
&InfContext))
{
if (SetupGetIntField(&InfContext, 1, &nValue))
{
if (nValue == -1)
{
LockoutInfo.LockoutDuration.QuadPart = 0x8000000000000000LL;
}
else if ((nValue >= 0) && (nValue < 100000))
{
LockoutInfo.LockoutDuration.QuadPart = (LONGLONG)nValue * TICKS_PER_SECOND;
}
}
}
Status = SamSetInformationDomain(DomainHandle,
DomainLockoutInformation,
(PVOID*)&LockoutInfo);
if (!NT_SUCCESS(Status))
{
DPRINT1("SamSetInformationDomain() failed (Status %08lx)\n", Status);
goto done;
}
done:
if (DomainHandle != NULL)
SamCloseHandle(DomainHandle);
if (ServerHandle != NULL)
SamCloseHandle(ServerHandle);
if (OrigInfo != NULL)
LsaFreeMemory(OrigInfo);
if (PolicyHandle != NULL)
LsaClose(PolicyHandle);
}
static
VOID
ApplyAuditEvents(
@ -1129,6 +1269,7 @@ InstallSecurity(VOID)
ApplyEventlogSettings(hSecurityInf, L"System Log", L"System");
ApplyPasswordSettings(hSecurityInf, L"System Access");
ApplyLockoutSettings(hSecurityInf, L"System Access");
ApplyAuditEvents(hSecurityInf);

View file

@ -5,6 +5,7 @@
Signature = "$Windows NT$"
[System Access]
; Password Options
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
@ -13,6 +14,11 @@ PasswordHistorySize = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
; Lockout Options
LockoutBadCount = 0
;ResetLockoutCount = 30
;LockoutDuration = 30
[Application Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 0

View file

@ -5,6 +5,7 @@
Signature = "$Windows NT$"
[System Access]
; Password Options
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
@ -13,6 +14,11 @@ PasswordHistorySize = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
; Lockout Options
LockoutBadCount = 0
;ResetLockoutCount = 30
;LockoutDuration = 30
[Application Log]
MaximumLogSize = 512
AuditLogRetentionPeriod = 1