From c0caa5c0aeed5f20b4af12f1fdcd46f1db6db0d2 Mon Sep 17 00:00:00 2001
From: Eric Kohl
Date: Sun, 24 Jan 2021 21:35:33 +0100
Subject: [PATCH] [SYSSETUP][INF] Add lockout setup to the security profile
---
 dll/win32/syssetup/security.c | 141 ++++++++++++++++++++++++++++++++++
 media/inf/defltsv.inf | 6 ++
 media/inf/defltwk.inf | 6 ++
 3 files changed, 153 insertions(+)
diff --git a/dll/win32/syssetup/security.c b/dll/win32/syssetup/security.c
index d92c201831d..4a2f0b41e29 100644
--- a/dll/win32/syssetup/security.c
+++ b/dll/win32/syssetup/security.c
@@ -19,6 +19,7 @@
 #include
 #define TICKS_PER_DAY -864000000000LL
+#define TICKS_PER_SECOND -600000000LL
 /* FUNCTIONS ****************************************************************/
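Review bot: `TICKS_PER_SECOND` is defined as -600000000LL, but in the 100 ns unit that `TICKS_PER_DAY` (-864000000000LL) implies, that is 60 seconds, so the name understates the constant by a factor of 60. The value itself looks intended, since ApplyLockoutSettings multiplies INF values by it that are presumably expressed in minutes. Renaming it to `#define TICKS_PER_MINUTE (-600000000LL)` with a comment such as `/* negative: relative time in 100 ns units */` would stop a later reader from "correcting" the number and silently shrinking the lockout window and duration sixtyfold. Parenthesising the negative literal also keeps the macro safe inside larger expressions.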
@@ -962,6 +963,145 @@ done:
 }
+static
+VOID
+ApplyLockoutSettings(
+ _In_ HINF hSecurityInf,
+ _In_ PWSTR pszSectionName)
+{
+ INFCONTEXT InfContext;
+ DOMAIN_LOCKOUT_INFORMATION LockoutInfo;
+ PPOLICY_ACCOUNT_DOMAIN_INFO OrigInfo = NULL;
+ LSA_OBJECT_ATTRIBUTES ObjectAttributes;
+ LSA_HANDLE PolicyHandle = NULL;
+ SAM_HANDLE ServerHandle = NULL;
+ SAM_HANDLE DomainHandle = NULL;
+ INT nValue;
+ NTSTATUS Status;
+
+ DPRINT("ApplyLockoutSettings()\n");
+
+ memset(&ObjectAttributes, 0, sizeof(LSA_OBJECT_ATTRIBUTES));
+ ObjectAttributes.Length = sizeof(LSA_OBJECT_ATTRIBUTES);
+
+ Status = LsaOpenPolicy(NULL,
+ &ObjectAttributes,
+ POLICY_VIEW_LOCAL_INFORMATION | POLICY_TRUST_ADMIN,
+ &PolicyHandle);
+ if (Status != STATUS_SUCCESS)
+ {
+ DPRINT1("LsaOpenPolicy() failed (Status: 0x%08lx)\n", Status);
+ return;
+ }
+
+ Status = LsaQueryInformationPolicy(PolicyHandle,
+ PolicyAccountDomainInformation,
+ (PVOID *)&OrigInfo);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("LsaQueryInformationPolicy() failed (Status: 0x%08lx)\n", Status);
+ goto done;
+ }
+
+ Status = SamConnect(NULL,
+ &ServerHandle,
+ SAM_SERVER_CONNECT | SAM_SERVER_LOOKUP_DOMAIN,
+ NULL);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("SamConnect() failed (Status: 0x%08lx)\n", Status);
+ goto done;
+ }
+
+ Status = SamOpenDomain(ServerHandle,
+ DOMAIN_READ_PASSWORD_PARAMETERS | DOMAIN_WRITE_PASSWORD_PARAMS,
+ OrigInfo->DomainSid,
+ &DomainHandle);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("SamOpenDomain() failed (Status: 0x%08lx)\n", Status);
+ goto done;
+ }
+
+ Status = SamQueryInformationDomain(DomainHandle,
+ DomainLockoutInformation,
+ (PVOID*)&LockoutInfo);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("SamQueryInformationDomain() failed (Status %08lx)\n", Status);
+ goto done;
+ }
+
+ if (SetupFindFirstLineW(hSecurityInf,
+ pszSectionName,
+ L"LockoutBadCount",
+ &InfContext))
+ {
+ if (SetupGetIntField(&InfContext, 1, &nValue))
+ {
+ if (nValue >= 0)
+ {
+ LockoutInfo.LockoutThreshold = nValue;
+ }
+ }
+ }
+
+ if (SetupFindFirstLineW(hSecurityInf,
+ pszSectionName,
+ L"ResetLockoutCount",
+ &InfContext))
+ {
+ if (SetupGetIntField(&InfContext, 1, &nValue))
+ {
+ if (nValue >= 0)
+ {
+ LockoutInfo.LockoutObservationWindow.QuadPart = (LONGLONG)nValue * TICKS_PER_SECOND;
+ }
+ }
+ }
+
+ if (SetupFindFirstLineW(hSecurityInf,
+ pszSectionName,
+ L"LockoutDuration",
+ &InfContext))
+ {
+ if (SetupGetIntField(&InfContext, 1, &nValue))
+ {
+ if (nValue == -1)
+ {
+ LockoutInfo.LockoutDuration.QuadPart = 0x8000000000000000LL;
+ }
+ else if ((nValue >= 0) && (nValue < 100000))
+ {
+ LockoutInfo.LockoutDuration.QuadPart = (LONGLONG)nValue * TICKS_PER_SECOND;
+ }
+ }
+ }
+
+ Status = SamSetInformationDomain(DomainHandle,
+ DomainLockoutInformation,
+ (PVOID*)&LockoutInfo);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("SamSetInformationDomain() failed (Status %08lx)\n", Status);
+ goto done;
+ }
+
+done:
+ if (DomainHandle != NULL)
+ SamCloseHandle(DomainHandle);
+
+ if (ServerHandle != NULL)
+ SamCloseHandle(ServerHandle);
+
+ if (OrigInfo != NULL)
+ LsaFreeMemory(OrigInfo);
+
+ if (PolicyHandle != NULL)
+ LsaClose(PolicyHandle);
+}
+
+
 static VOID ApplyAuditEvents(
@@ -1129,6 +1269,7 @@ InstallSecurity(VOID)
 ApplyEventlogSettings(hSecurityInf, L"System Log", L"System");
 ApplyPasswordSettings(hSecurityInf, L"System Access");
+ ApplyLockoutSettings(hSecurityInf, L"System Access");
 ApplyAuditEvents(hSecurityInf);
diff --git a/media/inf/defltsv.inf b/media/inf/defltsv.inf
index ce3b7d78ba6..8aba23b7a60 100644
--- a/media/inf/defltsv.inf
+++ b/media/inf/defltsv.inf
@@ -5,6 +5,7 @@ Signature = "$Windows NT$"
 [System Access]
+; Password Options
 MinimumPasswordAge = 0
 MaximumPasswordAge = 42
 MinimumPasswordLength = 0
@@ -13,6 +14,11 @@ PasswordHistorySize = 0
 RequireLogonToChangePassword = 0
 ClearTextPassword = 0
+; Lockout Options
+LockoutBadCount = 0
+;ResetLockoutCount = 30
+;LockoutDuration = 30
+
 [Application Log]
 MaximumLogSize = 16384
 AuditLogRetentionPeriod = 0
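Review bot: In ApplyLockoutSettings (dll/win32/syssetup/security.c), `LockoutInfo` is a `DOMAIN_LOCKOUT_INFORMATION` structure on the stack, yet its address is passed as `(PVOID*)&LockoutInfo` to SamQueryInformationDomain, whose out-parameter — judging by that cast and the usual SAM client contract — receives a pointer to a newly allocated buffer rather than the data itself. If so, the call stores a pointer over the start of the structure, the returned buffer is never freed, and every field the INF does not set is uninitialised stack data when it is written back with SamSetInformationDomain. The shipped profiles set only `LockoutBadCount`, so the lockout duration and observation window would be undefined. Declaring a pointer, assigning through it, passing the pointer itself to the set call and freeing it under `done:` fixes this, as sketched below. Separately, `LockoutBadCount` and `ResetLockoutCount` accept any non-negative INT while `LockoutDuration` is capped below 100000, so an upper bound on those two would prevent truncation if the target fields are narrower.

```c
    PDOMAIN_LOCKOUT_INFORMATION LockoutInfo = NULL;
    /* ... unchanged: other locals, LsaOpenPolicy, LsaQueryInformationPolicy, SamConnect, SamOpenDomain ... */
    /* ... unchanged: SamQueryInformationDomain call and status check; &LockoutInfo is now the address of a pointer ... */

    /* ... unchanged: the three INF lookups; each assignment goes through the pointer ... */
                LockoutInfo->LockoutThreshold = nValue;
                LockoutInfo->LockoutObservationWindow.QuadPart = (LONGLONG)nValue * TICKS_PER_SECOND;
                LockoutInfo->LockoutDuration.QuadPart = (LONGLONG)nValue * TICKS_PER_SECOND;

    Status = SamSetInformationDomain(DomainHandle,
                                     DomainLockoutInformation,
                                     LockoutInfo);
    /* ... unchanged: status check ... */

done:
    if (LockoutInfo != NULL)
        SamFreeMemory(LockoutInfo);
    /* ... unchanged: SamCloseHandle, LsaFreeMemory, LsaClose cleanup ... */
```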
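Review bot: `LockoutBadCount = 0` in media/inf/defltsv.inf gives the server profile a lockout threshold of zero, which under the usual SAM semantics means accounts are never locked out, and the new `; Lockout Options` comment does not say so. I would extend the comment to something like `; Lockout Options (LockoutBadCount = 0 disables lockout; ResetLockoutCount and LockoutDuration are in minutes)`; the unit is inferred from the multiplier used in security.c and should be confirmed. The same applies to the matching hunk in media/inf/defltwk.inf. Because the other two keys are commented out, ApplyLockoutSettings leaves those fields at whatever the preceding SAM query produced, so the effective window and duration depend on that query being correct.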
diff --git a/media/inf/defltwk.inf b/media/inf/defltwk.inf
index 020b59c4d26..2996a6d94ed 100644
--- a/media/inf/defltwk.inf
+++ b/media/inf/defltwk.inf
@@ -5,6 +5,7 @@ Signature = "$Windows NT$"
 [System Access]
+; Password Options
 MinimumPasswordAge = 0
 MaximumPasswordAge = 42
 MinimumPasswordLength = 0
@@ -13,6 +14,11 @@ PasswordHistorySize = 0
 RequireLogonToChangePassword = 0
 ClearTextPassword = 0
+; Lockout Options
+LockoutBadCount = 0
+;ResetLockoutCount = 30
+;LockoutDuration = 30
+
 [Application Log]
 MaximumLogSize = 512
 AuditLogRetentionPeriod = 1