02_interactive_logon_check.cpp
#include <windows.h>
#include <stdio.h>
#include <ntsecapi.h>
// Forward declarations for the helpers defined after main().

// Checks the interactive-logon rights assigned to the built-in Administrators alias.
BOOL IsInteractiveLogon();
// Returns TRUE when pSid's assigned rights include lpszAccountRights and do not
// include lpszDenyAccountRights.
BOOL CheckAccountRights(PSID pSid, LPCWSTR lpszAccountRights, LPCWSTR lpszDenyAccountRights);
// Reports whether the Administrators group is permitted to log on interactively.
//
// Exit code: 0 when IsInteractiveLogon() returns TRUE, -1 otherwise. -1 is also
// returned when the caller's token is not an Administrators member, so the exit
// code alone does not distinguish "not permitted" from "could not check".
//
// NOTE(review): SHTestTokenMembership is declared in <shlobj.h>, which is not
// among the includes visible in this listing - confirm the build pulls it in.
int main()
{
    // The LSA policy is opened later, so refuse to continue unless the token
    // tests as a member of Administrators.
    const BOOL bIsAdmin = SHTestTokenMembership(NULL, DOMAIN_ALIAS_RID_ADMINS);
    if (!bIsAdmin) {
        // "Run as administrator; this is needed for LsaOpenPolicy."
        printf("LsaOpenPolicyのため管理者として実行してください。");
        return -1;
    }

    int nExitCode;
    const BOOL bAllowed = IsInteractiveLogon();
    if (!bAllowed) {
        // "The Administrators group is not permitted interactive logon."
        printf("Administratorsグループは対話型ログオンが許可されない");
        nExitCode = -1;
    }
    else {
        // "The Administrators group is permitted interactive logon."
        printf("Administratorsグループは対話型ログオンが許可される");
        nExitCode = 0;
    }

#ifdef _DEBUG
    // Debug builds pause on a message box ("Exiting.") before returning.
    MessageBox(NULL, L"終了します。", L"OK", 0);
#endif

    return nExitCode;
}
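// Builds the SID of the built-in Administrators alias and asks
// CheckAccountRights() whether it holds SE_INTERACTIVE_LOGON_NAME without also
// holding SE_DENY_INTERACTIVE_LOGON_NAME.
//
// Returns TRUE only in that case. FALSE is returned when the right is missing,
// when the deny right is present, and also when the SID buffer cannot be
// allocated or the SID cannot be created.
BOOL IsInteractiveLogon()
{
    BOOL bResult = FALSE;
    DWORD dwSidSize = SECURITY_MAX_SID_SIZE;

    PSID pSid = (PSID)LocalAlloc(LPTR, dwSidSize);
    if (pSid == NULL) {
        return FALSE;
    }

    // Only query LSA with a SID that was actually created; on failure the
    // buffer holds zeroes rather than a valid SID.
    if (CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, pSid, &dwSidSize)) {
        bResult = CheckAccountRights(pSid, SE_INTERACTIVE_LOGON_NAME, SE_DENY_INTERACTIVE_LOGON_NAME);
    }

    LocalFree(pSid);
    return bResult;
}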
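// Compares one LSA-returned right name with an expected NUL-terminated name.
// The comparison is ordinal and case-sensitive, and it is bounded by the
// Length field (a byte count) because LSA strings are not guaranteed to be
// NUL-terminated.
static BOOL AccountRightEquals(const LSA_UNICODE_STRING *pRight, LPCWSTR lpszExpected)
{
    if (pRight->Buffer == NULL || lpszExpected == NULL) {
        return FALSE;
    }
    return CompareStringOrdinal(pRight->Buffer, (int)(pRight->Length / sizeof(WCHAR)),
                                lpszExpected, -1, FALSE) == CSTR_EQUAL;
}

// Checks the account rights assigned to pSid in the local LSA policy.
//
// Parameters:
//   pSid                  - SID whose assigned rights are enumerated.
//   lpszAccountRights     - right that must be present (e.g. SE_INTERACTIVE_LOGON_NAME).
//   lpszDenyAccountRights - right that must be absent (e.g. SE_DENY_INTERACTIVE_LOGON_NAME).
//
// Returns TRUE when the allow right is assigned and the deny right is not.
// Returns FALSE otherwise, including when the policy cannot be opened or the
// rights cannot be enumerated, so FALSE does not by itself prove a denial.
//
// Only the rights enumerated for pSid itself are examined. Whether a given
// user can log on interactively also depends on rights granted or denied to
// the other SIDs in that user's token, which are not evaluated here.
BOOL CheckAccountRights(PSID pSid, LPCWSTR lpszAccountRights, LPCWSTR lpszDenyAccountRights)
{
    ULONG i;
    ULONG uCount = 0;
    NTSTATUS ns;
    LSA_HANDLE hPolicy = NULL;
    LSA_OBJECT_ATTRIBUTES objectAttributes;
    PLSA_UNICODE_STRING plsaString = NULL;
    BOOL bGranted = FALSE;
    BOOL bNotDenied = TRUE;

    ZeroMemory(&objectAttributes, sizeof(LSA_OBJECT_ATTRIBUTES));
    objectAttributes.Length = sizeof(LSA_OBJECT_ATTRIBUTES);

    // NULL system name opens the policy of the local machine.
    ns = LsaOpenPolicy(NULL, &objectAttributes, POLICY_LOOKUP_NAMES, &hPolicy);
    if (LsaNtStatusToWinError(ns) != ERROR_SUCCESS) {
        return FALSE;
    }

    ns = LsaEnumerateAccountRights(hPolicy, pSid, &plsaString, &uCount);
    if (LsaNtStatusToWinError(ns) == ERROR_SUCCESS) {
        for (i = 0; i < uCount; i++) {
            if (AccountRightEquals(&plsaString[i], lpszAccountRights)) {
                bGranted = TRUE;
            }
            else if (AccountRightEquals(&plsaString[i], lpszDenyAccountRights)) {
                bNotDenied = FALSE;
            }
        }
        LsaFreeMemory(plsaString);
    }

    // Release the policy handle on every path that opened it.
    LsaClose(hPolicy);

    return bGranted && bNotDenied;
}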