[cifs-protocol] [MS-SAMR] SamrSetInformationUser2 over an authenticated DCERPC connection [119040819792364]

Obaid Farooqi obaidf at microsoft.com
Mon Apr 29 05:05:31 UTC 2019


Hi Andreas:
As noted in section "5.1 Security Considerations for Implementers", Windows does not use transport-level security for this protocol, as follows:

"... Although
this protocol does not use transport-level encryption (with the exception of SamrValidatePassword), it
does rely on the key strength of the SMB transport for encrypting cleartext data.
Using SamrSetInformationUser2 with UserInternal4InformationNew and UserInternal5InformationNew
is the best choice that a client can make for setting a cleartext password through this protocol,
because the cryptography used is the strongest in this protocol."

I was wondering where the following information that you mentioned is documented:

"
The reauth using DCERPC is required if an admin has restricted anonymous SAMR access.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

with the following values:
      Value Name: RestrictAnonymous
      Value Name: RestrictAnonymousSAM

in that case samr_Connect2() doesn't allow anonymous and will fail with ACCESS_DENIED. This means you need to use an authenticated DCERPC connection to connect to samr."

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Andreas Schneider <asn at samba.org> 
Sent: Friday, April 26, 2019 3:21 AM
To: Obaid Farooqi <obaidf at microsoft.com>
Cc: cifs-protocol <cifs-protocol at lists.samba.org>; support at mail.support.microsoft.com
Subject: Re: [MS-SAMR] SamrSetInformationUser2 over an authenticated DCERPC connection [119040819792364]

On Thursday, April 25, 2019 7:40:57 PM CEST Obaid Farooqi wrote:
> Hi Andreas:

Hi Obaid,

> I have filed a bug to document this behavior.
> The reason the SMB session key does not work in the case of an authenticated SAMR
> bind is that the query to get the SMB session key fails, since the SMB
> session key is queried using the id for the login session. Since you log in
> again for SAMR, the id for the login session is different from the SMB
> logon session. Due to this failure, the RPC is assumed to be local and SystemLibraryDTC is used.

The reauth using DCERPC is required if an admin has restricted anonymous SAMR access.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

with the following values:
      Value Name: RestrictAnonymous
      Value Name: RestrictAnonymousSAM

in that case samr_Connect2() doesn't allow anonymous and will fail with ACCESS_DENIED. This means you need to use an authenticated DCERPC connection to connect to samr.

So probably the code could be improved to check if the SMB connection is already authenticated and then allow anonymous access to samr :-)

> Jay Simmons describes this well in the thread that was mentioned by Metze.
> I am copying that link from his email and reproducing it here:
> https://lists.samba.org/archive/cifs-protocol/2012-June/002343.html
> 
> 
> Please let me know if this does not answer your question.

Ok, this is what we discovered too. However, using "SystemLibraryDTC" works on Windows Server 2012 and newer. It doesn't work on Windows Server 2008R2; what is the difference there?


Thanks for your help!

Best regards,


	Andreas

-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
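The session-key dependency the thread turns on, shown as an added example (not code from the thread, from Samba or from Windows): the password buffer for SamrSetInformationUser2 with UserInternal4InformationNew/UserInternal5InformationNew is encrypted under a key derived from the SMB or DCERPC session key, so a client that derives it from the wrong session (the failure Obaid describes) produces a buffer the server cannot decrypt. The buffer layout assumed here is the SAMPR_ENCRYPTED_USER_PASSWORD_NEW form (512-byte right-aligned UTF-16LE password plus 4-byte length, RC4 under MD5(salt || session key), 16-byte cleartext salt appended); the session keys and salt below are constructed sample values.

```python
import hashlib
import os
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encrypt_user_password_new(password: str, session_key: bytes, salt: bytes) -> bytes:
    """Client side: build the 532-byte SAMPR_ENCRYPTED_USER_PASSWORD_NEW buffer.
    Assumed layout: 512 bytes holding the UTF-16LE password right-aligned after
    random fill, a 4-byte little-endian byte length, RC4-encrypted under
    MD5(salt || session_key), then the 16-byte salt sent in the clear."""
    pw = password.encode("utf-16-le")
    if len(pw) > 512 or len(salt) != 16:
        raise ValueError("password too long or salt not 16 bytes")
    plain = os.urandom(512 - len(pw)) + pw + struct.pack("<I", len(pw))
    key = hashlib.md5(salt + session_key).digest()
    return rc4(key, plain) + salt


def decrypt_user_password_new(buf: bytes, session_key: bytes):
    """Server side inverse. Returns the password, or None when the decrypted
    length field is implausible, which is what the server sees when the client
    keyed the buffer with a different session key than the one the server holds."""
    if len(buf) != 532:
        raise ValueError("expected a 532-byte buffer")
    salt = buf[516:]
    plain = rc4(hashlib.md5(salt + session_key).digest(), buf[:516])
    length = struct.unpack("<I", plain[512:])[0]
    if length > 512 or length % 2:
        return None
    try:
        return plain[512 - length:512].decode("utf-16-le")
    except UnicodeDecodeError:
        return None
```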