[cifs-protocol] [MS-SAMR] SamrSetInformationUser2 over an authenticated DCERPC connection [119040819792364]

Obaid Farooqi obaidf at microsoft.com
Mon May 6 18:41:34 UTC 2019


Hi Andreas:
Couple of questions for you:
1. Is there a way in your rpcclient to use RPC_C_AUTHN_LEVEL_NONE? I know [Seal] will cause RPC_C_AUTHN_LEVEL_PKT_PRIVACY. Is there a similar option for RPC_C_AUTHN_LEVEL_NONE?
2. You mentioned WS2008R2 behaves differently. Does that mean WS2008R2 changes the password successfully when RPC_C_AUTHN_LEVEL_PKT_PRIVACY is used with the SMB session key?

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at ramagane at Microsoft dot com

-----Original Message-----
From: Obaid Farooqi 
Sent: Monday, April 29, 2019 12:06 AM
To: Andreas Schneider <asn at samba.org>
Cc: cifs-protocol <cifs-protocol at lists.samba.org>; support at mail.support.microsoft.com
Subject: RE: [MS-SAMR] SamrSetInformationUser2 over an authenticated DCERPC connection [119040819792364]

Hi Andreas:
As noted in section "5.1 Security Considerations for Implementers", Windows does not use transport-level security for this protocol, as follows:

"... Although this protocol does not use transport-level encryption (with the exception of SamrValidatePassword), it does rely on the key strength of the SMB transport for encrypting cleartext data. Using SamrSetInformationUser2 with UserInternal4InformationNew and UserInternal5InformationNew is the best choice that a client can make for setting a cleartext password through this protocol, because the cryptography used is the strongest in this protocol."

I was wondering where the following information that you mentioned is documented:

"
The reauth using DCERPC is required if an admin has restricted anonymous SAMR access.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

with the following values:
      Value Name: RestrictAnonymous
      Value Name: RestrictAnonymousSAM

in that case samr_Connect2() doesn't allow anonymous and will fail with ACCESS_DENIED. This means you need to use an authenticated DCERPC connection to connect to samr."

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Andreas Schneider <asn at samba.org>
Sent: Friday, April 26, 2019 3:21 AM
To: Obaid Farooqi <obaidf at microsoft.com>
Cc: cifs-protocol <cifs-protocol at lists.samba.org>; support at mail.support.microsoft.com
Subject: Re: [MS-SAMR] SamrSetInformationUser2 over an authenticated DCERPC connection [119040819792364]

On Thursday, April 25, 2019 7:40:57 PM CEST Obaid Farooqi wrote:
> Hi Andreas:

Hi Obaid,

> I have filed a bug to document this behavior.
> The reason the SMB session key does not work in the case of an authenticated SAMR 
> bind is that the query to get the SMB session key fails, since the SMB 
> session key is queried using the id for the login session. Since you log in 
> again for SAMR, the id for the login session is different from the SMB 
> logon session. Due to this failure, the RPC is assumed to be local and SystemLibraryDTC is used.

The reauth using DCERPC is required if an admin has restricted anonymous SAMR access.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

with the following values:
      Value Name: RestrictAnonymous
      Value Name: RestrictAnonymousSAM

in that case samr_Connect2() doesn't allow anonymous and will fail with ACCESS_DENIED. This means you need to use an authenticated DCERPC connection to connect to samr.

So probably the code could be improved to check if the SMB connection is already authenticated and then allow anonymous access to samr :-)

> Jay Simmons describes this well in the thread that was mentioned by Metze. 
> I am copying that link from his email and reproducing it here:
> https://lists.samba.org/archive/cifs-protocol/2012-June/002343.html
> 
> 
> Please let me know if this does not answer your question.

Ok, this is what we discovered too. However, using "SystemLibraryDTC" works on Windows Server 2012 and newer. It doesn't work on Windows Server 2008R2; what's the difference there?


Thanks for your help!

Best regards,


	Andreas

-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
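Both key choices the thread turns on, the SMB session key and the fixed "SystemLibraryDTC" string Windows falls back to when the session-key lookup fails, feed the same MS-SAMR password encryption. The added example below is not code from the thread, from Samba or from Microsoft: it builds and parses a SAMPR_ENCRYPTED_USER_PASSWORD_NEW buffer in Python, the sample session key is constructed, and the MD5(salt || key) input order is my reading of Samba's encode_rc4_passwd_buffer(), to be confirmed against the MS-SAMR text.

```python
import hashlib
import os
import struct

# Constructed sample key; the fixed fallback string is the one named in the thread.
SESSION_KEY = bytes(range(16))
FALLBACK_KEY = b"SystemLibraryDTC"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (the cipher MS-SAMR uses for this buffer); symmetric."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(salt: bytes, session_key: bytes) -> bytes:
    # Assumption: RC4 key = MD5(salt || session_key), salt first, as Samba's
    # encode_rc4_passwd_buffer() does it; confirm the order against MS-SAMR.
    return hashlib.md5(salt + session_key).digest()


def encode_password_new(password: str, session_key: bytes, salt: bytes = b"") -> bytes:
    """Build the 532-byte SAMPR_ENCRYPTED_USER_PASSWORD_NEW buffer."""
    pw = password.encode("utf-16-le")
    if len(pw) > 512:
        raise ValueError("password exceeds the 512-byte buffer")
    salt = salt or os.urandom(16)
    # Password is right-aligned in 512 bytes behind random filler, then LE length.
    plain = os.urandom(512 - len(pw)) + pw + struct.pack("<I", len(pw))
    return rc4(derive_key(salt, session_key), plain) + salt  # 516 encrypted + 16 clear


def decode_password_new(blob: bytes, session_key: bytes) -> str:
    """Server-side inverse: the clear salt is the trailing 16 bytes."""
    if len(blob) != 532:
        raise ValueError("bad buffer length")
    plain = rc4(derive_key(blob[516:], session_key), blob[:516])
    (length,) = struct.unpack("<I", plain[512:516])
    if length > 512 or length % 2:
        raise ValueError("corrupt length field (wrong key?)")
    return plain[512 - length:512].decode("utf-16-le")
```

With the fallback constant as the key, the RC4 layer adds no secrecy beyond a published string, so the password is only as private as the DCERPC auth level (PKT_PRIVACY) or the SMB transport that carries the call.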