[cifs-protocol] [EXTERNAL] Re: conditional deny aces not working over SMB - TrackingID#2405070040013300

Douglas Bagnall douglas.bagnall at catalyst.net.nz
Thu Jun 6 23:00:02 UTC 2024


hi Obaid,

That's OK. Thank you.

Just to summarize for the CIFS-Protocol list, my understanding is:

Conditional ALLOW: works "everywhere".

Conditional DENY: works with Applocker, AD Claims related stuff, and 
probably everywhere that uses the userspace AuthZ API (like, I think, 
ADFS), but not the NTFS filesystem (including over SMB).

Conditional AUDIT: who knows, probably like DENY.

Conditional OBJECT {ALLOW|DENY|AUDIT}: probably like DENY.

I don't know (or currently care) whether it is all "callback" DENY ACEs 
that don't work on the filesystem, or just conditional ones, because in 
practice these mean the same thing.

>> I would like to add that by using the conditional access allowed ACE, access denied can be simulated by crafting the right condition.

I think this could get very complicated, as you have to take the whole 
ACL into account. A conditional allow ACE that fails its condition will 
let the access check fall through to the next ACE. The complementary 
condition on a deny ACE would succeed and stop the check there, 
returning a deny result.

That's not to say you need a way of simulating conditional deny ACEs on 
the filesystem, because clearly nobody has ever wanted one.

Thank you for your investigations!

cheers,
Douglas


On 7/06/24 08:36, Obaid Farooqi wrote:
> Hi Douglas:
> My research shows that access denied conditional ACE is only valid when AppLocker checks the access. In case of file system, the access denied conditional ACE is not evaluated.
> 
> I would like to add that by using the conditional access allowed ACE, access denied can be simulated by crafting the right condition.
> 
> Please let me know if this does not answer your question.
> 
> I will file a bug against MS-DTYP.
> 
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> -----Original Message-----
> From: Obaid Farooqi
> Sent: Tuesday, May 7, 2024 4:11 PM
> To: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
> Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol at lists.samba.org
> Subject: RE: [EXTERNAL] Re: conditional deny aces not working over SMB - TrackingID#2405070040013300
> 
> Hi Douglas:
> I'll look into this and will be in touch as soon as I have something to share.
> 
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> -----Original Message-----
> From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
> Sent: Monday, May 6, 2024 5:54 PM
> To: Obaid Farooqi <obaidf at microsoft.com>; cifs-protocol at lists.samba.org
> Cc: Microsoft Support <supportmail at microsoft.com>
> Subject: Re: [EXTERNAL] Re: conditional deny aces not working over SMB - TrackingID#2310190040000571
> 
> hi Obaid,
> 
> Sorry for the long delay.
> 
> I have not been able to change the behaviour I reported, which is that an ACL with a conditional deny ACE will not deny access over SMB, while the corresponding conditional allow ACE does allow access. This seems to be independent of whether claims are enabled.
> 
> This ACL doesn't depend on claims, as the condition refers to things that are already known:
> 
>      D:(XD;;FA;;;WD;(Member_of SID(WD)))(A;;FA;;;WD)
> 
> and it doesn't deny access. This ACL:
> 
>      D:(XA;;FA;;;WD;(Member_of SID(WD)))
> 
> does allow access over SMB.
> 
> I think that's the out-of-the-box behaviour, and I haven't managed to find a way of changing that by enabling claims.
> 
> I don't see documentation in MS-DTYP (or anywhere else) of where the various ACE types have meaning.
> 
> My suspicion is that the kernel/NTFS has a partial implementation of conditional ACEs, and that is what SMB uses. The documentation follows the userspace API used by AD. It would be nice if the docs said "you can't use this ACE type in protocol x", if that was actually true.
> 
> Douglas
> 
> On 9/11/23 18:12, Obaid Farooqi wrote:
>> Hi Douglas:
>> I assume the following link is working. If you have any other questions, please let me know.
>>
>> Regards,
>> Obaid Farooqi
>> Escalation Engineer | Microsoft
>>
>> -----Original Message-----
>> From: Obaid Farooqi
>> Sent: Wednesday, October 25, 2023 5:03 PM
>> To: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>;
>> cifs-protocol at lists.samba.org
>> Cc: Microsoft Support <supportmail at microsoft.com>
>> Subject: RE: [EXTERNAL] Re: conditional deny aces not working over SMB
>> - TrackingID#2310190040000571
>>
>> Hi Douglas:
>> See if this works for you:
>>
>> https://learn.microsoft.com/en-us/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-
>>
>> -----Original Message-----
>> From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
>> Sent: Wednesday, October 25, 2023 3:34 PM
>> To: Obaid Farooqi <obaidf at microsoft.com>;
>> cifs-protocol at lists.samba.org
>> Cc: Microsoft Support <supportmail at microsoft.com>
>> Subject: [EXTERNAL] Re: conditional deny aces not working over SMB -
>> TrackingID#2310190040000571
>>
>> hi Obaid,
>>
>>> How did you set up your test environment?
>>
>> Well, haphazardly, it must be said. I tried various things, none of which made any difference.
>>
>> This is on a standalone server -- there is no KDC or user claims. The conditional ACEs refer to facts that are independent of actual claims, or only to resource attribute claims. They work perfectly with allow aces, and not at all with deny aces.
>>
>> I get a 404 at
>> https://learn.microsoft.com/en-us/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-
>> -- was something clipped off the end?
>>
>> cheers,
>> Douglas
>>
>> On 26/10/23 06:06, Obaid Farooqi wrote:
>>> Hi Douglas:
>>> My conversation with product group revealed that the claims-based authorization was developed to protect files, SMB or otherwise.
>>> How did you set up your test environment?
>>> Here are some instructions on setting up a test environment:
>>>
>>> https://learn.microsoft.com/en-us/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-
>>>
>>> Regards,
>>> Obaid Farooqi
>>> Escalation Engineer | Microsoft
>>>
>>> -----Original Message-----
>>> From: Obaid Farooqi
>>> Sent: Thursday, October 19, 2023 11:45 AM
>>> To: Jeff McCashland (He/him) <jeffm at microsoft.com>; Douglas Bagnall
>>> <douglas.bagnall at catalyst.net.nz>; cifs-protocol at lists.samba.org
>>> Cc: Microsoft Support <supportmail at microsoft.com>
>>> Subject: RE: [EXTERNAL] conditional deny aces not working over SMB -
>>> TrackingID#2310190040000571
>>>
>>> Hi Douglas:
>>> I'll look into this and will be in touch as soon as I have an answer.
>>>
>>> Regards,
>>> Obaid Farooqi
>>> Escalation Engineer | Microsoft
>>>
>>> -----Original Message-----
>>> From: Jeff McCashland (He/him) <jeffm at microsoft.com>
>>> Sent: Wednesday, October 18, 2023 8:45 PM
>>> To: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>;
>>> cifs-protocol at lists.samba.org
>>> Cc: Microsoft Support <supportmail at microsoft.com>
>>> Subject: RE: [EXTERNAL] conditional deny aces not working over SMB -
>>> TrackingID#2310190040000571
>>>
>>> [DocHelp to BCC, support on CC, SR ID on Subject]
>>>
>>> Hi Douglas,
>>>
>>> Thank you for your email. We have created SR 2310190040000571 to track this issue. One of our engineers will respond soon.
>>>
>>> Best regards,
>>> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
>>> Protocol Open Specifications Team
>>> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone:
>>> (UTC-08:00) Pacific Time (US and Canada) Local country phone number
>>> found here: http://support.microsoft.com/globalenglish | Extension 1138300
>>>
>>> -----Original Message-----
>>> From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
>>> Sent: Wednesday, October 18, 2023 3:46 PM
>>> To: cifs-protocol at lists.samba.org; Interoperability Documentation
>>> Help <dochelp at microsoft.com>
>>> Subject: [EXTERNAL] conditional deny aces not working over SMB
>>>
>>> hi Dochelp,
>>>
>>> Using SMB2 and Windows 2022, if I set the DACL of a file to
>>>
>>>       D:(XD;;FA;;;WD;(Member_of SID(WD)))(A;;FA;;;WD)
>>>
>>> I can still access the file (also over SMB2).
>>>
>>> I didn't expect that, as the first ACE should deny access when the condition "Member_of SID(WD)" is true, which is essentially the same condition as the allow ACE that follows it.
>>>
>>> I haven't been able to find any cases of conditional deny ACEs working for file access. I see the same behaviour locally on the machine.
>>>
>>> I'm guessing this is out of scope for [MS-DTYP], which describes the ACE types but does not say where and how they are used. Is the expected meaning of conditional ACEs for file access described anywhere?
>>>
>>> From what I can see, conditional ACEs in the file system are called Dynamic Access Control, and people wrote everything that is known about it in 2012.
>>>
>>> I believe SMB defers the authorization decisions to the underlying file system, and this uses something other than the user space AuthZ API which is used for handling AD claims (I think). Most of what is written about conditional ACEs refers to that API, or directly to claims.
>>>
>>> Because file system behaviour is not considered part of a protocol, ACLs on files can be interpreted however the server prefers. Is that roughly the position? On the slight chance it isn't, I would like to know if the behaviour of conditional ACEs over SMB is documented.
>>>
>>> cheers,
>>> Douglas
>>>
>>
> 
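
As an added illustration of the access-check semantics discussed in this thread (not code from the thread or from Samba), the following Python models a simplified MS-DTYP DACL walk over the two ACLs above, with a flag that reproduces the observed NTFS/SMB behaviour of not evaluating conditional deny (XD) ACEs; it also covers the "complementary condition on an allow ACE" workaround. The condition evaluator, the SID/rights alias tables and the token are constructed for this example and only cover the subset of SDDL the thread uses.

```python
import re

SID_ALIAS = {"WD": "S-1-1-0"}  # SDDL "WD" = Everyone
RIGHTS = {"FA": 0x1F01FF}     # SDDL "FA" = FILE_ALL_ACCESS

def split_aces(dacl):
    """Split '(ace)(ace)' by paren depth so (Member_of SID(WD)) survives intact."""
    aces, depth, start = [], 0, 0
    for i, ch in enumerate(dacl):
        if ch == "(":
            start = i if depth == 0 else start
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                aces.append(dacl[start + 1:i])
    return aces

def eval_cond(cond, token_sids):
    """Thread's condition subset only: Member_of SID(x) and !(...); no and/or."""
    c = cond.strip()
    if c[0] == "(" and c[-1] == ")":
        return eval_cond(c[1:-1], token_sids)
    if c[0] == "!":
        return not eval_cond(c[1:], token_sids)
    m = re.fullmatch(r"Member_of SID\((\S+)\)", c)
    if not m:
        raise ValueError("unsupported condition: " + cond)
    return SID_ALIAS.get(m.group(1), m.group(1)) in token_sids

def access_check(sddl, token_sids, desired, skip_conditional_deny=False):
    """Simplified MS-DTYP DACL walk: allow ACEs grant bits, a deny ACE overlapping
    any still-outstanding bit ends the walk as 'denied', a failed condition falls
    through. skip_conditional_deny=True models the reported NTFS/SMB behaviour."""
    remaining = desired
    for ace in split_aces(sddl.removeprefix("D:")):
        f = ace.split(";", 6)                # type;flags;rights;;;sid;(cond)
        ace_type, sid = f[0], SID_ALIAS.get(f[5], f[5])
        if sid not in token_sids or (skip_conditional_deny and ace_type == "XD"):
            continue
        if len(f) > 6 and not eval_cond(f[6], token_sids):
            continue                         # condition false: fall through
        rights = RIGHTS[f[2]]
        if ace_type in ("A", "XA"):
            remaining &= ~rights
            if remaining == 0:
                return "allowed"
        elif ace_type in ("D", "XD") and remaining & rights:
            return "denied"
    return "denied"                          # implicit deny: not fully granted
```

With a token holding Everyone, the first ACL from the thread is denied under the spec walk but allowed once XD ACEs are skipped, while the negated-condition allow ACE is denied in both modes because nothing ever grants the rights.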
