I am writing a program that will set up a VPN on a user's computer. My sysadmin told me that the security page of the VPN must have these security settings checked, and no others.
I have used this code as a basis for my own. My version sets almost everything correctly, except that it cannot uncheck the 2 boxes titled Challenge Handshake Authentication Protocol (CHAP) and Microsoft CHAP Version 2 (MS-CHAP v2). Is it possible to programmatically uncheck those 2 checkboxes while leaving the Data Encryption dropdown list set as Require Encryption? Here is my code:
void createVPN()
{
DWORD size = 0;
RasGetEntryProperties(NULL, L"", NULL, &size, NULL, NULL);
LPRASENTRY pras = (LPRASENTRY)malloc(size);
memset(pras, 0, size);
pras->dwSize = size;
pras->dwType = RASET_Vpn;
pras->dwRedialCount = 1;
pras->dwRedialPause = 60;
pras->dwfNetProtocols = RASNP_Ip;
pras->dwEncryptionType = ET_Require;
wcscpy_s(pras->szLocalPhoneNumber, L"meraki.companyname.com");
wcscpy_s(pras->szDeviceType, RASDT_Vpn);
pras->dwfOptions = RASEO_RemoteDefaultGateway;
pras->dwVpnStrategy = VS_L2tpOnly;
pras->dwfOptions2 |= RASEO2_UsePreSharedKey;
pras->dwfOptions &= ~(RASEO_RequireCHAP | RASEO_RequireMsCHAP | RASEO_RequireMsCHAP2);//This should unset the CHAP flags, but it doesn't.
RasSetEntryProperties(NULL, L"CompanyName Meraki VPN", pras, pras->dwSize, NULL, 0);
RASCREDENTIALS ras_cre_psk = { 0 };
ras_cre_psk.dwSize = sizeof(ras_cre_psk);
ras_cre_psk.dwMask = RASCM_PreSharedKey;
wcscpy_s(ras_cre_psk.szPassword, L"redacted");
RasSetCredentials(NULL, L"CompanyName Meraki VPN", &ras_cre_psk, FALSE);
free(pras);
}
I am thinking that by setting pras->dwEncryptionType to ET_Require, that prevents RASEO_RequireCHAP and the other CHAP flags from being unset, but in the Windows GUI, it is possible to uncheck them and leave Data Encryption set to Require Encryption. My sysadmin tells me that the connection will not work if either of the CHAP checkboxes are checked, or if Data Encryption is not set to Require Encryption. What can I do?
I have finally figured it out. You have to set the RASEO_RequirePAP switch. Here is the final version of the function:
void createVPN()
{
DWORD size = 0;
RasGetEntryProperties(NULL, L"", NULL, &size, NULL, NULL);
RASENTRY rasEntry = {};
rasEntry.dwSize = sizeof(rasEntry);
rasEntry.dwType = RASET_Vpn;
rasEntry.dwRedialCount = 1;
rasEntry.dwRedialPause = 60;
rasEntry.dwfNetProtocols = RASNP_Ip;
rasEntry.dwEncryptionType = ET_Require;
wcscpy_s(rasEntry.szLocalPhoneNumber, L"meraki.enoble.com");
wcscpy_s(rasEntry.szDeviceType, RASDT_Vpn);
rasEntry.dwfOptions = RASEO_RemoteDefaultGateway;
rasEntry.dwVpnStrategy = VS_L2tpOnly;
rasEntry.dwfOptions2 |= RASEO2_UsePreSharedKey;
rasEntry.dwfOptions |= RASEO_RequirePAP;
RasSetEntryProperties(NULL, L"Enoble Meraki VPN", &rasEntry, rasEntry.dwSize, NULL, 0);
RASCREDENTIALS ras_cre_psk = { 0 };
ras_cre_psk.dwSize = sizeof(ras_cre_psk);
ras_cre_psk.dwMask = RASCM_PreSharedKey;
wcscpy_s(ras_cre_psk.szPassword, L"passport2k");
RasSetCredentials(NULL, L"Enoble Meraki VPN", &ras_cre_psk, FALSE);
}
I hope this helps somebody.
Related
Been trying this for a while so far with no success, so hoping someone can help out (and that I'm not far off!). I just want to return whether a user is a member of a specific group through LDAP. So far I have the below code;
int authMethod = LDAP_AUTH_SIMPLE;
LDAP* pLdapConnection = NULL;
ULONG version = LDAP_VERSION3;
ULONG getOptSuccess = 0;
ULONG connectSuccess = 0;
INT returnCode = 0;
int retSearch = 0;
LDAPMessage *res;
int num_entries = 0, num_refs = 0;
pLdapConnection = ldap_init((char*)m_Hostname.GetString(), LDAP_PORT);
returnCode = ldap_set_option(pLdapConnection,
LDAP_OPT_PROTOCOL_VERSION,
(void*)&version);
// Connect to the server.
connectSuccess = ldap_connect(pLdapConnection, NULL);
// Bind
returnCode = ldap_bind_s(pLdapConnection, (char*)m_Username.GetString(), (char*)m_Password.GetString(), authMethod);
// Attempt to search for user
retSearch = ldap_search_s(pLdapConnection, "dc=as,dc=local", LDAP_SCOPE_SUBTREE, "(&(sAMAccountName = examplename))", NULL, NULL, &res);
All of this works so far, up until the searching part, for example - I want to search for a user "username" in group "Technical". I've tried things like the below;
retSearch = ldap_search_s(pLdapConnection, "dc=as,dc=local", LDAP_SCOPE_SUBTREE, "(&(sAMAccountName=username)(memberof=CN=Technical))",
nullptr, 0, &pSearchResult);
That does not return anything, so I've tried searching more and the only thing similar I've found is - LDAP Finding Members of a group PHP but it's in PHP and I cannot seem to transfer that over to C++ so far.
Any help in the right direction would be helpful as I cannot work it out. :-)
Your filter should be something like:
(&(objectClass=user)(sAMAccountName=yourUserName)
(memberOf=CN=YourGroup,OU=Users,DC=YourDomain,DC=com))
To include membership due to group nesting:
(&(objectClass=user)(sAMAccountName=yourUserName)
(memberOf:1.2.840.113556.1.4.1941:=cn=YourGroup,ou=Users,dc=YourDomain,dc=com))
The numbers 1.2.840.113556.1.4.1941 are an extended match.
Using Windows Filtering Platform i need to block all computer applications minus 1 especific aplication ?
Tried this code and does not work, it blocks all trafic :(
fwpFilter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
fwpFilter.action.type = FWP_ACTION_BLOCK;
fwpFilter.subLayerKey = subLayerKey;
fwpFilter.weight.type = FWP_EMPTY;
fwpFilter.numFilterConditions = 0;
fwpFilter.displayData.name = GetWC("Block All APPS MINUS FIREFOX");
fwpFilter.displayData.description = GetWC("Block All APPS MINUS FIREFOX");
result = FwpmFilterAdd0(engine, &fwpFilter, NULL, NULL);
FWPM_FILTER_CONDITION0 Condition;
fwpFilter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
fwpFilter.action.type = FWP_ACTION_PERMIT;
fwpFilter.weight.type = FWP_EMPTY;
fwpFilter.filterCondition = &Condition;
fwpFilter.numFilterConditions = 1;
PCWSTR appPath = (PCWSTR)GetWC("C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe");
FWP_BYTE_BLOB *fwpApplicationByteBlob;
fwpApplicationByteBlob = (FWP_BYTE_BLOB*)malloc(sizeof(FWP_BYTE_BLOB));
FwpmGetAppIdFromFileName0(appPath, &fwpApplicationByteBlob);
Condition.fieldKey = FWPM_CONDITION_ALE_APP_ID;
Condition.matchType = FWP_MATCH_EQUAL;
Condition.conditionValue.type = FWP_BYTE_BLOB_TYPE;
Condition.conditionValue.byteBlob = fwpApplicationByteBlob;
result = FwpmFilterAdd0(engine, &fwpFilter, NULL, NULL);
Thanks in advance
Below here is a code snippet what I m trying out:
PRINTER_INFO_2 pi;
BOOL Result = FALSE;
HANDLE pHd;
memset(&pi, 0, sizeof(PRINTER_INFO_2));
pi.pPrinterName = L"RxXPSDrv";
pi.pDriverName = L"XPSDrv Sample Driver";
// Select Share Name
pi.pShareName = L"MyPrinter";
// Select Server Name
pi.pServerName = NULL;
// Select Port Name
pi.pPortName = L"COM3:";
//pi.pPortName = L"C:\\Users\\admin\\Desktop\\a1.xps";
pi.pSecurityDescriptor = NULL;
// Select Print Processor
pi.pPrintProcessor = L"winprint";
// Select Attributes
pi.Attributes = PRINTER_ATTRIBUTE_DO_COMPLETE_FIRST | PRINTER_ATTRIBUTE_LOCAL;
// Set Priority
pi.Priority = 1;
// Call the function AddPrinter
pHd = AddPrinter(NULL, 2, (LPBYTE)&pi);
Here #pi.pPortName I need to provide C:\Users\admin\Desktop\a1.xps but its not working and the printer isn't getting added. With COM3 it works fine.
Can anyone tell me how can I do this? How can I provide full path of a XPS to pi.pPortName?
You have to add a "local port" "C:\Users\admin\Desktop\a1.xps" first. I just tried and it worked. Some code for Add port: Adding-a-Local-Port-through-XcvData-and-C
I am trying to get the display name of the running service using c++. I was trying to use the GetServiceDisplayName function but it does not seem to be working, not sure why.
TTServiceBegin( const char *svcName, PFNSERVICE pfnService, bool *svc, PFNTERMINATE pfnTerm,
int flags, int argc, char *argv[], DWORD dynamiteThreadWaitTime )
{
SC_HANDLE serviceStatusHandle;
DWORD dwSizeNeeded = 0 ;
TCHAR* szKeyName = NULL ;
serviceStatusHandle=OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE ,SC_MANAGER_ALL_ACCESS);
GetServiceDisplayName(serviceStatusHandle,svcName, NULL, &dwSizeNeeded);
if(dwSizeNeeded)
{
szKeyName = new char[dwSizeNeeded+1];
ZeroMemory(szKeyName,dwSizeNeeded+1);
if(GetServiceDisplayName(serviceStatusHandle ,svcName,szKeyName,&dwSizeNeeded)!=0)
{
MessageBox(0,szKeyName,"Got the key name",0);
}
}
When i run this code, i can never see the value of szKeyName in my debugger and it goes into the if block for the message box but never displays the message box. Not sure why?
Anyway to get this to work to get the display name of the service or any other/easier way to accomplish that task?
You need to use the WTSSendMessage instead of the MessageBox to interact with the active session.
WTS_SESSION_INFO* pSessionInfo = NULL;
DWORD dwSessionsCount = 0;
if(WTSEnumerateSessions(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pSessionInfo, &dwSessionsCount))
{
for(int i=0; i<(int)dwSessionsCount; i++)
{
WTS_SESSION_INFO &si = pSessionInfo[i];
if(si.State == WTSActive)
{
DWORD dwIdCurrentSession = si.SessionId;
std::string strTitle = "Hello";
std::string strMessage = "This is a message from the service";
DWORD dwMsgBoxRetValue = 0;
if(WTSSendMessage(
WTS_CURRENT_SERVER_HANDLE,
dwIdCurrentSession,
(char*)strTitle.c_str(),
strTitle.size(),
(char*)strMessage.c_str(),
strMessage.size(),
MB_RETRYCANCEL | MB_ICONINFORMATION | MB_TOPMOST,
60000,
&dwMsgBoxRetValue,
TRUE))
{
switch(dwMsgBoxRetValue)
{
case IDTIMEOUT:
// Deal with TimeOut...
break;
case IDCANCEL:
// Deal With Cancel....
break;
}
}
else
{
// Deal With Error
}
break;
}
}
WTSFreeMemory(pSessionInfo);
}
The message box will not be visible on Windows Vista and later due to a change that has services running in a separate session (Session 0 Isolation) that does not have access to a desktop so the message box would not be visible to you, the logged on user.
On Window XP and earlier, you need to tick the Allow service to interact with desktop checkbox under the Log On tab in the service's properties dialog for your service to make message box appear.
Instead, you could write the service name out to a file or run a user application that accepts the name of the service to query and have it query and display the service name (I just tried with the posted code and it works correctly, displaying the message box).
I need to programmatically modify the Access Descriptors on a known Registry key during product installation. The way I want it to work is:
The installer is run in Administrative mode.
A Registry key is created.
A function (the one I need) queries the ACL from the key.
If this function finds that the group 'Users' already has write access, nothing should be done.
If not, it should add a new permission allowing write access to the 'Users' group.
The permissions are saved for the Registry key.
This question is similar to Setting Registry key write permissions using .NET, however, I need a C++/Win32 implementation.
Thanks in advance
For getting and setting the ACL of the key you need to use RegGetKeySecurity and RegSetKeySecurity. Then you need to iterate through the ACEs, examining any that apply to the "Users" group SID. Then you'll either modify/remove the existing one and/or add a new one. Be advised that working with ACLs in plain old Win32 C is a pain.
The smallest code to grant access consists of 3 API calls. It gives full access to the given hkey for all authenticated users and administrators.
This snippet does not contain proper error handling and reporting. Do not copy/paste it into the production code.
PSECURITY_DESCRIPTOR sd = nullptr;
ULONG sd_size = 0;
TCHAR* rights = TEXT( "D:" ) // Discretionary ACL
TEXT( "(A;OICI;GA;;;AU)" ) // Allow full control to all authenticated users
TEXT( "(A;OICI;GA;;;BA)" ); // Allow full control to administrators
ConvertStringSecurityDescriptorToSecurityDescriptor( rights, SDDL_REVISION_1, &sd, &sd_size );
RegSetKeySecurity( hkey, DACL_SECURITY_INFORMATION, sd );
LocalFree( sd );
Detecting if "Users" have write access to the key might be more difficult than expected. I ended up with writing a test value to the registry and checking the result of that write.
Just to expand on Mikhail Vorotilov's answer, and also drawing inspiration from the example code at
https://learn.microsoft.com/en-us/windows/win32/secbp/creating-a-dacl
bool RegistryGrantAll(HKEY hKey)
{
bool bResult = false;
PSECURITY_DESCRIPTOR sd = nullptr;
const TCHAR* szSD =
TEXT("D:") // Discretionary ACL
TEXT("(D;OICI;KA;;;BG)") // Deny access to built-in guests
TEXT("(D;OICI;KA;;;AN)") // Deny access to anonymous logon
TEXT("(A;OICI;KRKW;;;AU)") // Allow KEY_READ and KEY_WRITE to authenticated users ("AU")
TEXT("(A;OICI;KA;;;BA)"); // Allow KEY_ALL_ACCESS to administrators ("BA" = Built-in Administrators)
if (ConvertStringSecurityDescriptorToSecurityDescriptor((LPCTSTR)szSD, SDDL_REVISION_1, &sd, 0))
{
auto result = RegSetKeySecurity(hKey, DACL_SECURITY_INFORMATION, sd);
if (ERROR_SUCCESS == result)
bResult = true;
else
SetLastError(result);
// Free the memory allocated for the SECURITY_DESCRIPTOR.
LocalFree(sd);
}
return bResult;
}
If the function returns false then call GetLastError() for more information on the failure cause.
Code compiles on VS2019 and appears to work.
I have not added code to check that hKey is a valid registry handle.
Edit: I've edited this a few times following testing. Sorry about all the edits. What I ended up with was far closer to Mikhail's answer than I started with.
Links to further info:
https://learn.microsoft.com/en-us/windows/win32/secbp/creating-a-dacl
https://learn.microsoft.com/en-us/windows/win32/api/sddl/nf-sddl-convertstringsecuritydescriptortosecuritydescriptorw
https://learn.microsoft.com/en-us/windows/win32/secauthz/ace-strings
Sup, hope OP is still interested in the answer. Here is the working code adding ACEs to ACLs, it may be used to add ACEs to registry or filesystem DACLs. I haven't tried it with anything else yet. As you may notice, no nasty RegGetKeySecurity or manual ACL composing needed. There's even no need to RegOpenKeyEx. For more info, check this MS doc.
UPD Of course it will need admin rights for execution.
// sk - alloced string / path to needed key
// common look: MACHINE\\Software\\... where MACHINE == HKEY_LOCAL_MACHINE
// google for more address abbrevations
PSECURITY_DESCRIPTOR pSD = 0;
EXPLICIT_ACCESS ea;
PACL pOldDACL = 0, pNewDACL = 0;
if (ERROR_SUCCESS == GetNamedSecurityInfo(sk, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, 0, 0, &pOldDACL, 0, &pSD)) {
memset(&ea, 0, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = KEY_ALL_ACCESS;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance = NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.ptstrName = <USERNAME HERE>; //DOMAIN\\USERNAME
if (ERROR_SUCCESS == SetEntriesInAcl(1, &ea, pOldDACL, &pNewDACL)) {
if (ERROR_SUCCESS == SetNamedSecurityInfo(sk, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, 0, 0, pNewDACL, 0)) {
if (pSD != 0) LocalFree((HLOCAL)pSD);
if (pNewDACL != 0) LocalFree((HLOCAL)pNewDACL);
SAFE_FREE(sk);
// WE'RE GOOD!
return ... ;
} else {
if (pSD) LocalFree((HLOCAL)pSD);
if (pNewDACL) LocalFree((HLOCAL)pNewDACL);
SAFE_FREE(sk);
// SetNamedSecurityInfo failed
return ... ;
}
} else {
if (pSD) LocalFree((HLOCAL)pSD);
if (pNewDACL) LocalFree((HLOCAL)pNewDACL);
SAFE_FREE(sk);
// SetEntriesInAcl failed
return ... ;
}
} else {
if (pSD) LocalFree((HLOCAL)pSD);
SAFE_FREE(sk);
// GetNamedSecurityInfo failed
return ... ;
}