2

I am trying to get the security descriptor (or at least the DACL) of the IPC$ share. For other shares (such as C$, ADMIN$ and user-created shares), GetFileSecurity works (e.g. with "\\localhost\C$"). With IPC$ neither that nor GetKernelObjectSecurity works, giving me an error 87 (The parameter is incorrect). I tried with different security information levels (owner, group, DACL and SACL, all 4 together and each one individually); none worked for me. I also tried NetShareGetInfo with level 502, but it doesn't return any security descriptor (nor does it return one for C$ or ADMIN$, for example). Couldn't find anything on Google either.

I'm using Python 2.7 with pywin32. I would prefer a solution using an API (WINAPI probably), but I would also accept a solution using another exe or command line tool (net.exe, WMI, PowerShell, etc.), as long as I can get the info programmatically.

Thanks!

Eran Zimmerman Gonen
  • 1
    I don't think there's an API to query the default security if the 502 info doesn't return an SD. `GetNamedSecurityInfo` with the `SE_LMSHARE` type doesn't return anything either for special shares such as IPC$, ADMIN$, and C$. That leaves querying the registry. The defaults for SMB shares are set in "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity". Special shares use the admin connection security descriptor in the binary value "SrvsvcShareAdminConnect". You can convert this back into a PyWin32 object via `pywintypes.SECURITY_DESCRIPTOR`. – Eryk Sun Mar 07 '19 at 11:10
  • @eryksun That's the default SD though, not the current one, correct? Or is the SD of IPC$ == default SD for shares == the value of SrvsvcShareAdminConnect? – Eran Zimmerman Gonen Mar 07 '19 at 13:36
  • 1
    It's the default security for special shares (i.e. `STYPE_SPECIAL`), which includes IPC$. If we try to set the security via `NetSetShareInfo`, it fails as an invalid parameter. If we examine the protocol spec in [MS-SRVS] [section 3.1.4.11](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/048b35f8-ac41-4b4a-bd4f-408e4d381234), we see that for "STYPE_SPECIAL, a security descriptor MUST NOT be specified in shi502_security_descriptor (Level = 502)" and it "MUST fail the call with an ERROR_INVALID_PARAMETER". So this is by design, and it always uses the default security. – Eryk Sun Mar 07 '19 at 14:20
  • @eryksun When I use `GetFileSecurity`, I get a different result for drive shares (e.g. C$) and for ADMIN$. Neither of those results is the same as the SD I get when I parse `SrvsvcShareAdminConnect`. – Eran Zimmerman Gonen Mar 07 '19 at 15:40
  • That's not the SMB share security. You're getting the security on the underlying file-system directories, respectively "C:\" and "C:\Windows". – Eryk Sun Mar 07 '19 at 15:45
  • @eryksun So anyone wishing to access a *special* share remotely, needs to have permissions both according to the file system SD (except in the case of IPC$), and according to `SrvsvcShareAdminConnect`, right? And in the case of IPC$, it would be just according to `SrvsvcShareAdminConnect`, correct? – Eran Zimmerman Gonen Mar 07 '19 at 16:00
  • 1
    Correct, the security that's set on a file share can grant everyone access if the underlying file-system supports security, such as NTFS. But special shares always have the default security, regardless of the underlying file-system security. This means that even if drive D: is FAT32 (no security), share D$ will still be secure. – Eryk Sun Mar 07 '19 at 16:09
  • @eryksun Thanks!! – Eran Zimmerman Gonen Mar 07 '19 at 16:11
  • I looked at the entries in "SrvsvcShareAdminConnect", and there's nothing to allow everyone and anonymous, which should be allowed in general for pipe connections. So the IPC$ share must use the normal "SrvsvcShareConnect" security, which grants all access to administrators (S-1-5-32-544), server operators (S-1-5-32-549), and backup operators (S-1-5-32-551), and grants connect access to everyone (S-1-1-0) and anonymous (S-1-5-7). – Eryk Sun Mar 08 '19 at 05:12
  • "SrvsvcShareAdminConnect" grants all access to administrators (S-1-5-32-544), server operators (S-1-5-32-549), and backup operators (S-1-5-32-551), as well as batch (S-1-5-3), interactive (S-1-5-4), and service (S-1-5-6) logons. It grants no particular access to everyone (S-1-1-0), network logons (S-1-5-2), and anonymous logons (S-1-5-7). So administrative disk shares such as C$ are available to all non-anonymous, non-network logons, and only available over the network to administrators and server/backup operators. – Eryk Sun Mar 08 '19 at 05:25
  • @eryksun So to sum up: `SrvsvcShareConnect` controls access to IPC$, intersection(`SrvsvcShareAdminConnect`, folder SD) controls access to C$, ADMIN$, etc., and intersection(SD from NetShareGetInfo, folder SD) controls access to user-defined shares? – Eran Zimmerman Gonen Mar 11 '19 at 08:10
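
Added example (not part of the original thread, and not pywin32 code): a Python 3 standard-library parser for the self-relative security descriptor held in the binary registry values the comments mention, listing each ACE's type, access mask and SID. The sample descriptor and its mask values are constructed for illustration, and `read_default_sd` is a hypothetical helper name for reading the real bytes on Windows.

```python
import struct

def sid_to_str(buf, off=0):
    """Decode a binary SID (MS-DTYP layout) starting at buf[off] into S-R-A-S... form."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)   # little-endian sub-authorities
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def parse_dacl(sd):
    """Return [(kind, access_mask, sid)] from a self-relative security descriptor."""
    _rev, _sbz, control, _owner, _group, _sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & 0x8000:                      # SE_SELF_RELATIVE
        raise ValueError("expected a self-relative security descriptor")
    if not control & 0x0004 or off_dacl == 0:     # SE_DACL_PRESENT
        return None                               # no DACL stored
    _arev, _s1, _size, ace_count, _s2 = struct.unpack_from("<BBHHH", sd, off_dacl)
    aces, pos = [], off_dacl + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type in (0, 1):                    # ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE
            (mask,) = struct.unpack_from("<I", sd, pos + 4)
            aces.append(("ALLOW" if ace_type == 0 else "DENY", mask, sid_to_str(sd, pos + 8)))
        pos += ace_size                           # skip ACE types not decoded here
    return aces

def read_default_sd(value_name):
    """Windows only: fetch e.g. 'SrvsvcShareConnect' from the key named in the comments."""
    import winreg
    path = r"SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        return winreg.QueryValueEx(key, value_name)[0]

def _sid_bytes(text):
    rev, auth, *subs = (int(p) for p in text.split("-")[1:])
    return struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def build_sample_sd():
    """Constructed sample (NOT real registry contents); the mask values are made up."""
    aces = b""
    for sid, mask in (("S-1-5-32-544", 0x001F01FF), ("S-1-1-0", 0x1), ("S-1-5-7", 0x1)):
        body = struct.pack("<I", mask) + _sid_bytes(sid)
        aces += struct.pack("<BBH", 0, 0, 4 + len(body)) + body
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), 3, 0) + aces
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl

if __name__ == "__main__":
    for kind, mask, sid in parse_dacl(build_sample_sd()):
        print("%-5s 0x%08X %s" % (kind, mask, sid))
```

On Windows, `parse_dacl(read_default_sd("SrvsvcShareConnect"))` and the same call with `"SrvsvcShareAdminConnect"` give the two ACE lists compared in the comments above.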

1 Answer

0

You can use the PowerShell cmdlet Get-SMBShareAccess to get the ACL of a share but I'm not sure about dACL.

You can read more about Get-SMBShareAccess here.

To invoke the PowerShell in your Python script you can use this:

```python
import subprocess

command = 'Get-SMBShareAccess -Name IPC$'
result = subprocess.run(['powershell', '-Command', command], stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)

# Print the output
print(result.stdout.decode())
```
Marco Pagliaricci
Ben