IoCreateDeviceSecure function denies the access from member in Administrators


Hi everyone. I am adding access control to a driver (WinPcap's NDIS 6 filter driver) running on Windows 7 and 8. We want to let only administrators (users in the Administrators group) use the driver, so I used the new IoCreateDeviceSecure function instead of the original IoCreateDevice call.

My code is as below:

/* IoCreateDeviceSecure needs <wdmsec.h> and wdmsec.lib */
NTSTATUS status;
UNICODE_STRING sddl = RTL_CONSTANT_STRING(L"D:P(A;;GA;;;SY)(A;;GA;;;BA)");
const GUID guidClassNPF = { 0x26e0d1e0L, 0x8189, 0x12e0, { 0x99, 0x14, 0x08, 0x00, 0x22, 0x30, 0x19, 0x04 } };
/* FILE_DEVICE_SECURE_OPEN is the DeviceCharacteristics argument; the SDDL is applied to the device object */
status = IoCreateDeviceSecure(adriverObjectP, sizeof(DEVICE_EXTENSION), &deviceName, FILE_DEVICE_TRANSPORT,
                              FILE_DEVICE_SECURE_OPEN, FALSE, &sddl, (LPCGUID)&guidClassNPF, &devObjP);

My SDDL string is "D:P(A;;GA;;;SY)(A;;GA;;;BA)", which, according to https://msdn.microsoft.com/en-us/library/windows/hardware/ff563667(v=vs.85).aspx, "allows the kernel, system, and administrator complete control over the device. No other users may access the device." But GA in that SDDL string means "The built-in Administrators group on the machine" according to the same page. So I don't know whether this is Microsoft's mistake, because there is still a difference between the Administrator user and the Administrators group.

My testbed is Windows 8.1 x64. I created a user named test and added it to the Administrators group. I used the runas command to run a program that invokes the driver as the user test, as below:

Fails:

runas /savecred /user:test "C:\Program Files (x86)\Nmap\nmap.exe -v -A 192.168.0.1"

The command fails to open the driver device. I tried the command as the built-in Administrator user, and opening the driver device succeeds, as below:

Succeeds:

runas /savecred /user:administrator "C:\Program Files (x86)\Nmap\nmap.exe -v -A 192.168.0.1"

This test confirms that "D:P(A;;GA;;;SY)(A;;GA;;;BA)" only allows access to the exact Administrator user instead of the Administrators group.

I hope someone can point out whether this is a bug in Windows, and how to allow the Administrators group to use my driver. Thanks.


It seems to be a UAC problem.

Besides, for a general view, I think our application scenario doesn't actually make use of the "Administrator" privilege. We just want to open access to the Administrators group as a standard group instead of asking for Administrator privileges. I think there must be some more graceful way to solve this UAC issue.

Also, I thought "BA" in SDDL should mean all accounts in the Administrators group; it has little to do with whether the account in the Administrators group has a "full" access token. In the current situation (default policies), if "BA" only means the built-in Administrator account, we could just provide the SID of the Administrator account instead of using "BA", so the predefined "BA" string would be useless.
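As an added diagnostic (not the asker's code; it assumes Windows PowerShell 5.1 or later for ConvertFrom-SddlString and is run in the session of the account being tested), the script below expands the SDDL string from the question and checks whether the current process token would satisfy its BA ACE:

```powershell
# Added diagnostic, not the asker's code. Assumes Windows PowerShell 5.1+
# (for ConvertFrom-SddlString) and that it runs in the session of the
# account under test (e.g. launched through the same runas command).

function Test-DeviceSddlAccess {
    param([string]$Sddl = 'D:P(A;;GA;;;SY)(A;;GA;;;BA)')  # string from the question

    # 1. Expand the SDDL: the abbreviations resolve to real trustees, so "BA"
    #    really is the Administrators *group* (S-1-5-32-544), not the account.
    $sd = ConvertFrom-SddlString -Sddl $Sddl
    Write-Host 'DACL in the SDDL string:'
    $sd.DiscretionaryAcl | ForEach-Object { Write-Host "  $_" }

    # 2. Ask the question the device open's access check asks: does the
    #    *current token* match an allow ACE for BUILTIN\Administrators?
    #    IsInRole() uses CheckTokenMembership, which honours deny-only groups.
    $id       = [Security.Principal.WindowsIdentity]::GetCurrent()
    $prin     = [Security.Principal.WindowsPrincipal]$id
    $adminSid = New-Object Security.Principal.SecurityIdentifier(
                    [Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
    $matches  = $prin.IsInRole($adminSid)

    # 3. Show why: under UAC a non-elevated member of Administrators runs on a
    #    filtered token in which the group is present but flagged
    #    "Group used for deny only", so an allow ACE for BA never matches it.
    $groupLine = (whoami /groups) | Select-String 'BUILTIN\\Administrators'

    Write-Host "Running as                  : $($id.Name)"
    Write-Host "Token matches allow ACE, BA : $matches"
    Write-Host "whoami /groups entry for BA : $groupLine"
    return $matches
}

Test-DeviceSddlAccess
```

Run through the same runas command as the test account, it returns False and the whoami line shows the group as "Group used for deny only"; by default the built-in Administrator account is exempt from Admin Approval Mode and so runs on a full token and returns True, which matches the two results above.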
