Tuesday, July 15, 2008

Okay, Last SDDL Post


I just wanted to quickly apologize to anyone who followed the broken link from the old post over the last couple of days while trying to get to the Python SDDL post.

Due to a misreading of the SDDL specification, I didn't realize that the O: and G: sections could exist in the same string alongside the D: or S: sections.

Anyway, the upshot is that this module parses SDDL strings much better, and now supports the other formats as well.


Saturday, July 12, 2008

More Fun with SDDL, Python Style!

NOTE: This project has been moved to Google Code so people can propose changes.



It seems like I still get a couple of hits a week from people looking for SDDLTranslate.exe, so I decided to update it. Win32::SDDL was my first and only object-oriented Perl module, but lately I've discovered that making OO modules is much easier in Python (don't get me wrong, I still love Perl, but where it's better, it's better).

So let's get down to the nitty gritty:

SDDL.py is the Python module that makes this work.

All SDDL.SDDL objects have the following attributes:

sddl_string: the SDDL string that was passed in to initialize the object.
target: set this to 'service' if the string describes a service; it changes how the object-specific access codes are translated (see ACCESS).
sddl_type: the type of string: O (owner), G (group), D (DACL) or S (SACL).
acl: a list of SDDL.ACE objects representing the Access Control Entries if the type is DACL or SACL; empty if the type is Owner or Group.
owner_sid: the SID of the owner.
owner_account: the account name of the owner.
group_sid: the SID of the group.
group_account: the account name of the group.
ACCESS: a dictionary of the access-right constants used in SDDL, updated to reflect the target type.

All SDDL.ACE objects in the acl attribute have the following attributes:

ace_string: the string contained between the parentheses, before parsing.
flags: the translated ACE flags (inheritance and audit flags) from the ace_string. Usually blank.
perms: the translated access rights from the ace_string.
ace_type: allow, deny, audit, etc.
object_type: the GUID of the object type, for object-specific ACEs. Usually blank.
inherited_type: the GUID of the object type that inherits this ACE. Usually blank.
trustee: the account (principal) being allowed or denied access. This is either translated from one of the well-known SDDL aliases or obtained by converting the SID string in the ace_string to an account name.

The new version of SDDLTranslate now handles SDDL strings in the O: (owner) and G: (group) formats as well as the DACL and SACL formats.

You will need to install Python if you haven't already. I recommend ActivePython. You'll also want to download Tim Golden's wmi module.


Note: I don't have a good replacement for PerlApp that works with Python, so I'll only be releasing the .py files. If you want, you can use py2exe to convert the program to a packaged EXE, but you'll end up with a directory full of files. I do use py2exe, and it works, but I'll leave that as an exercise for the reader. Shoot me an email if you can't get it to work and I'll help you out if I have time.


Wednesday, August 23, 2006

SDDL Utilities

UPDATE:  There's a new version of SDDLTranslate.  This one's in Python, and you can find it at 

http://tojo2000.com/blog/2008/07/more-fun-with-sddl-python-style.html

-----------------------------

SDDL (Security Descriptor Definition Language) may not be the most exciting thing in the world for most people, but it's something I've had to delve into because I've been trying to come up with a good solution for scanning a computer for weak service permissions. I've found several systems so far with weak service permissions that could easily allow a malicious user to take over a system. The mechanism is simple: if a service's DACL grants a right such as SERVICE_CHANGE_CONFIG (DC in SDDL), WRITE_DAC (WD) or WRITE_OWNER (WO) to a broad group like Authenticated Users or Everyone, any member of that group can point the service's binary path at a program of their choosing and have it run under the service's account, which is usually LocalSystem. This is a huge problem, but it is not a problem that can be "fixed" by a patch. Microsoft is not going to release an update that eliminates weak service permissions, because they are not a bug: they happen when whoever created the service set its permissions incorrectly, either by fat-fingering them or by not realizing what the rights they granted actually allow.

While trying to find the best way to dump service permissions, I came across SC.exe (Windows XP and Server 2003). Its "sdshow" subcommand prints the security descriptor of a particular service as an SDDL string. As an example, try typing the following at a command prompt:

sc sdshow Spooler
(I chose Spooler because it exists on all XP/2003 systems)

You should get an SDDL string like this back:

D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(I cut it a little short, but it's still a valid SDDL string)

The problem with this is that it is a huge pain to figure out what you are reading even if you understand the anatomy of an SDDL string, which most people don't. That's where SDDLTranslate and SvcInfo come in, two utilities I wrote in the process of researching service permissions.

SDDLTranslate
USAGE: SDDLTranslate SDDL_String [-s]

SDDLTranslate takes an SDDL string as an argument and returns the corresponding access control list in human-readable format. The optional -s switch tells SDDLTranslate that the SDDL string refers to a service: the object-specific access codes (CC, DC, LC, SW, RP, WP, DT, LO and CR) mean different things for a service than they do for other objects, so DC, for example, is SERVICE_CHANGE_CONFIG rather than DELETE_CHILD. Let's use the SDDL string from earlier as an example:
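As an added, stand-alone illustration of what the translation involves (this is not SDDLTranslate's output and not code from Win32::SDDL or SDDL.py; it is an editor's example written for this page), here is a small Python parser in the same spirit as the object model described in the July 2008 post. It splits a string into its O:, G:, D: and S: sections, breaks each ACE into type, flags, rights, object GUIDs and trustee, translates the two-letter codes (reading the object-specific ones as service rights when target='service', which is what the -s switch selects), and then flags allowed ACEs that hand a broad group a right such as SERVICE_CHANGE_CONFIG. The inputs are constructed: the first is the Spooler string above, the second is made up to exercise the owner/group sections, a DACL flag, a SACL and one deliberately weak ACE. The alias table, the "broad trustee" set and the "dangerous rights" set are my choices, and SID-to-account lookup only covers well-known aliases because there is no Win32 call here.

```python
import re
from collections import namedtuple
from dataclasses import dataclass

# Constructed inputs: the Spooler DACL quoted in the post, plus a made-up descriptor with O:/G: sections,
# a DACL flag, a SACL and one deliberately weak ACE.
SPOOLER_SDDL = "D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
WEAK_SDDL = "O:BAG:SYD:P(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)(A;;CCLCSWLOCRRC;;;BU)S:(AU;SAFA;WDWO;;;WD)"

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "OA": "OBJECT_ACCESS_ALLOWED",
             "OD": "OBJECT_ACCESS_DENIED", "AU": "SYSTEM_AUDIT", "AL": "SYSTEM_ALARM"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE_INHERIT", "IO": "INHERIT_ONLY",
             "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
ACL_FLAGS = {"P": "PROTECTED", "AR": "AUTO_INHERIT_REQ", "AI": "AUTO_INHERITED"}
# Generic/standard rights mean the same for every object; the object-specific codes are re-read for services (-s).
COMMON_RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
                 "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
GENERIC_SPECIFIC = {"CC": "CREATE_CHILD", "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN", "SW": "SELF_WRITE",
                    "RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY", "DT": "DELETE_TREE", "LO": "LIST_OBJECT",
                    "CR": "CONTROL_ACCESS"}
SERVICE_SPECIFIC = {"CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG", "LC": "SERVICE_QUERY_STATUS",
                    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "RP": "SERVICE_START", "WP": "SERVICE_STOP",
                    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL"}
# Offline alias table only: a literal S-1-... SID is passed through (the real tools resolve it via the Win32 API).
WELL_KNOWN_SIDS = {"AU": "Authenticated Users", "BA": "Builtin Administrators", "BU": "Builtin Users",
                   "SY": "Local System", "WD": "Everyone", "IU": "Interactive Users", "AN": "Anonymous",
                   "LS": "Local Service", "NS": "Network Service", "CO": "Creator Owner", "NU": "Network"}
# Trustees that include ordinary users, and rights that let such a user hijack a service (editor's choice).
BROAD_TRUSTEES = {"Everyone", "Authenticated Users", "Builtin Users", "Interactive Users", "Anonymous", "Network"}
DANGEROUS_SERVICE_RIGHTS = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "GENERIC_ALL", "GENERIC_WRITE", "DELETE"}
SECTION_RE = re.compile(r"([OGDS]):")   # section markers; ACE bodies and SIDs never contain ':'
ACE_RE = re.compile(r"\(([^()]*)\)")     # one ACE per parenthesised group

ACE = namedtuple("ACE", "ace_string ace_type flags perms object_type inherited_type trustee")
ACL = namedtuple("ACL", "flags aces")
Principal = namedtuple("Principal", "sid account")

@dataclass
class SecurityDescriptor:
    sddl_string: str
    target: str = "generic"
    owner: Principal = None
    group: Principal = None
    dacl: ACL = None   # None when D: is absent; ACL([], []) when present but empty (nobody gets access)
    sacl: ACL = None

def _tokens(text, table):
    """Split a run of SDDL codes into names, trying two-letter codes before one-letter ones."""
    out, i = [], 0
    while i < len(text):
        width = next((w for w in (2, 1) if text[i:i + w] in table), None)
        if width is None:
            raise ValueError(f"unknown SDDL code at {text[i:]!r}")
        out.append(table[text[i:i + width]])
        i += width
    return out

def parse_ace(ace_string, target="generic"):
    """Parse 'type;flags;rights;object_guid;inherit_guid;sid' into a translated ACE."""
    parts = ace_string.split(";")
    if len(parts) < 6 or parts[0] not in ACE_TYPES:
        raise ValueError(f"malformed ACE {ace_string!r}")
    ace_type, flags, rights, obj, inh, sid = parts[:6]
    table = dict(COMMON_RIGHTS, **(SERVICE_SPECIFIC if target == "service" else GENERIC_SPECIFIC))
    # SDDL also allows a raw hex access mask in place of the two-letter codes.
    perms = [f"ACCESS_MASK={int(rights, 16):#010x}"] if rights.startswith("0x") else _tokens(rights, table)
    return ACE(ace_string, ACE_TYPES[ace_type], _tokens(flags, ACE_FLAGS), perms, obj, inh,
               WELL_KNOWN_SIDS.get(sid, sid))

def parse_sddl(sddl, target="generic"):
    """Parse any combination of O:, G:, D: and S: sections appearing in one string."""
    sd = SecurityDescriptor(sddl, target)
    marks = list(SECTION_RE.finditer(sddl))
    if not marks or marks[0].start() != 0:
        raise ValueError("SDDL string must start with O:, G:, D: or S:")
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        body, kind = sddl[m.end():end], m.group(1)
        if kind in "OG":
            setattr(sd, "owner" if kind == "O" else "group", Principal(body, WELL_KNOWN_SIDS.get(body, body)))
        else:   # D: or S:  ->  optional ACL flags, then zero or more ACEs
            first = body.find("(")
            acl = ACL(_tokens(body if first < 0 else body[:first], ACL_FLAGS),
                      [parse_ace(a, target) for a in ACE_RE.findall(body)])
            setattr(sd, "dacl" if kind == "D" else "sacl", acl)
    return sd

def weak_service_aces(sd):
    """Allowed ACEs that give a broad group a right sufficient to hijack the service (e.g. repoint binPath)."""
    return [ace for ace in (sd.dacl.aces if sd.dacl else [])
            if ace.ace_type == "ACCESS_ALLOWED" and ace.trustee in BROAD_TRUSTEES
            and DANGEROUS_SERVICE_RIGHTS & set(ace.perms)]

def describe(sd):
    """Render the descriptor the way a translator prints it, flagging weak service ACEs."""
    lines = [f"{n}: {p.account} ({p.sid})" for n, p in (("Owner", sd.owner), ("Group", sd.group)) if p]
    for name, acl in (("DACL", sd.dacl), ("SACL", sd.sacl)):
        if acl is not None:
            lines.append(f"{name} flags: {', '.join(acl.flags) or '(none)'}")
            lines += [f"  {a.ace_type:<22}{a.trustee:<24}{', '.join(a.flags + a.perms)}" for a in acl.aces]
    if sd.target == "service":
        lines += [f"WEAK: {a.trustee} can reconfigure this service" for a in weak_service_aces(sd)]
    return "\n".join(lines)
```

Calling print(describe(parse_sddl(WEAK_SDDL, "service"))) prints the owner, group, both ACLs and a WEAK line for the Authenticated Users entry, which is exactly the kind of entry a tool like SvcInfo is meant to surface; the same Spooler string parsed without the target argument shows CC as CREATE_CHILD instead of SERVICE_QUERY_CONFIG, which is the difference the -s switch makes. The section splitter relies on the fact that a ':' only ever follows a section letter, so an owner given as a literal S-1-... SID is handled the same way as an alias.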




SvcInfo
USAGE: SvcInfo

SvcInfo automates the task of cycling through your services, running "sc sdshow <service>" on each one, and then running SDDLTranslate on the result. Running SvcInfo will enumerate all of your services and get the security descriptor for each. Since the result typically spans many pages, it also writes the output to SvcInfo.log so you can review it in another program later.


Both SDDLTranslate and SvcInfo were written in Perl using a module I wrote for the purpose, Win32::SDDL. You can find Win32::SDDL on CPAN.


Click here to download SDDLTranslate.
Click here to download the source for SDDLTranslate.

Click here to download SvcInfo.
Click here to download the source for SvcInfo.
