Fixing rights on registry, since we store a private key inside

aloopkin · Feb 21, 2020 · 78c4fbe · 78c4fbe
1 parent 3094fc6
commit 78c4fbe
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 10 deletions.
diff --git a/WinCertes/Config/RegistryConfig.cs b/WinCertes/Config/RegistryConfig.cs
@@ -37,23 +37,45 @@ public RegistryConfig(bool extra = false)
                     _registryKey += @"\extra";
                     _subKey += @"\extra";
                 }
-                RegistryKey regKey = Registry.LocalMachine.OpenSubKey("SOFTWARE").OpenSubKey("WinCertes", RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.FullControl);
+                RegistryKey regKey = Registry.LocalMachine.OpenSubKey("SOFTWARE").OpenSubKey("WinCertes");
                 RegistrySecurity regSec = regKey.GetAccessControl(AccessControlSections.All);
-                regSec.SetOwner(new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null));
-                regSec.SetAccessRuleProtection(true, false);
-                regKey.SetAccessControl(regSec);
-                RegistryAccessRule adminFull = new RegistryAccessRule(new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null), RegistryRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow);
-                regSec.AddAccessRule(adminFull);
-                adminFull = new RegistryAccessRule(new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), RegistryRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow);
-                regSec.AddAccessRule(adminFull);
-                regKey.SetAccessControl(regSec);
-            }
+                foreach(RegistryAccessRule rule in regSec.GetAccessRules(true, true, typeof(NTAccount))) {
+                    if (rule.IdentityReference.Value==@"BUILTIN\Users")
+                    {
+                        _logger.Debug("Users have rights on Registry entry: Need to fix rights");
+                        fixRights();
+                        break;
+                    }
+                }
+             }
             catch (Exception e)
             {
                 _logger.Warn(e,$"Warning: Could not open/create registry subkey: {e.Message}. We'll try to continue anyway.");
             }
         }
 
+        private void fixRights()
+        {
+            // We have a private key inside the registry, therefore we should ensure only admins have access to it
+            RegistryKey regKey = Registry.LocalMachine.OpenSubKey("SOFTWARE").OpenSubKey("WinCertes", RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.FullControl);
+            RegistrySecurity regSec = regKey.GetAccessControl(AccessControlSections.All);
+            regSec.SetOwner(new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null));
+            regSec.SetAccessRuleProtection(true, false);
+            regKey.SetAccessControl(regSec);
+            RegistryAccessRule adminFull = new RegistryAccessRule(new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null), RegistryRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow);
+            regSec.AddAccessRule(adminFull);
+            adminFull = new RegistryAccessRule(new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), RegistryRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow);
+            regSec.AddAccessRule(adminFull);
+            string domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
+            // If we're joined to a domain, we probably need to give access to domain admins as well
+            if ((domain != null) && (domain.Length > 0))
+            {
+                adminFull = new RegistryAccessRule(new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, null), RegistryRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow);
+                regSec.AddAccessRule(adminFull);
+            }
+            regKey.SetAccessControl(regSec);
+        }
+
         /// <summary>
         /// Reads parameter from configuration as string, null if none
         /// </summary>

diff --git a/WinCertes/WinCertes.csproj b/WinCertes/WinCertes.csproj
@@ -81,6 +81,7 @@
     <Reference Include="System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
       <HintPath>..\packages\System.Management.Automation.dll.10.0.10586.0\lib\net40\System.Management.Automation.dll</HintPath>
     </Reference>
+    <Reference Include="System.Net" />
     <Reference Include="System.Net.Http, Version=4.1.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
       <HintPath>..\packages\System.Net.Http.4.3.4\lib\net46\System.Net.Http.dll</HintPath>
     </Reference>