diff --git a/WinCertes/Config/RegistryConfig.cs b/WinCertes/Config/RegistryConfig.cs
index b99971c..359c47a 100644
--- a/WinCertes/Config/RegistryConfig.cs
+++ b/WinCertes/Config/RegistryConfig.cs
@@ -37,23 +37,45 @@ public RegistryConfig(bool extra = false)
_registryKey += @"\extra";
_subKey += @"\extra";
}
- RegistryKey regKey = Registry.LocalMachine.OpenSubKey("SOFTWARE").OpenSubKey("WinCertes", RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.FullControl);
+ RegistryKey regKey = Registry.LocalMachine.OpenSubKey("SOFTWARE").OpenSubKey("WinCertes");
RegistrySecurity regSec = regKey.GetAccessControl(AccessControlSections.All);
- regSec.SetOwner(new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null));
- regSec.SetAccessRuleProtection(true, false);
- regKey.SetAccessControl(regSec);
- RegistryAccessRule adminFull = new RegistryAccessRule(new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null), RegistryRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow);
- regSec.AddAccessRule(adminFull);
- adminFull = new RegistryAccessRule(new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), RegistryRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow);
- regSec.AddAccessRule(adminFull);
- regKey.SetAccessControl(regSec);
- }
+ foreach(RegistryAccessRule rule in regSec.GetAccessRules(true, true, typeof(NTAccount))) {
+ if (rule.IdentityReference.Value==@"BUILTIN\Users")
+ {
+ _logger.Debug("Users have rights on Registry entry: Need to fix rights");
+ fixRights();
+ break;
+ }
+ }
+ }
catch (Exception e)
{
_logger.Warn(e,$"Warning: Could not open/create registry subkey: {e.Message}. We'll try to continue anyway.");
}
}
+ private void fixRights()
+ {
+ // We have a private key inside the registry, therefore we should ensure only admins have access to it
+ RegistryKey regKey = Registry.LocalMachine.OpenSubKey("SOFTWARE").OpenSubKey("WinCertes", RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.FullControl);
+ RegistrySecurity regSec = regKey.GetAccessControl(AccessControlSections.All);
+ regSec.SetOwner(new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null));
+ regSec.SetAccessRuleProtection(true, false);
+ regKey.SetAccessControl(regSec);
+ RegistryAccessRule adminFull = new RegistryAccessRule(new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null), RegistryRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow);
+ regSec.AddAccessRule(adminFull);
+ adminFull = new RegistryAccessRule(new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), RegistryRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow);
+ regSec.AddAccessRule(adminFull);
+ string domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
+ // If we're joined to a domain, we probably need to give access to domain admins as well
+ if ((domain != null) && (domain.Length > 0))
+ {
+ adminFull = new RegistryAccessRule(new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, null), RegistryRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow);
+ regSec.AddAccessRule(adminFull);
+ }
+ regKey.SetAccessControl(regSec);
+ }
+
///
/// Reads parameter from configuration as string, null if none
///
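Review bot: `new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, null)` in the domain branch of fixRights cannot produce a Domain Admins SID without a domain SID — that overload throws ArgumentNullException for account-domain well-known SID types when the second argument is null — so on every domain-joined host the method aborts before its final `regKey.SetAccessControl(regSec)`. Because fixRights runs inside the constructor's try block, the exception is caught by the handler that logs "Could not open/create registry subkey" and the key is left in the intermediate state written by the first `regKey.SetAccessControl(regSec)` call: inheritance already cut off, but the Administrators and SYSTEM allow rules never written. Resolve the domain SID first and add the rule only when it is available (constructed example below; the token-derived SID is null when the process runs as SYSTEM, so a fallback via the computer account `new NTAccount(domain, Environment.MachineName + "$")` may be needed — confirm against how WinCertes is launched). Separately, the detection in the constructor compares the localized account name `BUILTIN\Users`, which misses non-English systems and other broad principals such as Everyone or Authenticated Users; enumerating with `typeof(SecurityIdentifier)` and comparing against `new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null)` (and `WorldSid`, `AuthenticatedUserSid`) is locale-independent. The constructor RegistryConfig starts outside the hunk, and the `regKey` handles in both methods are never disposed (`using`).
```csharp
// … unchanged: owner, protection, Administrators and SYSTEM rules …
string domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
// If we're joined to a domain, we probably need to give access to domain admins as well
if ((domain != null) && (domain.Length > 0))
{
    // Account-domain well-known SIDs require the domain SID; passing null throws.
    // NOTE(review): AccountDomainSid is null for the SYSTEM token — fallback via the computer account may be needed, confirm.
    SecurityIdentifier domainSid = WindowsIdentity.GetCurrent().User?.AccountDomainSid;
    if (domainSid != null)
    {
        adminFull = new RegistryAccessRule(new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, domainSid), RegistryRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow);
        regSec.AddAccessRule(adminFull);
    }
    else
    {
        _logger.Warn("Domain-joined but the domain SID could not be determined; Domain Admins rule not added");
    }
}
regKey.SetAccessControl(regSec);
```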
diff --git a/WinCertes/WinCertes.csproj b/WinCertes/WinCertes.csproj
index 7438ee0..0ee48c3 100644
--- a/WinCertes/WinCertes.csproj
+++ b/WinCertes/WinCertes.csproj
@@ -81,6 +81,7 @@
..\packages\System.Management.Automation.dll.10.0.10586.0\lib\net40\System.Management.Automation.dll
+
..\packages\System.Net.Http.4.3.4\lib\net46\System.Net.Http.dll