Class WindowsSecurityHelper

Provides helper methods related to Windows security API.

Inheritance
Object
WindowsSecurityHelper
Inherited Members
Namespace: Nevatech.Vsb.Repository.Security
Assembly: Nevatech.Vsb.Repository.dll
Syntax
public static class WindowsSecurityHelper

Fields

LocalServiceAccountName

Localized name of the Local Service system account.

Declaration
public static readonly string LocalServiceAccountName
Field Value
Type Description
String

LocalSystemAccountName

Localized name of the Local System system account.

Declaration
public static readonly string LocalSystemAccountName
Field Value
Type Description
String

NetworkServiceAccountName

Localized name of the Network Service system account.

Declaration
public static readonly string NetworkServiceAccountName
Field Value
Type Description
String

Methods

Canonicalize(ObjectSecurity)

Ensures that provided Access Control List (ACL) is in canonical order.

Declaration
public static void Canonicalize(this ObjectSecurity accessControlList)
Parameters
Type Name Description
ObjectSecurity accessControlList

Access Control List (ACE) that needs to be sorted in canonical order.
Remarks

A canonical ACL must have ACEs sorted according to the following order:

  1. Access-denied on the object
  2. Access-denied on a child or property
  3. Access-allowed on the object
  4. Access-allowed on a child or property
  5. All inherited ACEs

GetDomainName()

Returns domain name that current machine is joined to.

Declaration
public static string GetDomainName()
Returns
Type Description
String

Domain name that current machine is joined to, or Null, if machine is not joined to a domain.

GetServicePrincipalName()

Returns Service Principal Name (SPN) corresponding to the current host.

Declaration
public static string GetServicePrincipalName()
Returns
Type Description
String

Service Principal Name (SPN) corresponding to the current host.

GetUserPrincipalName(String)

Returns User Principal Name (UPN) corresponding to provided user's SAM name.

Declaration
public static string GetUserPrincipalName(string domainAndUserName)
Parameters
Type Name Description
String domainAndUserName

Domain and user name (formatted like 'domain\username') of the user whose UPN needs to be retrieved.
Returns
Type Description
String

User Principal Name (UPN) corresponding to provided user's SAM name.

IsLocal(String)

Checks provided host name, machine name, or IP address, and returns flag indicating that, it belongs to the local machine.

Declaration
public static bool IsLocal(string serverNameOrAddress)
Parameters
Type Name Description
String serverNameOrAddress

Host name, machine name, or IP address that needs to be validated.
Returns
Type Description
Boolean

True, if provided address belongs to the local machine. False, otherwise.

LogOnUser(String, String)

Attempts to log a user on to the local computer using provided credentials and returns user Windows identity.

Declaration
public static WindowsIdentity LogOnUser(string userName, string password)
Parameters
Type Name Description
String userName

Name of the user account to log on to.
String password

String that specifies the plaintext password for the user account specified by userName.
Returns
Type Description
WindowsIdentity

Windows identity of the logged on user.

LogOnUser(String, String, String)

Attempts to log a user on to the local computer using provided local or domain credentials and returns user Windows identity.

Declaration
public static WindowsIdentity LogOnUser(string domainName, string userName, string password)
Parameters
Type Name Description
String domainName

Name of the domain or server whose account database contains the userName account. If this parameter is NULL, the user name must be specified in UPN format. If this parameter is ".", the function validates the account by using only the local account database.
String userName

Name of the user account to log on to. If you use the user principal name (UPN) format (like "user@DNS_domain_name"), the domainName parameter must be NULL.
String password

String that specifies the plain-text password for the user account specified by userName.
Returns
Type Description
WindowsIdentity

Windows identity of the logged on user.

LookupAccountName(String)

Returns Sid corresponding to provided Windows user account or Windows group registered on the local machine or specified domain.

Declaration
public static SecurityIdentifier LookupAccountName(string accountOrGroupName)
Parameters
Type Name Description
String accountOrGroupName

String that specifies the account name. Use a fully qualified string in the domain_name\user_name format to ensure that method finds the account in the desired domain.
Returns
Type Description
SecurityIdentifier

Sid structure that corresponds to the account name pointed to by the accountOrGroupName parameter.

LookupAccountName(String, String, out String, out SidUsageType)

Returns Sid corresponding to provided Windows user account or Windows group registered on the local machine or specified domain.

Declaration
public static SecurityIdentifier LookupAccountName(string accountOrGroupName, string systemName, out string domainName, out SidUsageType sidUsage)
Parameters
Type Name Description
String accountOrGroupName

String that specifies the account name. Use a fully qualified string in the domain_name\user_name format to ensure that method finds the account in the desired domain.
String systemName

String that specifies the name of the system. This string can be the name of a remote computer. If this string is NULL, the account name translation begins on the local system. If the name cannot be resolved on the local system, this function will try to resolve the name using domain controllers trusted by the local system. Generally, specify system name only when the account is in an untrusted domain and the name of a computer in that domain is known.
String domainName

Name of the domain where the account name is found. For computers that are not joined to a domain, this is the computer name.
SidUsageType sidUsage

SidUsageType enumerated type that indicates the type of the account when the function returns.
Returns
Type Description
SecurityIdentifier

Sid structure that corresponds to the account name pointed to by the accountOrGroupName parameter.

LookupApplicationAccountName(String)

Returns application pool identity Sid corresponding to provided IIS application pool name.

Declaration
public static SecurityIdentifier LookupApplicationAccountName(string applicationPoolName)
Parameters
Type Name Description
String applicationPoolName

IIS application pool name which application identity Sid needs to be retrieved.
Returns
Type Description
SecurityIdentifier

Sid structure of the application pool identity that corresponds to the pool name pointed to by the applicationPoolName parameter.

SetCertificatePermission(X509Certificate2, SecurityIdentifier)

Grants read-only permission to private key of the provided X.509 certificate to the specified Windows account.

Declaration
public static void SetCertificatePermission(X509Certificate2 certificate, SecurityIdentifier account)
Parameters
Type Name Description
X509Certificate2 certificate

X.509 certificate stored in the machine certificate store to grant access to.
SecurityIdentifier account

Windows system or user account security identifier which needs access to provided X.509 certificate.
Remarks

To get SID of the specific used account use LookupAccountName(String) method.

To get SID of the system account use the following code snippets: new SecurityIdentifier(WellKnownSidType.LocalServiceSid, null), new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null).

TranslateSid(String)

Translate the provided security identifier in SDDL form to Windows group or user account name.

Declaration
public static string TranslateSid(string sid)
Parameters
Type Name Description
String sid

Security identifier that needs to be translated.
Returns
Type Description
String

Windows group or account nae corresponding to the provided identifier.