Пример #1
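  def user_rights_policy(self, policy):
    """Audit which accounts hold one user right against the policy file.

    Args:
        policy: mapping with ``right_type`` (the user-right name passed to
            LSA) and ``value_data`` (the expected account names joined by
            ``&&``, optionally quoted; an empty string means that no
            account may hold the right).

    Returns:
        ``{"status": 0, ...}`` when the holders match the expectation,
        ``{"status": 1, ...}`` naming the first mismatch found, or
        ``{"status": -1, ...}`` when the check could not be carried out.
        The method never raises.
    """
    lsa_policy = None
    try:
        # NOTE(review): 25 (0x19) is an unnamed access mask. Prefer the named
        # POLICY_* constants and confirm it requests no more than this
        # read-only check needs.
        lsa_policy = win32security.LsaOpenPolicy("", 25)
        try:
            sids = win32security.LsaEnumerateAccountsWithUserRight(
                lsa_policy, policy["right_type"])
        except win32security.error as err:
            # pywin32 is expected to report "nobody holds this right" as
            # Win32 error 259 (ERROR_NO_MORE_ITEMS) instead of returning an
            # empty list; without this branch an empty expectation could
            # never pass. TODO confirm on the deployed pywin32 version.
            if getattr(err, "winerror", None) != 259:
                raise
            sids = []

        # Only the account name ([0]) is kept; the domain part returned by
        # LookupAccountSid is dropped, so same-named accounts from different
        # domains cannot be told apart by this check.
        actual_users = [win32security.LookupAccountSid(None, sid)[0] for sid in sids]

        file_users = policy["value_data"]
        if file_users == '':
            if not actual_users:
                return {"status": 0, "msg": "Passed"}
            return {"status": 1, "msg": "There are users who are granted this permission"}

        expected_users = [
            user.strip()
            for user in file_users.replace("'", "").replace('"', '').split('&&')
        ]

        # Windows account names are case-insensitive: compare folded forms and
        # keep the original spelling only for the report text.
        held = {name.casefold() for name in actual_users}
        wanted = {name.casefold() for name in expected_users}

        for user in expected_users:
            if user.casefold() not in held:
                return {"status": 1, "msg": f"User {user} not granted permission"}

        for user in actual_users:
            if user.casefold() not in wanted:
                return {"status": 1, "msg": f"User {user} should not be granted permission"}
        return {"status": 0, "msg": "Passed"}
    except Exception as e:
        # Every failure (bad policy entry, lookup error, access denied) ends
        # up here; the printed exception is the only trace of the real cause.
        print(e)
        return {"status": -1, "msg": "To be done Acces Denied User Rights"}
    finally:
        if lsa_policy is not None:
            try:
                win32security.LsaClose(lsa_policy)
            except Exception:
                pass  # closing is best effort; the verdict above stands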
Пример #2
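 def user_rights_policy(self, policy):
     """Make the holders of one user right match the policy file.

     Accounts listed in ``policy["value_data"]`` (names joined by ``&&``,
     optionally quoted) that do not hold ``policy["right_type"]`` are granted
     it; accounts that hold it but are not listed lose it.

     An empty string and the literal ``"Undefined"`` are both treated as
     "nobody is listed", so every current holder loses the right.
     NOTE(review): if "Undefined" means "not configured" in the policy
     source, stripping all holders may not be what is intended - confirm.

     Returns:
         ``{"status": 0, "msg": {"granted": [...], "deleted": [...],
         "failed": [...]}}``. ``failed`` lists every change that raised,
         with the account, the action and the error text. ``status`` stays 0
         for backward compatibility, so callers must treat a non-empty
         ``failed`` as incomplete enforcement.
     """
     right = policy["right_type"]
     granted = []
     deleted = []
     failed = []

     # One handle for the whole run instead of a new, never-closed handle per
     # call. NOTE(review): 25 (0x19) is an unnamed access mask; prefer the
     # named POLICY_* constants.
     lsa_policy = win32security.LsaOpenPolicy("", 25)
     try:
         try:
             sids = win32security.LsaEnumerateAccountsWithUserRight(lsa_policy, right)
         except win32security.error as err:
             # pywin32 is expected to report "nobody holds this right" as
             # Win32 error 259 (ERROR_NO_MORE_ITEMS); treat that as an empty
             # holder list so the listed accounts can still be granted the
             # right. TODO confirm on the deployed pywin32 version.
             if getattr(err, "winerror", None) != 259:
                 raise
             sids = []

         # Keep each SID next to its display name so that removal acts on the
         # exact SID that was enumerated, not on whatever the bare name
         # resolves to later. An unresolvable SID still raises here, before
         # any change is made.
         holders = [(win32security.LookupAccountSid(None, sid)[0], sid) for sid in sids]

         file_users = policy["value_data"]
         if file_users == '' or file_users == "Undefined":
             # Never look up an account literally named "" or "Undefined".
             wanted_users = []
         else:
             wanted_users = [
                 user.strip()
                 for user in file_users.replace("'", "").replace('"', '').split('&&')
             ]
             wanted_users = [user for user in wanted_users if user]

         # Windows account names are case-insensitive. A case-sensitive
         # comparison would grant the right to "administrators" and then
         # remove it from "Administrators" - the same account.
         held = {name.casefold() for name, _sid in holders}
         wanted = {name.casefold() for name in wanted_users}

         for user in wanted_users:
             if user.casefold() in held:
                 continue
             try:
                 sid = win32security.LookupAccountName(None, user)[0]
                 win32security.LsaAddAccountRights(lsa_policy, sid, [right])
                 granted.append(user)
             except Exception as e:
                 # Best effort as before, but the failure is now recorded.
                 failed.append({"user": user, "action": "grant", "error": str(e)})

         for user, sid in holders:
             if user.casefold() in wanted:
                 continue
             try:
                 win32security.LsaRemoveAccountRights(lsa_policy, sid, 0, [right])
                 deleted.append(user)
             except Exception as e:
                 failed.append({"user": user, "action": "delete", "error": str(e)})
     finally:
         try:
             win32security.LsaClose(lsa_policy)
         except Exception:
             pass  # closing is best effort; changes already made are reported

     return {"status": 0, "msg": {"granted": granted, "deleted": deleted, "failed": failed}}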
Пример #3
import win32security, win32file, win32api, ntsecuritycon, win32con
from security_enums import TRUSTEE_TYPE, TRUSTEE_FORM, ACE_FLAGS, ACCESS_MODE

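# Privileges to enable in this process's token before talking to LSA, as
# (LUID, attribute) pairs in the form AdjustTokenPrivileges expects.
# NOTE(review): the script only enumerates the holders of a user right;
# confirm which of these privileges that actually needs and drop the rest.
new_privs = (
    (win32security.LookupPrivilegeValue('', ntsecuritycon.SE_SECURITY_NAME),
     win32con.SE_PRIVILEGE_ENABLED),
    (win32security.LookupPrivilegeValue(
        '', ntsecuritycon.SE_CREATE_PERMANENT_NAME),
     win32con.SE_PRIVILEGE_ENABLED),
    # Passed as a string literal: this name doesn't seem to be in
    # ntsecuritycon.py.
    (win32security.LookupPrivilegeValue('', 'SeEnableDelegationPrivilege'),
     win32con.SE_PRIVILEGE_ENABLED),
)

ph = win32api.GetCurrentProcess()
# NOTE(review): TOKEN_ALL_ACCESS is broader than adjusting privileges
# requires; the original author already hinted at
# win32con.TOKEN_ADJUST_PRIVILEGES as the narrower alternative.
th = win32security.OpenProcessToken(ph, win32security.TOKEN_ALL_ACCESS)
win32security.AdjustTokenPrivileges(th, 0, new_privs)

# NOTE(review): POLICY_ALL_ACCESS is requested although the handle is only
# used to enumerate accounts; a narrower mask would follow least privilege.
policy_handle = win32security.GetPolicyHandle('',
                                              win32security.POLICY_ALL_ACCESS)
try:
    # List every account that holds the restore right and print its lookup
    # result.
    sidlist = win32security.LsaEnumerateAccountsWithUserRight(
        policy_handle, ntsecuritycon.SE_RESTORE_NAME)
    for sid in sidlist:
        # Function-call form prints the same text on Python 2 and also
        # parses on Python 3.
        print(win32security.LookupAccountSid('', sid))
finally:
    # Release the LSA handle even when enumeration or a lookup raises.
    win32security.LsaClose(policy_handle)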