restrict the use of a filter driver for user, group

Is it possible to restrict the use of a driver to a specific user or group, and if so, how?

I mean restricting functions.
I want specific functions in the WMI interface to be allowed, e.g. for admins only.

Lucky for you, WMI is restricted to admin only already.

Bent from my phone


From: xxxxx@lists.osr.com on behalf of xxxxx@x-publisher.com
Sent: Wednesday, March 21, 2018 3:17:15 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] restrict the use of a filter driver for user, group

I mean restricting functions.
I want specific functions in the WMI interface to be allowed, e.g. for admins only.


NTDEV is sponsored by OSR

Visit the list online at: https:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at https:

To unsubscribe, visit the List Server section of OSR Online at https:

Does this also mean that I need a second interface if I want to do it more specifically?

I don’t understand the question. Do you mean a second wmi interface or something else like a device interface? Or different IOCTLs handled by the same device interface require different rights?

-----Original Message-----
From: xxxxx@lists.osr.com On Behalf Of xxxxx@x-publisher.com
Sent: Wednesday, March 21, 2018 8:30 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] restrict the use of a filter driver for user, group

Does this also mean that I need a second interface if I want to do it more specifically?



I asked because I want to give different rights to different functions.
To set the configuration in my filter driver it is OK to do it as admin, but I also have functions which the user can call any time he wants through a user app.
Additionally, if the user is logged in as an admin, I want to automatically disable all the functions by default in the driver. Is this possible?

Or different IOCTLs handled by the same device interface require different rights?
yes.
Or, more generally, what is possible with rights in the driver? I searched on the web but couldn't find anything.

The simplest way to do this for IOCTLs is

  1. assign an SDDL string that requires admin for READ access. This way, the io manager will perform the check and enforcement for you
  2. in handling the create irp, see if READ access is being requested. If so, the user must be admin
  3. define your admin only IOCTLs as requiring read access (not FILE_ANY_ACCESS)

You can replace write with read if you want, or use write for a different user group check.

d

-----Original Message-----
From: xxxxx@lists.osr.com On Behalf Of xxxxx@x-publisher.com
Sent: Wednesday, March 21, 2018 9:41 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] restrict the use of a filter driver for user, group

Or different IOCTLs handled by the same device interface require different rights?
yes.
Or, more generally, what is possible with rights in the driver? I searched on the web but couldn't find anything.



First really ask yourself why you are inventing your own security model?
I’ve rarely seen any reason for it. If you want to know in theory what you
can do, go look at OSR’s explanation of Windows Security from almost 20
years ago at http://www.osronline.com/article.cfm?article=56

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@x-publisher.com
Sent: Wednesday, March 21, 2018 12:41 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] restrict the use of a filter driver for user, group

Or different IOCTLs handled by the same device interface require different
rights?
yes.
Or, more generally, what is possible with rights in the driver? I searched on
the web but couldn't find anything.



Can I do it in the following way:

  1. In my filter driver I create a control device
  2. Before I create the device I call
     • WdfDeviceInitAssignName
     • WdfDeviceInitAssignSDDLString
     and after it I create a symbolic name with WdfDeviceCreateSymbolicLink

Is this right?

A second question:
Can I create the control device from DriverEntry, or should I create it inside Add control device and check whether it is already created?
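The scheme from the earlier reply (SDDL on the device plus access bits in the IOCTL codes) and the control-device SDDL asked about here, as a user-mode model that is an added example, not code from the thread and not driver code. The IOCTL names, function codes and the SDDL string are assumptions; the CTL_CODE layout and access constants follow the Windows headers, and the ACL is reduced to read-data and write-data bits.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants and CTL_CODE bit layout as defined in the Windows headers. */
#define FILE_DEVICE_UNKNOWN 0x22u
#define METHOD_BUFFERED     0u
#define FILE_ANY_ACCESS     0u
#define FILE_READ_ACCESS    1u
#define FILE_WRITE_ACCESS   2u
#define FILE_READ_DATA      0x0001u
#define FILE_WRITE_DATA     0x0002u
#define CTL_CODE(t, f, m, a) (((t) << 16) | ((a) << 14) | ((f) << 2) | (m))

/* Hypothetical IOCTLs for the filter's control device (names are assumptions). */
#define IOCTL_FLT_SET_CONFIG CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800u, METHOD_BUFFERED, FILE_READ_ACCESS)
#define IOCTL_FLT_USER_CALL  CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801u, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_FLT_UNGUARDED  CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802u, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define OPEN_DENIED UINT32_MAX

/* Simplified stand-in for an SDDL such as (assumed example)
   D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GW;;;BU): administrators may open for
   read and write data, ordinary users for write data only. */
static uint32_t acl_allows(int is_admin) {
    return is_admin ? (FILE_READ_DATA | FILE_WRITE_DATA) : FILE_WRITE_DATA;
}

/* Create-time check: granted access mask, or OPEN_DENIED if the ACL refuses. */
uint32_t open_device(int is_admin, uint32_t desired) {
    return (desired & ~acl_allows(is_admin)) ? OPEN_DENIED : desired;
}

/* Per-request check of the access bits embedded in the IOCTL code against
   the handle's granted access. Returns 1 if the request reaches the driver. */
int ioctl_allowed(uint32_t granted, uint32_t code) {
    uint32_t need = (code >> 14) & 3u;
    if (granted == OPEN_DENIED) return 0;
    if ((need & FILE_READ_ACCESS) && !(granted & FILE_READ_DATA)) return 0;
    if ((need & FILE_WRITE_ACCESS) && !(granted & FILE_WRITE_DATA)) return 0;
    return 1;
}

int main(void) {
    uint32_t user = open_device(0, FILE_WRITE_DATA);
    uint32_t admin = open_device(1, FILE_READ_DATA | FILE_WRITE_DATA);
    printf("user : SET_CONFIG=%d USER_CALL=%d UNGUARDED=%d\n",
           ioctl_allowed(user, IOCTL_FLT_SET_CONFIG),
           ioctl_allowed(user, IOCTL_FLT_USER_CALL),
           ioctl_allowed(user, IOCTL_FLT_UNGUARDED));
    printf("admin: SET_CONFIG=%d\n", ioctl_allowed(admin, IOCTL_FLT_SET_CONFIG));
    return 0;
}
```

IOCTL_FLT_UNGUARDED passes on the non-admin handle, which is why admin-only requests must not be declared with FILE_ANY_ACCESS.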