本地安全策略的配置大多数是通过界面配置或者命令行配置,使用Windows提供的API比较吃力且不讨好。但是存在即合理,既然存在可以改变本地安全策略的API,那么如果不使用岂不是暴殄天物。所以在这里讲解一些如何使用这些API来修改本地安全策略
本地安全策略有好多,具体查看可以通过
控制面板-》管理工具-》本地安全策略来进行查看
英文版就是:
Control Panel->Adminitratitive tools->Local Security Policy
当然了有的版本没有,我这里使用的是企业版,目前我知道的是家庭中文版没有。
接下来就是介绍一些数据结构了。搞技术的都知道,Linux是一切资源皆文件,Windows就是一切资源皆对象,顾名思义就是C++中的类一样的存在。
因为这里修改的是高级审核策略,所以只着重介绍相关的,其他的可以重MSDN上查找,当然了这个很费眼。
以下三个数据结构就是要用的。稍微研究以下就知道,这个对应的就是安全策略中的某一个一级安全策略。具体信息可以查文档,这里就不详细介绍了
POLICY_INFORMATION_CLASS
typedef enum _POLICY_INFORMATION_CLASS {
PolicyAuditLogInformation,
PolicyAuditEventsInformation,
PolicyPrimaryDomainInformation,
PolicyPdAccountInformation,
PolicyAccountDomainInformation,
PolicyLsaServerRoleInformation,
PolicyReplicaSourceInformation,
PolicyDefaultQuotaInformation,
PolicyModificationInformation,
PolicyAuditFullSetInformation,
PolicyAuditFullQueryInformation,
PolicyDnsDomainInformation,
PolicyDnsDomainInformationInt,
PolicyLocalAccountDomainInformation,
PolicyMachineAccountInformation,
PolicyLastEntry
} POLICY_INFORMATION_CLASS, *PPOLICY_INFORMATION_CLASS;
POLICY_AUDIT_EVENTS_INFO
typedef struct _POLICY_AUDIT_EVENTS_INFO {
BOOLEAN AuditingMode;
PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions;
ULONG MaximumAuditEventCount;
} POLICY_AUDIT_EVENTS_INFO, *PPOLICY_AUDIT_EVENTS_INFO;
POLICY_AUDIT_EVENT_TYPE
typedef enum _POLICY_AUDIT_EVENT_TYPE {
AuditCategorySystem,
AuditCategoryLogon,
AuditCategoryObjectAccess,
AuditCategoryPrivilegeUse,
AuditCategoryDetailedTracking,
AuditCategoryPolicyChange,
AuditCategoryAccountManagement,
AuditCategoryDirectoryServiceAccess,
AuditCategoryAccountLogon
} POLICY_AUDIT_EVENT_TYPE, *PPOLICY_AUDIT_EVENT_TYPE;
接下来就是几个用得着的API函数
操作之前需要使用LsaOpenPolicy打开句柄;LsaQueryInformationPolicy这个函数用来枚举操作的计算机的策略;第三个就是修改的函数。每个参数的意义很多,如果想要拓展的学一定要去看官方文档。
LsaOpenPolicy
NTSTATUS LsaOpenPolicy(
PLSA_UNICODE_STRING SystemName,
PLSA_OBJECT_ATTRIBUTES ObjectAttributes,
ACCESS_MASK DesiredAccess,
PLSA_HANDLE PolicyHandle
);
LsaQueryInformationPolicy function
NTSTATUS LsaQueryInformationPolicy(
LSA_HANDLE PolicyHandle,
POLICY_INFORMATION_CLASS InformationClass,
PVOID *Buffer
);
LsaSetInformationPolicy function
NTSTATUS LsaSetInformationPolicy(
LSA_HANDLE PolicyHandle,
POLICY_INFORMATION_CLASS InformationClass,
PVOID Buffer
);
正题就是如何修改,这里由于版本的不同,理论上10个安全策略,但是只有9个。但是不影响。代码实测在VS Code上。需要管理员权限
#include "stdio.h"
#include "stdlib.h"
#include "windows.h"
#include "tchar.h"
#include "Winreg.h"
#include "shlwapi.h"
#include "Ntsecapi.h"
//#include "ntifs.h"
#include <iostream>
#include <string>
#include <vector>
#include <sddl.h>
#include <cstdlib>
using namespace std;
LSA_HANDLE GetHandle();
BOOL Get_Sec_AuditSetting();
void SET_Audit_Policy(POLICY_AUDIT_EVENT_TYPE eventtype,POLICY_AUDIT_EVENT_OPTIONS eventoption);
string GET_AUDIT_STR(string s,PPOLICY_AUDIT_EVENTS_INFO pInfo,int i);
int _tmain(int argc, _TCHAR* argv[])
{
//string result;
Get_Sec_AuditSetting();
while(1)
{
cout<<"Please choose one of the Audit Policies to set:\n";
cout<<"1: Account Logon\n";
cout<<"2: Account Management\n";
cout<<"3: Detailed Tracking\n";
cout<<"4: DS Access\n";
cout<<"5: Logon/Logoff\n";
cout<<"6: Object Access\n";
cout<<"7: Policy Change\n";
cout<<"8: Privilege Use\n";
cout<<"9: System\n";
cout<<"0: exit\n";
cout<<"Input the numboer of your chioce:";
int EventType,EventOption;
cin>>EventType;
if(EventType == 0)
{
break;
}
cout<<"Please choose the configuration you want to set:\n";
cout<<"1: Success\n";
cout<<"2: Failure\n";
cin>>EventOption;
POLICY_AUDIT_EVENT_TYPE eventtype;
POLICY_AUDIT_EVENT_OPTIONS eventoption = POLICY_AUDIT_EVENT_SUCCESS;
if(EventOption == 1)
{
eventoption = POLICY_AUDIT_EVENT_SUCCESS;
}
else
{
eventoption = POLICY_AUDIT_EVENT_FAILURE;
}
switch (EventType)
{
case 1:
eventtype = AuditCategoryAccountLogon;
break;
case 2:
eventtype = AuditCategoryAccountManagement;
break;
case 3:
eventtype = AuditCategoryDetailedTracking;
break;
case 4:
eventtype = AuditCategoryDirectoryServiceAccess;
break;
case 5:
eventtype = AuditCategoryLogon;
break;
case 6:
eventtype = AuditCategoryObjectAccess;
break;
case 7:
eventtype = AuditCategoryPolicyChange;
break;
case 8:
eventtype = AuditCategoryPrivilegeUse;
break;
case 9:
eventtype = AuditCategorySystem;
break;
}
SET_Audit_Policy(eventtype,eventoption);
}
cout<<"After setting\n";
Get_Sec_AuditSetting();
system("pause");
return 0;
}
LSA_HANDLE GetHandle()
{
LSA_HANDLE myPolicyHandle;
LSA_OBJECT_ATTRIBUTES ObjectAttributes;
PVOID *Buffer;
ZeroMemory(&ObjectAttributes, sizeof(ObjectAttributes));
NTSTATUS tmp1 = LsaOpenPolicy(NULL,&ObjectAttributes,POLICY_ALL_ACCESS,&myPolicyHandle);
if(tmp1 == ERROR_SUCCESS){
printf("get handle successfully!\n");
return myPolicyHandle;
}
printf("failed to get handle!\n");
return NULL;
}
string GET_AUDIT_STR(string x,PPOLICY_AUDIT_EVENTS_INFO pInfo,int i)
{
string str;
string result;
if(POLICY_AUDIT_EVENT_SUCCESS&pInfo->EventAuditingOptions[i]){
str+="Success";
}
if(POLICY_AUDIT_EVENT_FAILURE&pInfo->EventAuditingOptions[i]){
str+=str.size()==0?"Failure":"| Failure";
}
if(str.size() == 0){
str+="No Audit";
}
//str+="\n";
result = x+str;
return result;
}
BOOL Get_Sec_AuditSetting()
{
LSA_HANDLE handle = GetHandle();
PPOLICY_AUDIT_EVENTS_INFO pInfo;
string tmp;
if(handle){
NTSTATUS status = LsaQueryInformationPolicy(handle,PolicyAuditEventsInformation,(void **)&pInfo);
//cout<<"MaximumAuditEventCount:"<<pInfo->MaximumAuditEventCount<<endl;
if(status == CMC_STATUS_SUCCESS && pInfo->AuditingMode){
for(int i =0;i<pInfo->MaximumAuditEventCount;i++)
{
switch(i)
{
case AuditCategoryAccountLogon:
tmp = GET_AUDIT_STR("Audit Account Logon: ",pInfo,i);
cout<<tmp<<endl;
break;
case AuditCategoryAccountManagement:
tmp = GET_AUDIT_STR("Audit Account Management: ",pInfo,i);
cout<<tmp<<endl;
break;
case AuditCategoryDetailedTracking:
tmp = GET_AUDIT_STR("Audit Detailed Tracking: ",pInfo,i);
cout<<tmp<<endl;
break;
case AuditCategoryDirectoryServiceAccess:
tmp = GET_AUDIT_STR("Audit CategoryDirectory Service Access: ",pInfo,i);
cout<<tmp<<endl;
break;
case AuditCategoryLogon:
tmp = GET_AUDIT_STR("Audit Logon/Logoff: ",pInfo,i);
cout<<tmp<<endl;
break;
case AuditCategoryObjectAccess:
tmp = GET_AUDIT_STR("Audit Object Access: ",pInfo,i);
cout<<tmp<<endl;
case AuditCategoryPolicyChange:
tmp = GET_AUDIT_STR("Audit Policy Change: ",pInfo,i);
cout<<tmp<<endl;
break;
case AuditCategoryPrivilegeUse:
tmp = GET_AUDIT_STR("Audit Privilege Use: ",pInfo,i);
cout<<tmp<<endl;
break;
case AuditCategorySystem:
tmp = GET_AUDIT_STR("Audit System: ",pInfo,i);
cout<<tmp<<endl;
break;
default:
break;
}
}
}
else{
printf("STATUES ERROR %u",status);
}
}
return true;
}
void SET_Audit_Policy(POLICY_AUDIT_EVENT_TYPE eventtype,POLICY_AUDIT_EVENT_OPTIONS eventoption)
{
LSA_HANDLE handle = GetHandle();
POLICY_AUDIT_EVENTS_INFO *AuditEvent ;
NTSTATUS status;
status = LsaQueryInformationPolicy(handle,PolicyAuditEventsInformation,(void **)&AuditEvent);
//AuditEvent->AuditingMode = true;
AuditEvent->EventAuditingOptions[eventtype] = eventoption;
//cout<<"!!!"<<endl;
status = LsaSetInformationPolicy(handle,PolicyAuditEventsInformation,(void *)AuditEvent);
if(status == CMC_STATUS_SUCCESS )
{
cout<<"Set successfully!\n";
}
else
{
cout<<"Failed to set!\n";
}
}
运行结果