Using VBScript to convert binary SDDL to a usable format

Status
Not open for further replies.

NiceYak

Programmer
Apr 24, 2008
6
US
I'm working on a script that will be used at my place of employment for base-lining various permissions on our 2003 servers. It was great up until I got to DCOM, and from there it's gotten sticky. Although I am aware of the security policy settings that provide system-wide DCOM access protection, I am trying to find the best way to use VBScript to figure out what the default DCOM launch and access permissions are (essentially the equivalent of what would be returned by going through the dcomcnfg.exe utility). I've found that these permissions are stored in the HKLM\SOFTWARE\Microsoft\Ole\DefaultAccessPermission and DefaultLaunchPermission registry values, but they are REG_BINARY values that only return the binary SDDL. I've been busting my brain (and Google) trying to figure out if it's even possible to decipher a binary SDDL using VBScript. Any feedback on this would be GREATLY appreciated.
 
After busting my brain over this problem for a while longer I've discovered a couple things:

1- The REG_BINARY values I referenced in my original thread actually store the actual security descriptor object in binary form (not just a binary encoded SDDL statement)

2- VBScript does not have the capability to interface with or create security descriptor objects

My Solution: Using VB.NET, I wrote a class that inherits the ObjectSecurity class. From there I am able to write custom functions that take the registry path as a parameter, and set the value of the ObjectSecurity object by reading the binary data from the registry and passing it into the SetSecurityDescriptorBinaryForm function. From there I can call the GetSecurityDescriptorSddlForm function to get the actual SDDL string. Now using VBScript I can register and un-register my DLL as needed and utilize my custom functions to handle the translation. I was hoping to not have to step outside of VBScript, but it's an acceptable solution at this point.
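
The binary form described in point 1 above is a self-relative security descriptor, and its layout can be decoded by hand; the following Python example is added here and is not code from this thread or from any poster, and it goes beyond the thread by parsing the structure directly instead of calling a Windows API. Assumptions: the function names and the sample bytes are constructed for illustration, only access-allowed and access-denied ACEs are handled, the SACL is skipped, and SIDs and access masks are written in raw form (S-1-5-18, 0x1) rather than as the aliases Windows prints.

```python
import struct

ACE_TYPES = {0x00: "A", 0x01: "D"}   # ACCESS_ALLOWED / ACCESS_DENIED only
ACE_FLAGS = [(0x01, "OI"), (0x02, "CI"), (0x04, "NP"), (0x08, "IO"), (0x10, "ID")]
DACL_FLAGS = [(0x1000, "P"), (0x0100, "AR"), (0x0400, "AI")]   # SE_DACL_* control bits

def sid_at(buf, off):
    """Decode the SID at offset off into its S-1-... string form."""
    head = buf[off:off + 8]
    if len(head) < 8 or head[0] != 1 or off + 8 + 4 * head[1] > len(buf):
        raise ValueError("malformed SID at offset %d" % off)
    authority = int.from_bytes(head[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % head[1], buf, off + 8)
    return "-".join(["S-1", str(authority)] + [str(s) for s in subs])

def acl_at(buf, off):
    """Decode the ACL at offset off into concatenated SDDL ACE strings."""
    _rev, _sbz1, size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    pos, end, aces = off + 8, min(off + size, len(buf)), []
    for _ in range(count):
        ace_type, flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        if ace_type not in ACE_TYPES or ace_size < 16 or pos + ace_size > end:
            raise ValueError("unsupported or malformed ACE at offset %d" % pos)
        names = "".join(name for bit, name in ACE_FLAGS if flags & bit)
        aces.append("(%s;%s;0x%x;;;%s)" % (ACE_TYPES[ace_type], names, mask, sid_at(buf, pos + 8)))
        pos += ace_size
    return "".join(aces)

def sd_to_sddl(buf):
    """Convert a self-relative binary security descriptor to an SDDL string."""
    try:
        rev, _sbz1, control, owner, group, _sacl, dacl = struct.unpack_from("<BBHIIII", buf)
        if rev != 1 or not control & 0x8000:              # SE_SELF_RELATIVE
            raise ValueError("not a revision 1 self-relative security descriptor")
        sddl = "".join(tag + sid_at(buf, o) for tag, o in (("O:", owner), ("G:", group)) if o)
        if control & 0x0004 and dacl:                     # SE_DACL_PRESENT
            sddl += "D:" + "".join(n for bit, n in DACL_FLAGS if control & bit) + acl_at(buf, dacl)
        return sddl
    except struct.error as exc:                           # a read ran past the buffer
        raise ValueError("truncated security descriptor") from exc

# Constructed sample: header + ACL header, two allow ACEs (mask 0x1), owner SID, group SID.
SAMPLE = bytes.fromhex(
    "0100048048000000580000000000000014000000" "0200340002000000"
    "0000140001000000010100000000000512000000" "000018000100000001020000000000052000000020020000"
    "01020000000000052000000020020000" "01020000000000052000000020020000")

if __name__ == "__main__":
    print(sd_to_sddl(SAMPLE))
```

On a Windows host the input bytes would come from the REG_BINARY value itself, for instance via the standard `winreg` module's `QueryValueEx`, which returns REG_BINARY data as `bytes`.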
 
>1- The REG_BINARY values I referenced in my original thread actually store the actual security descriptor object in binary form (not just a binary encoded SDDL statement)
So? What is the problem?

>2- VBScript does not have the capability to interface with or create security descriptor objects
Incorrect.
 
Based on the stuff I read (and what I gathered from the MSDN website), I didn't think it was possible with VBScript to create a security descriptor object, assign its value using the REG_BINARY data and then dump the SDDL as a string. Everything I found, at the MSDN website at least, was for Vista or Server 2008 or could only be exposed using .NET. As I said above, I was able to do it using VB.NET but if you know how to do it using VBScript, I would love to know!
 
I have no intention of playing a wording game. If you say it cannot do such and such, it implies you know the boundary of what it (vbs) can do. It is very tempting to make that kind of statement indeed. Nothing personal.
 
I see your point...yes, I probably should have stuck with saying that I don't know whether or not it is possible to accomplish what I am trying to with VBScript. On the MSDN website I found a method for doing what I want to, but it is only supported on Windows Vista and Server 2008, so I assumed that there wasn't an equivalent that would work for XP or Server 2003. At any rate, I would still like to know if anyone knows of a way I can do this without having to step outside of VBScript.
 