Advanced URL ACLing with Windows Vista

This article covers some of the advanced topics that I left out of the earlier piece on configuring HTTP for Windows Vista. In addition to having gone over the basics article, it would also be helpful to have at least a little background knowledge about Windows security descriptors.

The standard command for giving a user permission to make reservations in an HTTP namespace looks like

 netsh http add urlacl url=+:8000/ user=MYMACHINE\UserName

All of these commands assume that you're running as an account with sufficient privilege to give away a piece of the HTTP reservation namespace (by default, an account such as the elevated Administrator account). Here are three additional options that I didn't talk about before.

1. There are actually two separate permissions: one for using a registration (listen=yes/no) and one for further delegating pieces of that namespace (delegate=yes/no). The ability to use a registration is GENERIC_EXECUTE, while the ability to delegate the namespace is GENERIC_WRITE. The combination of these permissions is represented by GENERIC_ALL.
2. A namespace ACL can represent either a positive permission (Allow ACE) or a negative permission (Deny ACE). Setting a negative permission explicitly denies someone the ability to make use of a reservation or perform delegation. You can create an ACL that both denies the ability to use a registration (listen=no) and denies the ability to delegate within that namespace (delegate=no). Most other uses of this command will result in a positive permission to do something.
3. There's a new concept for a stable per-service SID in Windows based on the name of the service. This SID is the same across machines, so you can actually use it in setup scripts. Using this feature allows you to ACL a namespace to a specific service even if that service runs under an account that is shared with lots of other services (such as NETWORK SERVICE). These service SIDs look like S-1-5-80 followed by a GUID and show up with a friendly name as NT SERVICE\MyServiceName.

Additionally, netsh allows you to just use SDDL to describe your ACLs, although I'm not sure if you'll ever need to do that for WCF.

Next time: Design Pattern for Building Channel Factories and Listeners