Cook Computing

Bagel Belly Blog mentions rumours of a project to provide Norwich with open-access wifi. All well and good for the people of Norwich but the term "EU money" raised a few of my hackles particularly in light of the current debate over the UK rebate to the EU which has been whipped up by Chirac and Schroeder to divert attention from problems within their own countries. There is no such thing as "EU money". The EU does not generate any wealth. It simply takes money raised by taxation within the member states. It does however give return some of the money in ways which are designed to increase public approval of the "project" and to increase regional dependency on the EU. I fail to see why projects such as free wifi should be funded by anyone other than the people who are going to benefit from it. On a larger scale I also fail to see why taxpayers throughout Europe should fund inefficient French farmers and whatever it is that the Spanish are being funded for (look at this BBC page, its hardly surprising that the Spanish voted for the EU constitution). If the UK has become a more wealthy country since the rebate was agreed, because we don't have a French or German style "social model" economy, that is hardly grounds for arguing that we should subsidise their inefficient economies which they refuse to reform. (I'm not necessarily saying that the "social model" is undesirable - in fact it can produce a better lifestyle in general for as long as it can be funded - but that its hypocritical to expect countries with more efficient and prosperous economies to sustain it).

You have to supply your own mouse and keyboard with a Mac Mini. The following two tips may be of use if you're coming to a Mac for the first time.

If you're using a non-Apple mouse with a Mac Mini, you may need to install the drivers that came with the mouse. I'm using a Microsoft optical mouse and it was barely usable before I installed the drivers.

If you're using a non-Apple UK keyboard you'll be irritated by some of the keys being swapped round, for example " and @. I installed UK.keylayout from Matt Sephton to map the keys to where I expect them to be. I found I could not unselect the British entry in the International - Input Menu settings so I had to select the new layout by clicking on the input menu on the menu bar (it appears as an icon to the left of the sound icon on the menu bar when you have set the "Show input menu in menu bar" option in the Input Menu settings). I also set the "Use one input source in all documents" option so that once chosen the new layout is used for all applications.

I recently took delivery of a new laptop, a Dell Latitude D810. A very nice machine but why do they have to stick those hideous Intel Inside and Designed for Windows XP stickers below the keyboard? Unlike the discount stickers on books which peel off easily, these leave a horrible sticky mess, positioned so that you brush against it every time you use the keyboard. What a clever way of trashing any good feelings you might have about the machine you've just bought. So I now need to find some solvent which will remove the sticky mess without dissolving the paint on the plastic body. Yet more irritation.

A few days ago I had to write some unmanaged C++ code to modify the DCOM limits settings to give anonymous logons the same permissions as the Everyone account (the issues around the limits settings are described in this Microsoft document). Today I thought I'd have a first look at the System.Security classes introduced in Whidbey to see what it would be like writing similar functionality in managed code. The code retrieves the security descriptor from the registry value; creates an ACE for ANONYMOUS LOGON, giving it Local and Remote access permisssions; then either adds to it to the security descriptor's DACL or replaces an existing ACE for the same SID; and finally writes the security descriptor back to the registry. Note that this is experimental code and for reconfiguring the DCOM limits settings it is likely you will need to change more than just the MachineAccessRestriction ACL.

using System;
using Microsoft.Win32;
using System.Security.AccessControl;
using System.Security.Principal;

class Program
{
  const int COM_RIGHTS_EXECUTE  = 1;
  const int COM_RIGHTS_EXECUTE_LOCAL  = 2;
  const int COM_RIGHTS_EXECUTE_REMOTE  = 4;
  const int COM_RIGHTS_ACTIVATE_LOCAL  = 8;
  const int COM_RIGHTS_ACTIVATE_REMOTE = 16;

  static void Main(string[] args)
  {
    byte[] bin = (byte[])Registry.GetValue(
      "HKEY_LOCAL_MACHINE\\Software\\microsoft\\ole", 
      "MachineAccessRestriction", null);
    RawSecurityDescriptor sd = new RawSecurityDescriptor(bin, 0);
    RawAcl dacl = sd.DiscretionaryAcl;
    NTAccount acc = new NTAccount("ANONYMOUS LOGON");
    SecurityIdentifier sid = (SecurityIdentifier)
      acc.Translate(typeof(SecurityIdentifier));
    CommonAce newAce = new CommonAce(AceFlags.None, 
      AceQualifier.AccessAllowed, COM_RIGHTS_EXECUTE 
      | COM_RIGHTS_EXECUTE_LOCAL | COM_RIGHTS_EXECUTE_REMOTE, 
      sid, false, null);
    int i;
    for (i = 0; i < dacl.Count; i++)
    {
      CommonAce ace = (CommonAce)dacl[i];
      if (ace.SecurityIdentifier == sid)
      {
        dacl.RemoveAce(i);
        break;
      }
    }
    dacl.InsertAce(i, newAce);
    sd.DiscretionaryAcl = dacl;
    byte[] outbuff = new byte[sd.BinaryLength];
    sd.GetBinaryForm(outbuff, 0);
    Registry.SetValue(
      "HKEY_LOCAL_MACHINE\\Software\\microsoft\\ole",
      "MachineAccessRestriction", outbuff);
  }
}

There may be a better way of implementing this using the new classes but even this was much nicer to write than the equivalent unmanaged code. When dealing with security on resources such as files, mutexes, registry keys, etc, there are higher level classes such as FileSecurity which are easier to use than the lower-level classes used in the code above.

Eamon O'Tuathail has a summary of Windows Security in .NET v2 and Mark Pustilnik has an MSDN article Manage Access to Windows Objects with ACLs and the .NET Framework.