Prevent WNetAddConnection2 class which allows prohibited user to access shared folder

1
votes

I had developed C# windows application. OS is Windows 7

Requirement: is to access Network Shared Folder ‘Test’ using code with credentials using WNetAddConnection2 class.

Restriction: is some users has access of this shared folder ‘Test’, but for other user,‘deny’ sharing permission is set.

in code WNetAddConnection2 validates wrong username/password, It will give me error.

For example

‘User A’ from LAN is trying to access Shared folder ‘Test’ using run command, He is not able to access ‘Access is denied’ because he has not permission.

but issue is WNetAddConnection2 class allows ‘User A’ to establish network connection successfully. Infect “WNetAddConnection2 allows all users from domain”. Class is validating access rights.

Code is

private void btnValidate_Click(object sender, EventArgs e)
     {
         bool valid = false;
         try
         {              
             NetworkCredential NC = new NetworkCredential(txtUserName.Text.Trim(), txtPassword.Text.Trim());  

         }
         catch (Exception ex)
         {
             MessageBox.Show(ex.Message.ToString());
         }
     }

public class NetworkConnection : IDisposable
 {
     string _networkName;
     uint dwFlags;
     public NetworkConnection(string networkName, NetworkCredential credentials)
     {
         _networkName = networkName;

         var netResource = new NetResource()
         {
             Scope = ResourceScope.GlobalNetwork,
             ResourceType = ResourceType.Disk,
             DisplayType = ResourceDisplaytype.Share,
             RemoteName = networkName
         };

         var userName = string.IsNullOrEmpty(credentials.Domain)
             ? credentials.UserName
             : string.Format(@"{0}\{1}", credentials.Domain, credentials.UserName);

         var result = WNetAddConnection2(netResource,"","",0x00000008 | 0x00000010);

         if (result != 0)
         {
             string strErrMsg = "";
             if (result == 67)
             {
                 strErrMsg = "The network name cannot be found.";
             }
             if (result == 86)
             {
                 strErrMsg = "Invalid UserName or Password for ProBiz server";
             }
             else if (result == 1219)
             {
                 strErrMsg = "Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed.Close application to Disconnect all previous connections to the server or shared resource and try again.";
             }

             throw new Win32Exception(result, "Error connecting to "+networkName+" remote share.Error Code:"+result.ToString()+"."+strErrMsg);
         }
         else
         {
             MessageBox.Show("Test connection is successful for "+ networkName);
         }
     }

     ~NetworkConnection()
     {
         Dispose(false);
     }

     public void Dispose()
     {
         Dispose(true);
         GC.SuppressFinalize(this);
     }

     protected virtual void Dispose(bool disposing)
     {
         WNetCancelConnection2(_networkName,  1, true  );
         var command = "NET USE  /delete *";
         ExecuteCommand(command, 5000);

     }
     public static int ExecuteCommand(string command, int timeout)
     {
         var processInfo = new ProcessStartInfo("cmd.exe", "/C " + command)
         {
             CreateNoWindow = true,
             UseShellExecute = false,
             WorkingDirectory = "C:\\",
         };

         var process = Process.Start(processInfo);
         process.WaitForExit(timeout);
         var exitCode = process.ExitCode;
         process.Close();
         return exitCode;
     } 

     [DllImport("mpr.dll")]
     private static extern int WNetAddConnection2(NetResource netResource,
         string password, string username, int flags);

     [DllImport("mpr.dll")]
     private static extern int WNetCancelConnection2(string name, int flags,
         bool force);
 }

 [StructLayout(LayoutKind.Sequential)]
 public class NetResource
 {
     public ResourceScope Scope;
     public ResourceType ResourceType;
     public ResourceDisplaytype DisplayType;
     public int Usage;
     public string LocalName;
     public string RemoteName;
     public string Comment;
     public string Provider;
 }

 public enum ResourceScope : int
 {
     Connected = 1,
     GlobalNetwork,
     Remembered,
     Recent,
     Context
 };

 public enum ResourceType : int
 {
     Any = 0,
     Disk = 1,
     Print = 2,
     Reserved = 8,
 }

 public enum ResourceDisplaytype : int
 {
     Generic = 0x0,
     Domain = 0x01,
     Server = 0x02,
     Share = 0x03,
     File = 0x04,
     Group = 0x05,
     Network = 0x06,
     Root = 0x07,
     Shareadmin = 0x08,
     Directory = 0x09,
     Tree = 0x0a,
     Ndscontainer = 0x0b
 }
2
c#windowsnetworkingdirectoryshared
If you're connecting to the share with a specific username and password, then it doesn't matter what user account is logged in to the local computer. If you want access to be based on who is logged in to the local computer, don't provide a username and password in the call to WNetAddConnection2.Harry Johnston
@Harry Now,I am not passing credential in code, WNetAddConnection2 prompt me and shared folder connection successful, when I logged as ‘User A’ which hasn’t access , WNetAddConnection2 allows connection with ‘User A’’s credentials.Miki Shah
Which operating system are you trying this on?John Willemse
...and can you post the code in which you build the NETRESOURCE struct and the declaration of WNetAddConnection2?John Willemse
There's no such thing as "deny sharing permission", so I suspect that you've set a deny access control entry on the folder that is being shared. This will not prevent a user from connecting to the share. Whether or not you can connect to a share is determined by the share permissions, not by the permissions on the folder being shared.Harry Johnston

2 Answers

0
votes

By design, connecting to a share requires access to the share - it does not require access to the root directory of the share.

Opening the share via the Run box opens the root directory of the share, so it requires at least read access to the directory as well as to the share. The WNetAddConnection2() API, by comparison only requires access to the share.

It has to work this way, because it is sometimes desirable to give someone access to only certain subdirectories, but not the root directory. If connecting to the share required access to the root directory this would not be possible.

After connecting to the share, you can test access to the root directory by attempting to enumerate the files. If you get an access denied exception, the user does not have access.

-3
votes

I had the same problem when I used to deploy my C# project in IIS 7.5, but it's amazing when I do to removed the logout procedure of my code. . .

What I mean is removed function LogoutFromShare(ip,folder) server directory.

I use ony this one LoginToOtherPC(ip, usr, pwd, folder).