Windows – How does URL reservation actually work in Windows, particularly the ACLs


I'm a .NET developer working on a project that contains multiple WCF services. Some automated tests try to host these services, but when I don't run the tests with administrative privileges, they fail with the following error:

System.ServiceModel.AddressAccessDeniedException : HTTP could not register 
URL http://+:45566/SomeService/. Your process does not have access rights to this namespace 
(see http://go.microsoft.com/fwlink/?LinkId=70353 for details).
  ----> System.Net.HttpListenerException : Access is denied

Following the provided link, it appears I have to give myself (normal domain user) some sort of access right using the netsh command as follows:

netsh http add urlacl url=http://+:45566/SomeService user=DOMAIN\me

Unfortunately, there seems to be no way (that I can find) to use wildcards for the port or the relative URL parts, in order to grant myself access to everything on the localhost for example.

Hence my question: what the heck is this ACL, and can I find it in a file or something in order to manipulate it more easily?

Even better: since the local administrator account seems to have access rights by default, could I somehow tell whatever system is behind this to just shut up and let me do my work?

Best Answer

Each URL access control list (ACL) reserves a portion of the HTTP URL namespace for a particular group of users. The reservation gives those users the right to create services that listen on that portion of the namespace. See https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/configuring-http-and-https for further information on namespace reservations.

You can find and manipulate all the defined URL ACLs in the registry.

If you have added a URL ACL using the command:

netsh http add urlacl url=http://+:45566/SomeService user=DOMAIN\me

You can query the registry entry for this URL ACL with:

reg query HKLM\SYSTEM\ControlSet001\Services\HTTP\Parameters\UrlAclInfo /v 'http://+:45566/SomeService/'

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HTTP\Parameters\UrlAclInfo
http://+:45566/SomeService/
REG_BINARY
010004800000000000000000000000001400000002002C000100000000002400000000200105
00000000000515000000B262BFF6EAC6403B59D621B1360C0000

The value of the registry key is a binary security descriptor. You can convert the binary SD to an SDDL string using a helper method of the WMI class Win32_SecurityDescriptorHelper:

([wmiclass]"Win32_SecurityDescriptorHelper").BinarySDToSDDL(
    [System.Runtime.Remoting.Metadata.W3cXsd2001.SoapHexBinary]::Parse(
        "010004800000000000000000000000001400000002002C00010000000000240000" +
        "000020010500000000000515000000B262BFF6EAC6403B59D621B1360C0000").Value).SDDL

D:(A;;GX;;;S-1-5-21-4139737778-994100970-2971784793-3126)

And convert the SDDL string back to binary SD:

(New-Object System.Runtime.Remoting.Metadata.W3cXsd2001.SoapHexBinary
(,([wmiclass]"Win32_SecurityDescriptorHelper").SDDLToBinarySD(
"D:(A;;GX;;;S-1-5-21-4139737778-994100970-2971784793-3126)").BinarySD)).ToString()

010004800000000000000000000000001400000002002C000100000000002400000000200105000000
00000515000000B262BFF6EAC6403B59D621B1360C0000

You can add another URL ACL to the registry:

reg add HKLM\SYSTEM\ControlSet001\Services\HTTP\Parameters\UrlAclInfo `
    /v 'http://+:45567/AnotherService/' /t REG_BINARY `
    /d 010004800000000000000000000000001400000002002C00010000000000240000000020010500000000000515000000B262BFF6EAC6403B59D621B1360C0000

And it can be seen in the netsh command:

netsh http show urlacl 'http://+:45567/AnotherService/'

URL Reservations:
-----------------

Reserved URL            : http://+:45567/AnotherService/
    User: DOMAIN\me
        Listen: Yes
        Delegate: No
        SDDL: D:(A;;GX;;;S-1-5-21-4139737778-994100970-2971784793-3126)
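As an added example (not part of the answer above), the following Python decodes the REG_BINARY value quoted above by hand, the way Win32_SecurityDescriptorHelper does internally: it walks the self-relative SECURITY_DESCRIPTOR, its DACL and each ACE, reconstructs the SID, and renders the SDDL string, then derives the Listen/Delegate flags netsh displays. It relies on http.sys's documented convention that GX (GENERIC_EXECUTE) in an allow ACE means Listen and GW (GENERIC_WRITE) means Delegate; the page itself only shows the GX case.

```python
import struct

# Constructed input: the hex of the REG_BINARY value quoted in the answer above.
URLACL_SD_HEX = (
    "010004800000000000000000000000001400000002002C000100000000002400000000200105"
    "00000000000515000000B262BFF6EAC6403B59D621B1360C0000"
)
GENERIC_ALL, GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE = 0x10000000, 0x80000000, 0x40000000, 0x20000000
SDDL_RIGHTS = [(GENERIC_ALL, "GA"), (GENERIC_READ, "GR"), (GENERIC_WRITE, "GW"), (GENERIC_EXECUTE, "GX")]
ACE_TYPES = {0: "A", 1: "D"}  # ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE

def parse_sid(buf, off):
    """Decode a binary SID at `off`: revision, sub-authority count, 48-bit big-endian authority, sub-authorities."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def parse_dacl(sd):
    """Walk the DACL of a self-relative SECURITY_DESCRIPTOR; return [(ace_type, mask, sid), ...]."""
    revision, _sbz1, control, _owner, _group, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not control & 0x8000:          # SE_SELF_RELATIVE must be set
        raise ValueError("not a self-relative security descriptor")
    if not control & 0x0004 or dacl_off == 0:          # SE_DACL_PRESENT clear: nothing is granted
        return []
    _rev, _sbz, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    aces, off = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, _flags, size, mask = struct.unpack_from("<BBHI", sd, off)
        aces.append((ace_type, mask, parse_sid(sd, off + 8)))
        off += size                                    # AceSize covers header, mask and SID
    return aces

def mask_to_sddl(mask):
    """Render an access mask with SDDL generic-right tokens; any other bits are kept as hex."""
    tokens = "".join(tok for bit, tok in SDDL_RIGHTS if mask & bit)
    rest = mask & ~sum(bit for bit, _ in SDDL_RIGHTS) & 0xFFFFFFFF
    return tokens + ("0x%08X" % rest if rest else "")

def binary_sd_to_sddl(sd_hex):
    """Same result as BinarySDToSDDL for a DACL-only descriptor such as a UrlAclInfo value."""
    aces = parse_dacl(bytes.fromhex(sd_hex))
    return "D:" + "".join("(%s;;%s;;;%s)" % (ACE_TYPES.get(t, "?"), mask_to_sddl(m), s) for t, m, s in aces)

def urlacl_rights(sd_hex):
    """Per SID, the Listen/Delegate flags netsh derives from GX/GW in an allow ACE."""
    return {sid: {"Listen": bool(mask & GENERIC_EXECUTE), "Delegate": bool(mask & GENERIC_WRITE)}
            for t, mask, sid in parse_dacl(bytes.fromhex(sd_hex)) if t == 0}

if __name__ == "__main__":
    print(binary_sd_to_sddl(URLACL_SD_HEX))  # D:(A;;GX;;;S-1-5-21-4139737778-994100970-2971784793-3126)
    print(urlacl_rights(URLACL_SD_HEX))
```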