cloudfoundry · geofffranks · May 1, 2026 · May 1, 2026
@@ -19,8 +19,8 @@ reg.exe import $ccgPackagePath\EventLog.reg
 Write-Output "Register the plugin's GUID with CCG" | timestamp
 & "$ccgPackagePath\RegisterPluginWithCCG.ps1"
 
-Write-Output "Change permissions to grant everyone access to dll" | timestamp
-cmd.exe /C "icacls $ccgPackagePath\CfCcgPlugin.dll /grant Everyone:(F)"
+Write-Output "Change permissions to grant LocalService and NetworkService access to dll" | timestamp
+cmd.exe /C "icacls $ccgPackagePath\CfCcgPlugin.dll /grant `"NT AUTHORITY\LocalService`":(RX) /grant `"NT AUTHORITY\NETWORK SERVICE`":(RX)"
 
 Write-Output "Register plugin with the .net framework" | timestamp
 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe /codebase /tlb $ccgPackagePath\CfCcgPlugin.dll

@@ -20,6 +20,8 @@ void GetPasswordCredentials(
     [Guid("8019A64C-3F4E-4DE3-AD2B-9A544290E2C3")]
     [ProgId("CfCcgCredProvider")]
     [ComVisible(true)]
+    [SecurityRole("SYSTEM")]
+    [SecurityRole("CCG")]
     public class CfCcgCredProvider : ServicedComponent, ICcgDomainAuthCredentials
     {
         public CfCcgCredProvider()

@@ -7,3 +7,28 @@ $apps.Populate()
 $appExistCheckApp = $apps | Where-Object {$_.Name -eq $newComPackageName}
 $appExistCheckApp.Value("Identity") = "NT AUTHORITY\LocalService"
 $apps.SaveChanges()
+
+$roles = $apps.GetCollection("Roles", $appExistCheckApp.Key)
+$roles.Populate()
+
+$systemRole = $roles | Where-Object {$_.Name -eq "SYSTEM"}
+if ($systemRole) {
+    $users = $roles.GetCollection("UsersInRole", $systemRole.Key)
+    $users.Populate()
+    $newUser = $users.Add()
+    $newUser.Value("User") = "NT AUTHORITY\SYSTEM"
+    $users.SaveChanges()
+}
+
+$ccgRole = $roles | Where-Object {$_.Name -eq "CCG"}
+if ($ccgRole) {
+    $users = $roles.GetCollection("UsersInRole", $ccgRole.Key)
+    $users.Populate()
+    try {
+        $newUser = $users.Add()
+        $newUser.Value("User") = "NT SERVICE\ccg"
+        $users.SaveChanges()
+    } catch {
+        Write-Warning "Failed to add NT SERVICE\ccg to CCG role: $_"
+    }
+}
@@ -16,9 +16,11 @@
 
 [assembly: ApplicationActivation(ActivationOption.Server)]
 [assembly: ApplicationAccessControl(
-    AccessChecksLevel = AccessChecksLevelOption.Application,
-    Authentication = AuthenticationOption.None,
-    Value = false)]
+    true,
+    AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent,
+    Authentication = AuthenticationOption.Packet)]
+[assembly: SecurityRole("SYSTEM")]
+[assembly: SecurityRole("CCG")]
 
 // Setting ComVisible to false makes the types in this assembly not visible
 // to COM components.  If you need to access a type in this assembly from

@@ -20,7 +20,7 @@ Note - to verify the plugin you don't need to set up any Active Directory stuff
     ```
 - Set broad permissions on the plugin dll
     ```powershell
-    cmd.exe /C "icacls c:\\CfCcgPlugin.dll /grant Everyone:(F)"
+    cmd.exe /C "icacls c:\\CfCcgPlugin.dll /grant `"NT AUTHORITY\LocalService`":(RX) /grant `"NT AUTHORITY\NETWORK SERVICE`":(RX)"
     ```
 - Register the plugin as a com object with the .net framework