Re: [Full-disclosure] Question for the Windows pros

---

• From: Paul Schmehl <pauls@xxxxxxxxxxxx>
• Date: Wed, 18 Jan 2006 11:30:49 -0600

---

--On Wednesday, January 18, 2006 16:54:38 +0000 Stuart Dunkeld <stuartd@xxxxxxxxx> wrote:

On 18/01/06, Paul Schmehl <pauls@xxxxxxxxxxxx> wrote:

What are the risks associated with granting Authenticated Users (AD 2003)
the Impersonate client after authentication privilege?  I've googled and
read endlessly repetitive explanations for what the privilege is (most of
them nearly incomprehensible), but I have yet to find anyone who
articulates the risks associated with such a change.

"Assigning this privilege to a user allows programs running on behalf
of that user to impersonate a client. Requiring this user right for
this kind of impersonation prevents an unauthorized user from
convincing a client to connect (for example, by remote procedure call
(RPC) or named pipes) to a service that they have created and then
impersonating that client, which can elevate the unauthorized user's
permissions to administrative or system levels." [1]

I can read. I need to know, from a practical application standpoint, what does this mean. What are the exposures?

Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

---

• Follow-Ups:
  • Re: [Full-disclosure] Question for the Windows pros
    • From: Frank Knobbe

• References:
  • [Full-disclosure] Question for the Windows pros
    • From: Paul Schmehl
  • Re: [Full-disclosure] Question for the Windows pros
    • From: Stuart Dunkeld

• Prev by Date: Re: [Full-disclosure] Vulnerability/Penetration Testing Tools
• Next by Date: RE: [Full-disclosure] Vulnerability/Penetration Testing Tools
• Previous by thread: Re: [Full-disclosure] Question for the Windows pros
• Next by thread: Re: [Full-disclosure] Question for the Windows pros
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Debugger not working in Vs.net 2003 ... I check The "Impersonate a client after authentication" user right, aspnet ... (microsoft.public.vsnet.debugging) Re: help on caller credentials !! :-( ... the back end SQL server maybe. ... In fact I simply try to flow the client user until the database level. ... Hosting my remote object in IIS would be much more simple but thi is not my ... under windows 2000 and prefer mode should be "Impersonate". ... (microsoft.public.dotnet.security) Re: client impersonation ... While you are able to retrieve the login names of all current ... Why not create a simple client autostart ... tool that makes a request to the webservice with the user's login ... impersonate the client user to have the appropriate rights on the ... (microsoft.public.win32.programmer.tapi) Re: Remote Registry Problem ... I have checked the local policy and the setting for "Impersonate a client ... after authentication" has both Administrators and SERVICE defined. ... (microsoft.public.windows.server.sbs) Re: Installshield wizard was Interrupted on XP Home Edition ... Grants/Revokes NT-Rights to a user/group ... change the 'Impersonate a client after authentication' setting and thus can ... (microsoft.public.windowsxp.help_and_support)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > Full-Disclosure  > 2006-01