Re: [Full-disclosure] Question for the Windows pros



> The explanations on MS's site are vague enough that they're meaningless.
> What services running on Windows allow clients to access them? And if they
> do, do they restrict access to the Local Machine? Or do they allow Remote
> Access? (For example, RPC is clearly remote. Is the Windows Time service?)

Actually, the explanations are not vague or meaningless. It just
helps to have an understanding of what this privilege governs. Let's
start with the fact that in essence it only applies to Server
operating systems, and only to Windows 2000 SP4, or Windows 2003.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/authorization_constants.asp

Mike Howard also demonstrates the technique here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure03132003.asp

RPC is not clearly remote. It is merely a mechanism which is capable
of delivering remote calls.

According to MSDN this is a list of APIs that require SeImpersonatePrivilege:

RpcImpersonateClient
ImpersonateAnonymousToken
ImpersonateClient
ImpersonateLoggedOnUser
ImpersonateSecurityContext
RpcGetAuthorizationContextForClient

Reading the API and the MSDN documentation on Impersonation and
Delegation should illuminate this issue.

The short story, though, is that in any case where any process or thread
will execute, either locally or remotely, under another user's security
context, impersonation is required.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
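
A defender's check that follows from the message above, as an added example that is not part of the original post: list which principals hold SeImpersonatePrivilege on a host by parsing the output of `secedit /export /cfg rights.inf /areas USER_RIGHTS`. The baseline SIDs, the sample export and the function names are assumptions of this example; replace the baseline with your own.

```python
import configparser

# Baseline holders (assumption: the commonly documented defaults; adjust per host role).
BASELINE = {
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-6": "SERVICE",
}

# Constructed sample of a USER_RIGHTS export (not taken from a real host).
# Real exports are UTF-16: read them with open(path, encoding="utf-16").
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6,*S-1-5-21-1111111111-2222222222-3333333333-1105,webapp_svc
[Version]
signature="$CHICAGO$"
Revision=1
"""


def privilege_holders(export_text, privilege="SeImpersonatePrivilege"):
    """Return the principals granted `privilege` in a secedit export."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",)
    )
    parser.optionxform = str  # keep privilege names exactly as written
    parser.read_string(export_text)
    if not parser.has_section("Privilege Rights"):
        raise ValueError("no [Privilege Rights] section in export")
    # A privilege missing from the export is granted to nobody.
    raw = parser.get("Privilege Rights", privilege, fallback="")
    # SIDs carry a '*' prefix; unresolved entries appear as plain account names.
    return [p.strip().lstrip("*") for p in raw.split(",") if p.strip()]


def unexpected_holders(export_text, baseline=BASELINE):
    """Principals holding SeImpersonatePrivilege that are outside the baseline."""
    return [p for p in privilege_holders(export_text) if p not in baseline]


if __name__ == "__main__":
    for principal in unexpected_holders(SAMPLE_EXPORT):
        print("review:", principal)
```
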


