Re: [Full-disclosure] Question for the Windows pros
- From: Paul Schmehl <pauls@xxxxxxxxxxxx>
- Date: Wed, 18 Jan 2006 13:55:29 -0600
--On Wednesday, January 18, 2006 13:25:55 -0600 Yvan Boily <yboily@xxxxxxxxx> wrote:

>> The explanations on MS's site are vague enough that they're meaningless. What services running on Windows allow clients to access them? And if they do, do they restrict access to the Local Machine? Or do they allow Remote Access? (For example, RPC is clearly remote. Is the Windows Time service?)
>
> Actually, the explanations are not vague or meaningless. It just helps to have an understanding of what this privilege governs. Let's start with the fact that in essence it only applies to Server operating systems, and only to Windows 2000 SP4, or Windows 2003.

This is incorrect. The privilege exists *and* functions on the Workstation operating systems Win2000 SP4 *and* WinXP. I have verified this through testing.

> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/authorization_constants.asp

I've already been there and read the page - several times. I understand *in general* what an impersonation privilege is. I need to know *specifically* what "server's clients" can be impersonated when this privilege is applied to an account. So far, I've found nothing on the web that even attempts to address that issue.

> Mike Howard also demonstrates the technique here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure03132003.asp

That's somewhat helpful, in a general way, but still doesn't answer my question.

> RPC is not clearly remote. It is merely a mechanism which is capable of delivering remote calls.

Which is what I meant by clearly remote. IOW, it's capable of accessing resources remotely.

> According to MSDN this is a list of APIs that require SeImpersonatePrivilege:
>
> RpcImpersonateClient
> ImpersonateAnonymousToken
> ImpersonateClient
> ImpersonateLoggedOnUser
> ImpersonateSecurityContext
> RpcGetAuthorizationContextForClient
>
> Reading the API, and the MSDN Documentation on Impersonation and Delegation should illuminate this issue.

Unfortunately, it has not. Again, I understand *in general* what impersonation is, how it works and what it can mean in terms of security.

I am looking *specifically* for what a user who has the privilege "Impersonate a client after authentication" has the right to do. Does it mean that *anything* that user runs runs under his/her privileges? Does it mean only *local* processes are affected? Does it mean a hacker can access the machine remotely and run under the user's privileges?

IOW, if I have a domain account named "Joe", and I grant "Joe" this privilege, what is placed at risk? The local machine he's logged in to? The entire domain? Only certain services? Saying it's a high risk (like ISS does) and then not defining *precisely* what the risks are is not helpful.

And all I was really asking for is pointers to any white papers or conference presentations that even attempt to illuminate this issue.

It's looking like there are none.

> The short story is though, that any case where any process or thread will execute, either locally or remotely, under another user's security context, impersonation is required.

Can you name one? For example, is the RPC Locator Service affected by this privilege?
Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
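An added example, not part of this message or the thread: a PowerShell check of which principals are granted "Impersonate a client after authentication" (SeImpersonatePrivilege) on the local machine, and whether the current token carries it. It assumes a Windows host where secedit.exe and whoami.exe are available and a shell elevated enough to export the local security policy; the function names are my own.

```powershell
# Added example: audit SeImpersonatePrivilege on the local machine.
# Assumes: Windows, secedit.exe/whoami.exe on PATH, elevated shell.

function Get-ImpersonatePrivilegeHolders {
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    # secedit writes a Unicode INF; its [Privilege Rights] section holds a line like
    #   SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $cfg -Encoding Unicode |
        Where-Object { $_ -match '^\s*SeImpersonatePrivilege\s*=' } |
        Select-Object -First 1
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right granted to nobody on this host

    $line.Split('=')[1].Split(',') | ForEach-Object {
        $entry = $_.Trim().TrimStart('*')   # a leading '*' marks a raw SID
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry)
            [pscustomobject]@{
                Sid  = $entry
                Name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            }
        } catch {
            # not a SID, or a SID this host cannot resolve: report it as-is
            [pscustomobject]@{ Sid = $entry; Name = $entry }
        }
    }
}

function Test-CurrentTokenCanImpersonate {
    # whoami /priv lists every privilege present in the current token,
    # one per line starting with the privilege name (Enabled or Disabled).
    # A privilege absent from the token cannot be enabled later.
    $privs = & whoami.exe /priv
    return [bool]($privs | Where-Object { $_ -match '^SeImpersonatePrivilege\b' })
}

# Who may impersonate on this host, then whether the current account may.
Get-ImpersonatePrivilegeHolders | Format-Table -AutoSize
"Current token holds SeImpersonatePrivilege: $(Test-CurrentTokenCanImpersonate)"
```

On a default install the holders are the service accounts and Administrators; any additional account (a "Joe") that appears in the first list is one to justify or remove.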