How does LogonUser API work to prevent impersonating users?

From: Brian E (brian_anon_at_hotmail.com)
Date: 08/11/04

Date: 11 Aug 2004 05:07:44 -0700

I am trying to understand how the LogonUser API works.

I would like to utilize the credentials of the currently logged on
user as the basis for authenticating access to a client-server
application. Currently, the application only forwards the user name
of the currently logged on user.

Since we use a standard naming convention for usernames, I can easily
impersonate another user. I could install a standalone system and
create a local user account that matches the username of the
application administrator. When I start the client it forwards the
Windows username of the currently logged on user to the application.
Access is then granted.

Obviously I do not know the Windows password for the application
administrator but have been able to get access.

How does LogonUser API work to prevent this situation (i.e. creating a
similar account on another machine)?

Regards,
Brian_anon@hotmail.com
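An added example, not part of the original post, showing the server-side check that LogonUser makes possible: the server validates a username and password against the named authority (domain) and derives the identity from the resulting token's SID, instead of trusting a username string the client forwards. The function name, the `CORP` domain and the `appadmin` account are placeholders assumed for illustration.

```powershell
# Added example (not from the original post): server-side credential validation
# via the Win32 LogonUser API. An account of the same name created on some other
# standalone machine has no password the domain will accept, so it cannot obtain
# this token, and even a successful local logon would carry a different SID.
Add-Type -Namespace Win32 -Name Logon -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
    int logonType, int logonProvider, out IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

$LOGON32_LOGON_NETWORK    = 3   # validate credentials as a network logon (no interactive session)
$LOGON32_PROVIDER_DEFAULT = 0
$ERROR_LOGON_FAILURE      = 1326  # "unknown user name or bad password"

function Test-ServerCredential {
    # Hypothetical helper: returns whether the authority vouched for the credential,
    # and if so the authoritative account name and SID taken from the token.
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $Domain,        # authority that must vouch, e.g. CORP
        [Parameter(Mandatory)] [securestring] $Password
    )
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $token = [IntPtr]::Zero
        $ok = [Win32.Logon]::LogonUser($UserName, $Domain, $plain,
            $LOGON32_LOGON_NETWORK, $LOGON32_PROVIDER_DEFAULT, [ref]$token)
        if (-not $ok) {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            return [pscustomobject]@{ Authenticated = $false; Identity = $null; Sid = $null; Win32Error = $err }
        }
        try {
            # Identity and SID come from the authority that issued the token, not from
            # anything the client sent; WindowsIdentity duplicates the handle internally.
            $id = New-Object System.Security.Principal.WindowsIdentity($token)
            return [pscustomobject]@{ Authenticated = $true; Identity = $id.Name; Sid = $id.User.Value; Win32Error = 0 }
        } finally {
            [Win32.Logon]::CloseHandle($token) | Out-Null
        }
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # scrub the cleartext copy
    }
}

# Constructed sample call (placeholder account and domain); run on the server side.
# Test-ServerCredential -UserName 'appadmin' -Domain 'CORP' -Password (Read-Host -AsSecureString 'Password')
```

Because LogonUser needs the cleartext password at the server, the channel carrying it must be protected; Windows's built-in SSPI/Negotiate authentication gives the server the same domain-issued token without the password ever leaving the client.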