Re: Running a program with elevated priveleges
From: Valery Pryamikov (valery_at_harper.no)
Date: 04/12/05
- In reply to: Nicole Calinoiu: "Re: Running a program with elevated priveleges"
- Next in thread: Nicole Calinoiu: "Re: Running a program with elevated priveleges"
- Reply: Nicole Calinoiu: "Re: Running a program with elevated priveleges"
Date: Tue, 12 Apr 2005 18:49:41 +0200
"Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
news:%23hyXMW3PFHA.3544@TK2MSFTNGP12.phx.gbl...
> "Valery Pryamikov" <valery@harper.no> wrote in message
> news:uXTojt2PFHA.1932@tk2msftngp13.phx.gbl...
> <snip>
>> Well, "simply" might be a bit of non-understanding <g>. Being able to
>> change the password is not the same as being able to read the clear text
>> password. Think of setting COM+ application to use identity of existing
>> user... Do I need to say any more?...
>
> An admin could do something silly like this with an empty COM+ application
> too. An ignorant admin doesn't need developer help to wreak havoc.

And what's your point? Are we talking here about competencies or about the
facts?

I'm just warning that COM+ and DCOM store the password in unencrypted form in
an LSA secret. If I remember it correctly, COM+/DCOM LSA secrets are named
APPID:{APPID_GUID_HERE}. You can use any version of lsadump for that, or you
can use my very simple PrintSecret utility that I wrote back in 1997 (you
can find PrintSecret together with its source code on my website - just
follow the "Relics from DCOM era" link). It is not like "the sky is
falling"... moreover, it is not a problem at all if the alternative
credentials of a COM+ application are used correctly. And that "correct use"
first of all means a separate account that is not used for normal user login
(i.e. has the "deny logon interactively" right).

BTW: COM+ applications are used for accessing domain resources much more
often than you probably think (looking at your arguments in your previous
post makes me think that you think that... :-) ). Database connections are
one of the most usual examples. And another BTW: during the Windows DNA time
it was one of the major pieces of advice - to use Integrated Windows
Authentication on the database server on the back end; in the middle tier -
to run the COM+ component with an account that has the necessary access
rights to the databases (and databases are usually running on separate
computers).

-Valery.
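
An audit of the practice recommended in the message above, added here as an example (it is not part of the original post and is unrelated to PrintSecret): it lists COM+ applications that run under a named account and reports whether that account is directly assigned the "deny logon interactively" right (`SeDenyInteractiveLogonRight`). The built-in identity list, the temp file name and the output column names are assumptions; group-based assignments are not expanded.

```powershell
# Added example: read-only audit, run elevated on the COM+ host.
# It reads the COM+ catalog and the user-rights policy; it never reads LSA secrets.
$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps = $catalog.GetCollection('Applications')
$apps.Populate()

# Export user-rights assignments and extract the deny-interactive-logon entries.
$cfg = Join-Path $env:TEMP 'complus-audit-rights.inf'   # file name is an assumption
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$entry = Select-String -Path $cfg -Pattern '^SeDenyInteractiveLogonRight\s*=' |
    Select-Object -First 1
$denied = @()
if ($entry) {
    # Entries are SIDs written as *S-1-5-... or plain account names.
    $denied = ($entry.Line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Identities with no stored password (assumed list; extend for your environment).
$builtin = 'Interactive User', 'NT AUTHORITY\LocalService',
           'NT AUTHORITY\NetworkService', 'NT AUTHORITY\SYSTEM'

$report = foreach ($app in $apps) {
    $identity = [string]$app.Value('Identity')
    if (-not $identity -or $builtin -contains $identity) { continue }

    # Resolve the account to a SID so it can be matched against the policy export.
    $name = $identity -replace '^\.\\', "$env:COMPUTERNAME\"
    try {
        $sid = ([System.Security.Principal.NTAccount]$name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $sid = $null   # unresolvable account: reported as not denied
    }

    [pscustomobject]@{
        Application           = $app.Value('Name')
        AppId                 = $app.Value('ID')
        Identity              = $identity
        DenyInteractiveLogon  = ($sid -and $denied -contains $sid) -or
                                ($denied -contains $identity)
    }
}
$report | Sort-Object DenyInteractiveLogon, Application | Format-Table -AutoSize
```

Rows with `DenyInteractiveLogon` set to `False` are the ones to review: either the account is also usable for normal login, or the right is granted through a group that this check does not expand.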