Re: LogonUser
From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 09/22/05
- In reply to: Joe Kaplan \(MVP - ADSI\): "Re: LogonUser"
Date: Thu, 22 Sep 2005 12:22:02 -0700
Hello Joe,
a good one?? you mean these extremely talented guys who know how to run Reflector??
:)
man, don't store passwords in your binaries...
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
> Ah, I see. LogonUser would probably work, but you will be restricted
> from using that on 2K. I'm not exactly sure how Windows does this,
> but there is probably an API that you can use. You might look at WMI
> to see if it offers a wrapper or one of the Net* APIs. At worst you
> could shell out to the Net Use command.
>
> Note that a good hacker could probably recover the credentials you
> will be using to make this connection pretty easily since it is
> running on their machine, so be careful about how secure this needs to
> be.
>
> Joe K.
>
> "***" <Richard.Giles@nospam.nospam> wrote in message
> news:161D1021-3403-45AC-9C42-E4E2CAFA7637@microsoft.com...
>
>> Switching to W2003 or to COM+ or to any server-based solution isn't
>> really an option because the program is CPU intensive and therefore
>> runs on 'n' number of W2K clients depending upon daily demand.
>> And to be clear, I don't know that solving the LogonUser issue will
>> fix my underlying problem anyway. Perhaps I should explain...
>>
>> I need to copy files to a network location which is not accessible by
>> the logged on user's account. The location can be reached from Windows
>> by typing in its UNC path and entering the user name and password of an
>> account that does have access. i.e. Start>Run>"\\10.216.0.1\NameOfShare">OK
>> and then in the "Enter Network Password" dialog
>> Connect As="AuthorisedUsersName" and Password="AuthorisedUsersPassword">OK.
>> All I want to do is make this connection programmatically and avoid the
>> need for the user to enter the details of the authorised account.
>> Hope you can help!
>>
>> "Joe Kaplan (MVP - ADSI)" wrote:
>>
>>> Are you on Windows 2000? Under Win2K, LogonUser requires the caller
>>> to have the TCB privilege (act as part of the operating system) which
>>> is only granted to the SYSTEM account by default.
>>> Switching to Windows Server 2003 is a great solution to this
>>> problem, but you might have to give the TCB privilege to the account
>>> in question if that is not an option. Unfortunately, this weakens the
>>> security of your app as this is a dangerous privilege to give out.
>>> Factoring this specific call into a COM object registered under COM+
>>> with a special identity is one way to help mitigate that problem.
>>> Joe K.
>>>
>>> "***" <Richard.Giles@nospam.nospam> wrote in message
>>> news:2EA28A4D-4319-4F46-B071-0D4503F902BA@microsoft.com...
>>>
>>>> I'm trying to use the LogonUser function from "advapi32.dll" as
>>>> described in the KB article "How to validate Windows user rights in a
>>>> Visual Basic .NET application" but the function returns the error
>>>> message "A required privilege is not held by the client.". Please can
>>>> you explain what this means and what
>>>> I need to do to get around it. Many thanks.
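The point about Reflector and passwords in binaries, as an added example that is not part of the thread or written by any of its participants: string literals compiled into an unobfuscated .NET assembly sit in the file as readable UTF-16LE text, so a release check can scan the build output for credentials before it ships. The function names and sample bytes are constructed for illustration; the share, user name and password are the thread's own placeholders.

```python
import re

# Runs of 6+ printable ASCII characters encoded as UTF-16LE, the form in
# which .NET string literals sit inside a compiled assembly.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# Heuristic for literals that look like "password=..." style assignments.
CRED_HINT = re.compile(r"(?i)(passw(or)?d|pwd|secret)\s*[=:]")

def utf16_literals(blob):
    """Yield (offset, text) for every UTF-16LE printable run in blob."""
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), m.group().decode("utf-16-le")

def audit_binary(blob, known_secrets=()):
    """Return (offset, reason, text) findings for a build artifact.

    known_secrets holds credential values that must never ship; where they
    come from (e.g. a secret store) is an assumption of this example.
    """
    findings = []
    for offset, text in utf16_literals(blob):
        if any(s in text for s in known_secrets):
            findings.append((offset, "known secret", text))
        elif CRED_HINT.search(text):
            findings.append((offset, "credential-like literal", text))
    for s in known_secrets:  # same value embedded as plain ASCII/UTF-8
        pos = blob.find(s.encode("utf-8"))
        if pos != -1:
            findings.append((pos, "known secret (ascii)", s))
    return findings

def us_entry(s):
    """Constructed heap-style entry: length byte, UTF-16LE text, terminator."""
    raw = s.encode("utf-16-le")
    return bytes([len(raw) + 1]) + raw + b"\x00"

# Constructed sample bytes (not a real assembly), using the thread's own
# placeholder share, user name and password.
SAMPLE = b"MZ" + b"\x00" * 14 + b"".join(us_entry(s) for s in (
    r"\\10.216.0.1\NameOfShare", "AuthorisedUsersName",
    "AuthorisedUsersPassword", "pwd=constructed-example"))

if __name__ == "__main__":
    for off, reason, text in audit_binary(SAMPLE, ["AuthorisedUsersPassword"]):
        print(f"0x{off:04x}  {reason}: {text}")
```

A finding from this check means the credential is readable by anyone who holds the file, so the fix is to take it out of the binary rather than to hide it better.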