RE: AcquireCredentialsHandle failures with Least Privilege

From: bart (bart_at_noemail.please)
Date: 09/25/03


Date: Thu, 25 Sep 2003 10:11:24 -0700


Thanks for your reply. The object of the exercise is to
allow a web server process running under the admin account
to restrict its privileges, so that if it is compromised
by an attack, it can do no harm.

The process first restricts its privileges and then sets
the privileged group account ACLs to DENY ONLY. It then
serves SSL request pages, so it must have access to the
installed SSL certs in the LOCAL_MACHINE\My certificate
store.

How can I NOT use a privileged LUID, ACL or other
mechanism, and still have the use of the certificates?

I have read EVERYTHING Microsoft has published on this
topic, including the latest MSDN, "Writing Secure Code"
AND "Program Server side applications for Windows 2000";
this topic is NOT covered.

>-----Original Message-----
>Hello Bart,
>
>Please check if the account the application process runs under has
>SE_TCB_NAME privilege. In general, AcquireCredentialsHandle does not
>allow a process to obtain a handle to the credentials of other users
>logged on to the same computer. However, a caller with SE_TCB_NAME
>privilege has the option of specifying the logon identifier (LUID) of
>any existing logon session token to get a handle to that session's
>credentials.
>
>To grant this privilege to an account, you need to go to Local
>Security Policy | Local Policies | User Rights Assignments, and then
>add the account to "Act as part of the operating system".
>
>I hope this helps you.
>
>Best regards,
>
>Lion Shi [MSFT]
>MCSE, MCSD
>Microsoft Support Engineer
>Get Secure! - www.microsoft.com/security
>
>This posting is provided "AS IS" with no warranties, and confers no
>rights. You assume all risk for your use. © 2003 Microsoft
>Corporation. All rights reserved.
>--------------------
>| Content-Class: urn:content-classes:message
>| From: "bart" <bart@noemail.please>
>| Sender: "bart" <bart@noemail.please>
>| Subject: AcquireCredentialsHandle failures with Least Privilege
>| Date: Wed, 24 Sep 2003 16:13:15 -0700
>| Lines: 25
>| Message-ID: <129a01c382f1$6f0a48a0$3501280a@phx.gbl>
>| Newsgroups: microsoft.public.platformsdk.security
>|
>| My code creates a restricted process token that sets the
>| administrator ACL to deny only. Running with the
>| restricted token causes AcquireCredentialsHandle to fail
>| on SCHANNEL_CRED_VERSION using a valid certificate
>| context.
>|
>| I have traced the failure to a call to the underlying
>| CryptAcquireContext call returning ERROR_ACCESS_DENIED.
>|
>| I have tried adding an additional ACL entry for a group
>| ACL (which the process token supports) using both
>| WinHttpCertCfg, and CryptSetProvParam.
>|
>| The security descriptor returned by CryptGetProvParam
>| shows the new DACL entry for the group with the same
>| ACCESS_MASK value as the administrator ACE (0x90000000).
>|
>| But even though the process token contains the group, we
>| still get the ERROR_ACCESS_DENIED on the call to
>| CryptAcquireContext.
>|
>| How do I make it so that principals that are NOT members
>| of the administrators group can call
>| AcquireCredentialsHandle?
>|
>|
>
>.
>
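
Added example, not part of the thread or anyone's posted code: a portable C model of the documented Windows DACL check for a token built with CreateRestrictedToken, applied to the DACL described above (Administrators ACE plus a group ACE, both 0x90000000). The group SID, the requested mask and the restricting-SID lists are constructed assumptions; the thread does not say whether the token carries restricting SIDs, so this is a way to reason about the token and DACL, not a diagnosis of the reported failure.

```c
/* Added illustration: simplified DACL check for a restricted token.
 * Generic-rights mapping, privileges and owner rights are left out. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ALLOW, DENY };         /* ACE type */
enum { ENABLED, DENY_ONLY };  /* token SID attribute */
typedef struct { int type; const char *sid; uint32_t mask; } Ace;
typedef struct { const char *sid; int attr; } TokSid;

#define ADMINS     "S-1-5-32-544"        /* BUILTIN\Administrators */
#define RESTRICTED "S-1-5-12"            /* NT AUTHORITY\RESTRICTED */
#define CERT_GROUP "S-1-5-21-0-0-0-1001" /* constructed group SID (assumption) */
#define KEY_MASK   0x90000000u           /* ACE mask quoted in the thread */

/* One ordered walk of the DACL against one SID list. */
static int pass(const TokSid *s, size_t ns, const Ace *d, size_t nd, uint32_t want) {
    uint32_t got = 0;
    for (size_t i = 0; i < nd; i++) {
        for (size_t j = 0; j < ns; j++) {
            if (strcmp(d[i].sid, s[j].sid) != 0) continue;
            if (d[i].type == DENY) { if (d[i].mask & want & ~got) return 0; }
            else if (s[j].attr == ENABLED) got |= d[i].mask; /* deny-only SIDs never match allow ACEs */
        }
        if ((got & want) == want) return 1;
    }
    return 0; /* remaining bits were never granted: implicit deny */
}

/* With restricting SIDs present, both passes must grant the access. */
int access_check(const TokSid *s, size_t ns, const TokSid *r, size_t nr,
                 const Ace *d, size_t nd, uint32_t want) {
    if (!pass(s, ns, d, nd, want)) return 0;
    return nr == 0 || pass(r, nr, d, nd, want);
}

static const Ace dacl_admin_only[] = { { ALLOW, ADMINS, KEY_MASK } };
static const Ace dacl_with_group[] = { { ALLOW, ADMINS, KEY_MASK }, { ALLOW, CERT_GROUP, KEY_MASK } };
static const TokSid sids[] = { { ADMINS, DENY_ONLY }, { CERT_GROUP, ENABLED } };
static const TokSid restr_only[]  = { { RESTRICTED, ENABLED } };
static const TokSid restr_group[] = { { RESTRICTED, ENABLED }, { CERT_GROUP, ENABLED } };

int main(void) {
    printf("admin-only DACL:              %d\n", access_check(sids, 2, NULL, 0, dacl_admin_only, 1, KEY_MASK));
    printf("group ACE added:              %d\n", access_check(sids, 2, NULL, 0, dacl_with_group, 2, KEY_MASK));
    printf("restricting SIDs, no match:   %d\n", access_check(sids, 2, restr_only, 1, dacl_with_group, 2, KEY_MASK));
    printf("restricting SIDs incl. group: %d\n", access_check(sids, 2, restr_group, 2, dacl_with_group, 2, KEY_MASK));
    return 0;
}
```

In this model a deny-only Administrators SID cannot satisfy the Administrators allow ACE, an enabled group with its own ACE can, and a restricting-SID list defeats the group ACE unless one of the restricting SIDs is also granted the access.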


