RE: AcquireCredentialsHandle failures with Least Privilege

From: bart (bart_at_noemail.please)
Date: 09/25/03

Date: Thu, 25 Sep 2003 10:11:24 -0700

Thanks for your reply. The object of the exercise is to
allow a web server process running under the admin account
to restrict its privileges, so that if it is compromised
by an attack, it can do no harm.

The process first restricts its privileges and then sets
the privileged group account ACLs to DENY ONLY. It then
serves SSL request pages, so it must have access to the
installed SSL certs in the LOCAL_MACHINE\My certificate

How can I NOT use a privileged LUID, ACL or other
mechanism, and still have the use of the certificates?

I have read EVERYTHING Microsoft has published on this
topic, including the latest MSDN, "Writing Secure Code"
AND "Programming Server-Side Applications for Windows 2000";
this topic is NOT covered.

>-----Original Message-----
>Hello Bart,
>Please check if the account the application process runs under has
>SE_TCB_NAME privilege. In general, AcquireCredentialsHandle does not
>allow a process to obtain a handle to the credentials of other users
>logged on to the same computer. However, a caller with SE_TCB_NAME
>privilege has the option of specifying the logon identifier (LUID) of
>any existing logon session token to get a handle to that session's
>credentials.
>To grant this privilege to an account, go to Local Security Policy |
>Local Policies | User Rights Assignments, and then add the account to
>"Act as part of the operating system".
>I hope this helps you.
>Best regards,
>Lion Shi [MSFT]
>Microsoft Support Engineer
>This posting is provided "AS IS" with no warranties, and confers no
>rights. You assume all risk for your use. 2003 Microsoft Corporation.
>All rights reserved.
>| From: "bart" <bart@noemail.please>
>| Subject: AcquireCredentialsHandle failures with Least Privilege
>| Date: Wed, 24 Sep 2003 16:13:15 -0700
>| Message-ID: <129a01c382f1$6f0a48a0$3501280a@phx.gbl>
>| My code creates a restricted process token that sets the
>| administrator ACL to deny only. Running with the restricted
>| token causes AcquireCredentialsHandle to fail on
>| SCHANNEL_CRED_VERSION using a valid certificate context.
>| I have traced the failure to a call to the underlying
>| CryptAcquireContext call returning ERROR_ACCESS_DENIED.
>| I have tried adding an additional ACL entry for a group
>| ACL (which the process token supports) using both
>| WinHttpCertCfg and CryptSetProvParam.
>| The security descriptor returned by CryptGetProvParam
>| shows the new DACL entry for the group with the same
>| ACCESS_MASK value as the administrator ACE (0x90000000).
>| But even though the process token contains the group, I
>| still get ERROR_ACCESS_DENIED on the call to
>| CryptAcquireContext.
>| How do I make it so that principals that are NOT members
>| of the administrators group can call
>| AcquireCredentialsHandle?
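The checks a practitioner would want to run on a setup like the one in this thread, as an added example that is not part of the original posts (neither Bart's code nor anything from Microsoft). It rests on two points: for the Microsoft software CSPs a machine key container is a file under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys, and the security descriptor that CryptGetProvParam PP_KEYSET_SEC_DESCR reports is that file's; and a group marked SE_GROUP_USE_FOR_DENY_ONLY in a restricted token matches only Deny ACEs, so an Allow ACE for Administrators stops granting anything once Administrators is deny-only, and the container must carry an Allow ACE for a group the token still holds enabled. The script locates the key file for a LocalMachine\My certificate, lists its DACL, can add a Read ACE for a group, and shows which groups the current token holds as deny-only (run that part inside the restricted process). Assumed and not from the page: the private key is an RSA key held by a CAPI CSP rather than CNG, Windows PowerShell 5.1 running elevated for the grant step, and the thumbprint and group name are placeholders.

```powershell
# Added example (not from the original thread). Diagnoses access to the CAPI
# key container behind a LocalMachine\My certificate as seen from a restricted
# token. Assumptions: RSA key held by a Microsoft CAPI CSP (not CNG), Windows
# PowerShell 5.1 elevated for Grant-KeyFileRead, and the thumbprint / group
# values below are placeholders the operator fills in.

function Get-MachineKeyFile {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

    # CAPI keys surface as RSACryptoServiceProvider. .NET Framework throws for
    # a CNG-stored key; those live elsewhere and are not handled here.
    try { $rsa = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider] }
    catch { $rsa = $null }
    if (-not $rsa) { throw "Private key of $Thumbprint is not a CAPI RSA key" }
    $info = $rsa.CspKeyContainerInfo

    # Machine key containers are files named after the unique container name,
    # under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys.
    $dir  = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) `
                      'Microsoft\Crypto\RSA\MachineKeys'
    $path = Join-Path $dir $info.UniqueKeyContainerName
    if (-not (Test-Path -LiteralPath $path)) { throw "Key container file not found: $path" }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Container     = $info.KeyContainerName
        Provider      = $info.ProviderName
        MachineKeySet = $info.MachineKeySet
        Path          = $path
    }
}

function Show-KeyFileAccess {
    # Lists every ACE on the container file. Opening an existing container with
    # CryptAcquireContext needs read access to this file, and an Allow ACE whose
    # trustee is a deny-only group in the caller's token does not count.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
}

function Grant-KeyFileRead {
    # Adds an Allow Read ACE for $Group so a token that still holds $Group
    # enabled (not deny-only) can open the container.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Group)
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group,
        [System.Security.AccessControl.FileSystemRights]::Read,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-DenyOnlyGroups {
    # Run inside the restricted process: groups carrying the
    # SE_GROUP_USE_FOR_DENY_ONLY attribute are reported as
    # "Group used for deny only" and match only Deny ACEs in access checks.
    whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.Attributes -match 'deny only' } |
        Select-Object 'Group Name', SID, Attributes
}

# Usage (placeholder values):
#   $key = Get-MachineKeyFile -Thumbprint '<thumbprint of the SSL certificate>'
#   Show-KeyFileAccess -Path $key.Path
#   Grant-KeyFileRead -Path $key.Path -Group '<dedicated service group>'
#   Get-DenyOnlyGroups    # from the restricted process, to see what no longer matches
```

Compare the output of Show-KeyFileAccess against Get-DenyOnlyGroups taken from within the restricted process: every Allow ACE whose trustee appears in the deny-only list is dead for that token, and the remaining Allow ACEs must cover a group the token still holds enabled. If the NTFS DACL already grants Read to such a group and CryptAcquireContext still returns ERROR_ACCESS_DENIED, the next things to verify are the flags passed to CryptAcquireContext (CRYPT_MACHINE_KEYSET, and no CRYPT_NEWKEYSET, which requires write access to the MachineKeys directory) and the DACL of the MachineKeys directory itself, which the key file ACE does not replace.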