Re: URGENT: Pipe server security question

From: Garfield Lewis (galewis_at_SPAM-NO-MOREca.ibm.com)
Date: 10/28/03


Date: Tue, 28 Oct 2003 15:38:51 -0500

We are using Kerberos in a domain environment. The scenario is this:

MachineA -> Domain Controller (DomainA)
MachineB -> exports shared drive giving Everyone read (\\MachineB\share1),
later change to full control but no difference
MachineC -> has a service running either as a privileged domain account with
local admin authority or Local System (MYSERVICE)

From MachineC -> start service MYSERVICE and it creates a pipe called
\\MachineC\pipe\MYPIPE

From MachineB, user DomainA\User1 connects to \\MachineC\pipe\MYPIPE (I've
used the SECURITY_SQOS_PRESENT and SECURITY_IMPERSONATION flags when calling
CreateFile (even though the docs indicate I don't need to). I've also tried
adding SECURITY_DELEGATION but that fails with 1346 error as it does when I
try to use it on the server end). Then it simply sends the command "dir
\\MachineB\share1" across the pipe.

From MachineC, the request is received; however, the command fails with
"Access is Denied" (rc=5).

I've got the machines setup as trusted for delegation on the DC and also
have set the userid as being able to be delegated. These are Win2K machines
running either Server or Adv. Server at SP3 level. What is wrong? I suspect
that because I cannot get a delegation token from DuplicateTokenEx that is
why it fails, but the security events on neither machine show where the
access denied is coming from. I'm gonna try this on Win2K3 to see if I get
any better results but I still need this to work on Win2K.

-- 
Garfield A. Lewis
DB2 UDB Development,
IBM Canada Laboratory
"John Duddy" <jduddy@idontwantyourunsolicitedmsgDOTstbernard.com> wrote in
message news:vpt7nlf1p5qa14@corp.supernews.com...
> You'll need to be using Kerberos authentication for starters. NTLM
> authentication is explicitly not-delegatable.
>
> JD
>
> "Garfield Lewis" <galewis@SPAM-NO-MOREca.ibm.com> wrote in message
> news:e8Ur#MPnDHA.1072@TK2MSFTNGP09.phx.gbl...
> > Hi Drew,
> >
> > We need to impersonate because the service account typically has admin
> > privileges and/or is LocalSystem. If we don't impersonate then we are
> > effectively giving everyone who can interact with this service
> > administrator privileges. The share does give "Everyone" read access. I am
> > not using LogonUser; I am running a Named Pipe server, so I am doing
> > ImpersonateNamedPipeClient then duping the thread token. I think what I
> > need to do is to get a delegation token; however, whenever I pass
> > SecurityDelegation to DuplicateTokenEx I always get a 1346
> > (ERROR_BAD_IMPERSONATION_LEVEL) error from that API. I would appreciate it
> > if someone could provide me with some sample code that will do what I am
> > asking, namely using Named Pipes to run a delegatable service in a domain
> > environment on Win2K SP3.
> >
> > Thx,
> >
> > --
> > Garfield A. Lewis
> > DB2 UDB Development,
> > IBM Canada Laboratory
> >
> >
> > "Drew Cooper [MSFT]" <dcoop@online.microsoft.com> wrote in message
> > news:eZyihfOnDHA.2064@TK2MSFTNGP11.phx.gbl...
> > > Check out the documentation for LogonUser.  I suspect that this caveat
> > > in the SDK covers your scenario:
> > >
> > > . . . if you convert the token to a primary token and use it in
> > > CreateProcessAsUser to start a process, the new process will not be
> > > able to access other network resources, such as remote servers or
> > > printers, through the redirector. An exception is that if the network
> > > resource is not access-controlled, then the new process will be able to
> > > access it.
> > >
> > >
> > > Why not grant your service account access to the share?  No need to
> > > impersonate then.
> > > --
> > > Drew Cooper [MSFT]
> > > This posting is provided "AS IS" with no warranties, and confers no
> > > rights.
> > >
> > >
> > > "Garfield Lewis" <galewis@SPAM-NO-MOREca.ibm.com> wrote in message
> > > news:OAZ9LcjmDHA.392@TK2MSFTNGP11.phx.gbl...
> > > > Hi,
> > > >
> > > > I'm writing a pipe server service that will allow me to run remote
> > > > commands on a machine. The server works like a charm if I don't add
> > > > client impersonation. Even with client impersonation it works most of
> > > > the time. The problem I'm having is this: I've got the service running
> > > > on 2 machines (machineA and machineB). I've created a network share on
> > > > machineA called \\machineA\myshare. Now if I request that the server do
> > > > the following from machineA, dir \\machineA\myshare, then everything
> > > > works fine. However, if I send this same command to machineB from
> > > > machineB then I get an "Access is denied" error (rc=5). If I go to
> > > > machineB and do this directly from a command window then everything is
> > > > fine. When I issue the commands I am logged into the same domain account
> > > > on both boxes so the authentication should be identical. The share was
> > > > created giving "Everyone" full control; I later added "Authenticated
> > > > Users" and "Anonymous" with the same full control but that has not made
> > > > any difference. Here is some pseudo-code of how I'm doing the
> > > > impersonation; I would really appreciate some help on this.
> > > >
> > > > - give client access to process window station
> > > > - give client access to thread desktop
> > > > - impersonate named pipe client
> > > > - open thread token
> > > > - use DuplicateTokenEx to get a primary token (using
> > > >   SecurityImpersonation, also tried SecurityDelegation but
> > > >   CreateProcessAsUser complained about that)
> > > > - use CreateProcessAsUser to run the command
> > > >
> > > > What do I need to do to make the remote client running as a service see
> > > > the network share? I've tried various things to do with loading the
> > > > profile but nothing seems to work. If I issue the command from machineB
> > > > then that works but I suppose that's because it's machineA's share.
> > > >
> > > > --
> > > > Garfield A. Lewis
> > > > DB2 UDB Development,
> > > > IBM Canada Laboratory
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
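The thread turns on one fact that none of the posts check directly: the impersonation level the pipe server ends up with is fixed by what the client asked for on CreateFile (SECURITY_SQOS_PRESENT | SECURITY_<level>) and by what the authentication package was willing to grant (NTLM, or Kerberos without delegation permitted, caps it at Impersonation), and DuplicateTokenEx can never raise that level, which is exactly what error 1346 (ERROR_BAD_IMPERSONATION_LEVEL) reports. The following PowerShell probe is an added example, not code from this thread or from the poster's service; it uses .NET's System.IO.Pipes (which wraps CreateNamedPipe, CreateFile with the SQOS flags, and ImpersonateNamedPipeClient) to connect a client at a requested level and report the level the server actually receives. It runs a loopback on one machine (server name "." and the in-process client are assumptions for the demo); the pipe name MYPIPE is the one from the thread.

```powershell
# Added example, not the poster's service code. Requires Windows PowerShell 5.1
# or PowerShell 7 on Windows. The loopback in-process client is an assumption
# made so the probe runs stand-alone; across machines the same two halves run
# on MachineB (client) and MachineC (server).

function Invoke-PipeImpersonationProbe {
    param(
        [string]$PipeName = 'MYPIPE',   # pipe name from the thread
        [System.Security.Principal.TokenImpersonationLevel]$RequestedLevel =
            [System.Security.Principal.TokenImpersonationLevel]::Delegation
    )

    # Server side: CreateNamedPipe under the hood. Asynchronous so that the
    # same thread can also drive the client below.
    $server = New-Object System.IO.Pipes.NamedPipeServerStream(
        $PipeName, [System.IO.Pipes.PipeDirection]::InOut, 1,
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::Asynchronous)
    $accept = $server.WaitForConnectionAsync()

    # Client side: the TokenImpersonationLevel argument becomes
    # SECURITY_SQOS_PRESENT | SECURITY_<level> on the CreateFile call.
    $client = New-Object System.IO.Pipes.NamedPipeClientStream(
        '.', $PipeName, [System.IO.Pipes.PipeDirection]::InOut,
        [System.IO.Pipes.PipeOptions]::None, $RequestedLevel)
    $client.Connect(5000)
    $accept.Wait()

    # ImpersonateNamedPipeClient fails with ERROR_CANNOT_IMPERSONATE (1368)
    # until the server has read something from the client, so exchange one
    # byte before impersonating.
    $client.WriteByte(1)
    $client.Flush()
    $null = $server.ReadByte()

    # RunAsClient = ImpersonateNamedPipeClient ... RevertToSelf. Inside the
    # worker the thread token is the client's token; record its level, which
    # is the ceiling any later DuplicateTokenEx call can request.
    $seen = @{}
    $server.RunAsClient([System.IO.Pipes.PipeStreamImpersonationWorker]{
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $seen.Name  = $id.Name
        $seen.Level = $id.ImpersonationLevel
    })

    # Tell the client the probe is complete, then tear down.
    $server.WriteByte(1)
    $null = $client.ReadByte()
    $client.Dispose()
    $server.Dispose()

    [pscustomobject]@{
        Requested        = $RequestedLevel
        Granted          = $seen.Level
        Client           = $seen.Name
        # Only a Delegation-level token can be duplicated at SecurityDelegation
        # and carry the client's identity to a second hop such as \\MachineB\share1.
        DelegationUsable = ($seen.Level -eq
            [System.Security.Principal.TokenImpersonationLevel]::Delegation)
    }
}

# Usage: request each level in turn and compare Requested with Granted.
foreach ($lvl in 'Impersonation', 'Delegation') {
    Invoke-PipeImpersonationProbe -RequestedLevel $lvl
}
```

Reading the output: if Granted is lower than Requested, the authentication package did not grant delegation (NTLM never does; Kerberos only does when the service account is trusted for delegation, the user account is not marked "sensitive", and the client reached the server by a name that maps to a service principal so that Kerberos was used at all), and a DuplicateTokenEx asking for SecurityDelegation on that token will return 1346 before any share access is attempted. If Granted is Impersonation and the second-hop access still fails, the LogonUser caveat quoted above applies: a process started from such a token has no network credentials to present to \\MachineB, so the redirector is refused. If Granted is Delegation, the token can be duplicated as a primary token at SecurityDelegation and the child process will authenticate to the share as the client.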

