Re: INTERACTIVE group missing after SSPI auth

Jeffrey Tan[MSFT] wrote:
> Hi Sami,
>
> Thanks for your feedback.
>
> I'm Jeffrey, I will continue to help you on this issue.
>
> I have reviewed your question. I agree with "Richard Ward" that I do not think your problem is caused by a missing INTERACTIVE group SID in the process token.
>
> Normally, the Interactive SID means: "A group that includes all users who have logged on interactively. Membership is controlled by the operating system." So only a process in an interactive logon session can have the Interactive SID.
>
> Now, let's turn to our original issue. In a normal situation, we should be able to access the WINDOWS\System32 directory in a process without the Interactive SID. I have done a test to demonstrate this:
> I created an Asp.net application, which on Win2003 runs under the w3wp.exe process. With PView.exe (from the Platform SDK), we can view w3wp's token, and we find that there is no Interactive group SID in this token (while other interactive process tokens have this group SID). However, we can access cmd.exe in WINDOWS\System32 on Win2003 without any problem. I use the C# .Net Process class, code listed below:
>
>     private void Button1_Click(object sender, System.EventArgs e)
>     {
>         System.Diagnostics.Process.Start("cmd.exe");
>     }
>
> After executing the above code snippet in Asp.net, I can use Task Manager to find the newly created cmd.exe. So it really works.
>
> Can you show me how to launch cmd.exe in your network logon session process? If you use the CreateProcess API, can you show me the error result?

CreateProcess() returns 5 (which is ERROR_ACCESS_DENIED). I get the access token as I documented in my first post:


----
After SSPI-authentication (CompleteAuthToken() has returned
successfully) I get the user's access token by running
ImpersonateSecurityContext(), then getting the token with
OpenThreadToken(). I use DuplicateTokenEx() to make a primary token, so
I can use it with CreateProcessAsUser().
----

When I manually add SJLVPCWS2003\Users to have "Read & Execute" permissions for cmd.exe and whoami.exe, cmd.exe can be executed.

In the resulting cmd.exe session, running whoami gives me following info:

----
USER INFORMATION
----------------

User Name  SID
========== ============================================
sjl2kd\sjl S-1-5-21-1957994488-573735546-839522115-1106


GROUP INFORMATION
-----------------

Group Name                       Type             SID                                          Attributes
================================ ================ ============================================ ==================================================
Everyone                         Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK             Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization   Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
SJL2KD\Remote Desktop Users      Group            S-1-5-21-1957994488-573735546-839522115-1119 Mandatory group, Enabled by default, Enabled group
SJL2KD\Foo                       Group            S-1-5-21-1957994488-573735546-839522115-1110 Mandatory group, Enabled by default, Enabled group



PRIVILEGES INFORMATION
----------------------

Privilege Name          Description              State
======================= ======================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled

----

After adding SJLVPCWS2003\Users to have access to the programs, this is what cacls gives me:

----
C:\WINDOWS\system32>cacls cmd.exe
C:\WINDOWS\system32\cmd.exe BUILTIN\Administrators:F
                            NT AUTHORITY\INTERACTIVE:R
                            NT AUTHORITY\SERVICE:R
                            NT AUTHORITY\SYSTEM:F
                            SJLVPCWS2003\TelnetClients:R
                            BUILTIN\Users:R


C:\WINDOWS\system32>cacls whoami.exe
C:\WINDOWS\system32\whoami.exe BUILTIN\Administrators:F
                               NT AUTHORITY\BATCH:R
                               NT AUTHORITY\INTERACTIVE:R
                               NT AUTHORITY\SERVICE:R
                               NT AUTHORITY\SYSTEM:F
                               BUILTIN\Users:R
----

As you can see, a normal user cannot access cmd.exe without the INTERACTIVE SID in the token.

I hope we are on the same page now on this.

--
sjl@xxxxxxx
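The thread turns on one fact: a token produced by a network logon carries NT AUTHORITY\NETWORK (S-1-5-2) and never NT AUTHORITY\INTERACTIVE (S-1-5-4), so the default System32 ACEs granted to INTERACTIVE do not match it, and CreateProcessAsUser() fails with ERROR_ACCESS_DENIED until an ACE for a group the token does hold (here BUILTIN\Users) is added. The PowerShell script below is an added diagnostic, not code from either poster: run it as the account whose token you are debugging (for instance from a process started with that token) and it lists which logon-type SIDs the token carries and which ACEs on the target executable actually match a SID in that token. The path parameter and the output wording are this example's own assumptions.

```powershell
# Added example: explain an ERROR_ACCESS_DENIED on a program launch by comparing
# the current token's SIDs with the DACL of the executable being launched.
# Assumption: run under the token you want to inspect; $Path is the program.
param(
    [string]$Path = "$env:SystemRoot\System32\cmd.exe"
)

# Logon-type SIDs that the OS adds to a token according to how the logon was made.
# A network logon (SSPI over the wire) gets NETWORK, never INTERACTIVE.
$logonSids = @{
    'S-1-5-2' = 'NT AUTHORITY\NETWORK'
    'S-1-5-3' = 'NT AUTHORITY\BATCH'
    'S-1-5-4' = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-6' = 'NT AUTHORITY\SERVICE'
}

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

Write-Host "Token for $($identity.Name) carries these logon-type SIDs:"
foreach ($sid in $tokenSids) {
    if ($logonSids.ContainsKey($sid)) {
        Write-Host ("  {0,-10} {1}" -f $sid, $logonSids[$sid])
    }
}
if ('S-1-5-4' -notin $tokenSids) {
    Write-Host "  (no INTERACTIVE SID: ACEs granted to NT AUTHORITY\INTERACTIVE will not apply)"
}

# Walk the DACL and keep only the ACEs whose trustee SID is present in the token.
$acl = Get-Acl -Path $Path
Write-Host "`nACEs on $Path that apply to this token:"
$matched = $false
foreach ($ace in $acl.Access) {
    try {
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        continue   # unresolvable trustee; it cannot match this token anyway
    }
    if ($aceSid -in $tokenSids) {
        $matched = $true
        Write-Host ("  {0,-6} {1,-35} {2}" -f $ace.AccessControlType, $ace.IdentityReference, $ace.FileSystemRights)
    }
}
if (-not $matched) {
    Write-Host "  none: a launch with this token will fail with ERROR_ACCESS_DENIED (5)"
}
```

On the default System32 ACL quoted in the thread, a network-logon token for a plain domain user matches no ACE at all, which is the access-denied case; after BUILTIN\Users:R is added, the script lists that single Allow ACE as the one that lets the launch succeed. Granting the executable to a group the token really holds is narrower than handing the user an interactive logon right, so it is the preferable fix when the service only needs to run specific programs on the caller's behalf.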