RE: Different credentials for remote registry/SCM access
- From: jetan@xxxxxxxxxxxxxxxxxxxx ("Jeffrey Tan[MSFT]")
- Date: Thu, 26 Oct 2006 09:24:34 GMT
Hi Steve,
Based on my understanding, you wanted to write a customized application to
allow the normal user to remotely stop/restart Windows Services and change
registry configuration. However, since these operations require Admin rights, you
want to find a way to run your application under the Admin security context for
a moment for these high privilege tasks. If I have misunderstood you,
please feel free to tell me, thanks.
Yes, your requirement is a classic impersonation usage. Since you have the
username/password of the Admin account, your application can call the LogonUser
API with the username/password of Admin to launch an Admin account's logon
session. This API will return a security token, which is a handle that points to
the logon session.
Then you should first call the DuplicateToken API to translate this primary
token into an impersonation token by passing SecurityImpersonation as the
second parameter (translating the primary token into an impersonation token is a
requirement of the SetThreadToken API). Then call the SetThreadToken API to
set the current thread token to Admin's security impersonation token, so
that your current thread is executing under Admin's security context.
Then you may perform all the high privilege tasks. This process is
called Impersonation in Windows security programming.
After performing the tasks, you may call the RevertToSelf API to return to the
original user security context. This is critical, since from a security
perspective you really want to limit the high privilege execution time
to a minimum.
The article below demonstrates the logic in C#:
"Windows Impersonation using C#"
http://www.codeproject.com/csharp/cpimpersonation1.asp
My reply below provided a working code snippet in C/C++:
http://groups.google.com/group/microsoft.public.win32.programmer.kernel/msg/679a95c3a4d1af5a?hl=zh-CN&
Finally, caching the password in the application raises a serious security concern;
to deal with the password more securely, you may follow the suggestions in the
article below:
"Handling Passwords"
http://windowssdk.msdn.microsoft.com/en-us/library/ms717799.aspx
Hope this helps.
Best regards,
Jeffrey Tan
Microsoft Online Community Support
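The LogonUser / DuplicateToken / SetThreadToken / RevertToSelf sequence described in the reply above, as an added C# example that is not the post's or the linked article's code. It assumes the Admin credentials are supplied by the caller at the moment they are needed (not stored by the application) and that the privileged work is passed in as a delegate; the P/Invoke declarations map directly onto the Win32 APIs named in the post.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example: the thread is switched to the Admin context only for the
// duration of 'privilegedWork' and reverted in 'finally', even on failure.
static class AdminImpersonation
{
    // LOGON32_LOGON_INTERACTIVE: the token can authenticate to a remote machine
    // (a LOGON32_LOGON_NETWORK session cannot, so it is unsuitable for remote SCM/registry work).
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT  = 0;
    const int SecurityImpersonation     = 2;   // SECURITY_IMPERSONATION_LEVEL value

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int provider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateToken(IntPtr token, int level, out IntPtr dupToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool SetThreadToken(IntPtr thread, IntPtr token); // thread == NULL: current thread
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool RevertToSelf();
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs 'privilegedWork' (e.g. the service-control or registry call) as the Admin account.
    public static void RunAsAdmin(string user, string domain, string password, Action privilegedWork)
    {
        IntPtr primary = IntPtr.Zero, impersonation = IntPtr.Zero;
        try
        {
            // 1. Create a logon session for the Admin account; yields a primary token.
            if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                           LOGON32_PROVIDER_DEFAULT, out primary))
                throw new Win32Exception();
            // 2. SetThreadToken requires an impersonation token, so duplicate the primary one.
            if (!DuplicateToken(primary, SecurityImpersonation, out impersonation))
                throw new Win32Exception();
            // 3. Switch only the current thread to the Admin security context.
            if (!SetThreadToken(IntPtr.Zero, impersonation))
                throw new Win32Exception();
            privilegedWork();
        }
        finally
        {
            // 4. Always drop back to the original user and release both token handles.
            RevertToSelf();
            if (impersonation != IntPtr.Zero) CloseHandle(impersonation);
            if (primary != IntPtr.Zero) CloseHandle(primary);
        }
    }
}
```

Keeping the impersonated region to a single call and reverting in `finally` is what bounds the high-privilege window the post warns about; a failed step surfaces the Win32 error code rather than silently continuing under the wrong token.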