Re: How to Stop a Service From Impersonating Other Users
From: S. Pidgorny
Date: 11/24/05
- In reply to: Will: "How to Stop a Service From Impersonating Other Users"
Date: Thu, 24 Nov 2005 19:58:38 +1100
You cannot - the SYSTEM account can impersonate other users. Change the service
account to one without the "Act as a part of the operating system" right.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"Will" <DELETE_westes@earthbroadcast.com> wrote in message
news:X7mdnXQL0_c_XhnenZ2dnUVZ_t-dnZ2d@giganews.com...
> I got a rude surprise after installing McAfee's Managed VirusScan software
> on our network. The McAfee service - without ever asking any permission
> or exposing any configuration setting to the admin - simply impersonates
> any user who logs into the console of a machine on which it resides, in
> order to be able to get Internet access and do downloads of updates. While
> the goal is straightforward and McAfee is a name to trust, it is appalling
> to me that they think it is okay to log in to a machine at 3am in the
> morning as the Enterprise Administrator and not even get permission to do
> that!!
>
> How can I stop any service that runs as SYSTEM from being able to
> impersonate any user who logs into a console? And what is really strange
> to me is how can McAfee do this unless they are monitoring the keyboard
> and stealing passwords? You can't impersonate a user without the full SID
> and password even if you have the privileges to do so, can you?
>
> I need an education on how impersonation works and how its behavior can be
> modified through Group Policy.
>
> --
> Will
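
An audit sketch for the advice in the reply above, added here as an example and not part of either poster's message or of any vendor's tooling: it lists the services that log on as SYSTEM and the accounts explicitly granted "Act as part of the operating system" (SeTcbPrivilege). The service name `ExampleSvc` and account `.\svc-example` in the last step are hypothetical placeholders.

```powershell
# Added example. Run from an elevated prompt: secedit needs administrator rights.

# 1. Services whose logon account is LocalSystem (SYSTEM).
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' } |
    Sort-Object Name |
    Select-Object Name, DisplayName, State, StartName |
    Format-Table -AutoSize

# 2. Export the user-rights assignments and read the SeTcbPrivilege entry.
#    LocalSystem holds this privilege implicitly and is not listed in the export.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$entry = Select-String -Path $cfg -Pattern '^SeTcbPrivilege\s*=' |
    Select-Object -First 1

if ($entry) {
    # Value is a comma-separated list of account names or SIDs prefixed with '*'.
    $holders = ($entry.Line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }

    foreach ($h in $holders) {
        if ($h -match '^S-1-') {
            try {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($h)
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $name = '(unresolved SID)'
            }
            '{0}  {1}' -f $h, $name
        } else {
            $h
        }
    }
} else {
    'SeTcbPrivilege is not explicitly assigned to any account.'
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 3. Moving a service to a dedicated account (hypothetical names, left commented out).
#    Use sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content.
# sc.exe config ExampleSvc obj= ".\svc-example" password= "<password>"
```

The replacement account also needs the "Log on as a service" right, and the service may depend on SYSTEM-level access, so test the change before rolling it out.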