Re: How to Stop a Service From Impersonating Other Users

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 11/24/05


Date: Thu, 24 Nov 2005 05:35:45 -0700

I believe you are misusing the term "impersonation".
To impersonate a different principal, what is needed is the
user token of that principal, usually obtained from a process
running in the context of that principal. The account that does
the impersonation needs to be flagged as trusted to impersonate.
System, acting as part of the trusted computing base of the OS,
is not doing impersonation. It is simply using the name or
SID of the account in order to obtain a user token for that account.

"Will" <DELETE_westes@earthbroadcast.com> wrote in message
news:0tudnUy0fcXBAxjenZ2dnUVZ_vydnZ2d@giganews.com...
> Can you provide more details about what a service requires to do
> impersonation? If it has your SID alone, is that enough? The service
> doesn't require your password?
>
> --
> Will
>
>
> "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
> news:uCahHVN8FHA.3660@TK2MSFTNGP09.phx.gbl...
>> you cannot - SYSTEM account can impersonate other users. Change the
>> service account to one without "Act as a part of the operating system" right.
>>
>> --
>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>> -= F1 is the key =-
>
>



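The thread's practical advice is to find which services run in the SYSTEM context and which accounts have been granted "Act as part of the operating system" (SeTcbPrivilege), then move the service onto a dedicated account that lacks that right. The script below is an added example of that audit and is not code from the original thread or from either poster. It assumes an elevated PowerShell 5.1 or later session on the host being checked; the service name MyAppSvc and the account .\svc_myapp in the last step are hypothetical placeholders.

```powershell
# Added example, not from the original thread.
# Assumes an elevated PowerShell session (secedit needs admin rights).
# "MyAppSvc" and ".\svc_myapp" below are hypothetical placeholder names.

# 1. Services running as LocalSystem, i.e. in the SYSTEM context.
#    Win32_Service.StartName is the logon account the SCM starts the service as.
$systemServices = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' } |
    Select-Object Name, DisplayName, State, PathName
$systemServices | Format-Table -AutoSize

# 2. Accounts granted SeTcbPrivilege ("Act as part of the operating system")
#    in the local security policy. secedit writes the user-rights assignments
#    to an INI-style file; the value is a comma-separated list of SIDs
#    (each prefixed with '*') or account names. SYSTEM holds this privilege
#    inherently, so it does not appear here unless explicitly added.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$tcbLine = Get-Content $cfg | Where-Object { $_ -match '^SeTcbPrivilege\s*=' }
if ($tcbLine) {
    $holders = ($tcbLine -split '=', 2)[1].Trim() -split ','
    foreach ($h in $holders) {
        $id = $h.Trim().TrimStart('*')
        try {
            # Translate a SID to an account name; a plain name fails the
            # SID constructor and is reported as-is.
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($id)
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = $id
        }
        "SeTcbPrivilege holder: $name"
    }
} else {
    'No account is explicitly granted SeTcbPrivilege in the local policy.'
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 3. Re-point a service at a dedicated, least-privilege account.
#    sc.exe requires the space after each '='. The account must hold
#    "Log on as a service" (SeServiceLogonRight) or the service will not start.
#    Uncomment and substitute real values before running.
# sc.exe config MyAppSvc obj= ".\svc_myapp" password= "<password>"
```

Step 2 only reports what the policy grants; a running service's effective privileges come from its token, so after changing the account confirm with `whoami /priv` from within that service's context (or inspect its process token) that SeTcbPrivilege is absent.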