Re: How to Stop a Service From Impersonating Other Users

From: Will (DELETE_westes_at_earthbroadcast.com)
Date: Thu, 24 Nov 2005 12:01:30 -0800

So mechanically can you spell out the steps by which a service that does run
as SYSTEM could use a user token of a user who has logged into that console
to do a separate login on its own at 3am, when no one is logged into the
console of the computer?

1) The service can monitor for interactive logins. That probably gives it
the SID.

2) The service can request the user token based on the SID as input, and now
it has that information.

3) Now the service does what with that user token to run in that user's
security context when no one is logged into the machine?

The Windows NT / 2000 programming APIs contain functions that have the word
'impersonation' in them. If I am misunderstanding what that word means, I
would ask you to define what Microsoft meant by the word. The behavior I
am seeing in sniffer and Event Viewer logs unquestionably documents that a
service running as SYSTEM on a specific computer is getting access to the
Internet at times when no one is logged into the console. It can only do
that by impersonating the user and assuming their security context, because
our firewall only allows outgoing connections to the Internet from specific
domain-authenticated userids (the firewall is verifying the credentials with
the domain controller independently).

-- 
Will
"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:uJYpZOP8FHA.2132@TK2MSFTNGP10.phx.gbl...
> I believe you are misusing the term "impersonation"
> To impersonate a different principal what is needed is the
> user token of that principal usually obtained from a process
> running in context of that principal.  The account that does
> the impersonation needs to be flagged as trusted to impersonate.
> System, acting as part of the trusted computing base of the OS
> is not doing impersonation.  It is simply using the name or
> SID of the account in order to obtain a user token for that account.
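The condition Will is reading out of his logs, a domain account authenticating from a host while nobody holds a console session on it, can be checked mechanically. The script below is an added example, not code from this thread; its records are constructed, use a simplified field layout rather than the raw Event Viewer format, and assume the NT/2000/2003 security-log ids 528 (successful logon) and 538 (user logoff) together with the standard Windows logon-type numbers.

```python
"""Flag authenticated activity by a domain user who has no live console
session on the host at that moment.  Added example; records are constructed."""

INTERACTIVE = 2       # logon type 2: console logon
NETWORK = 3           # logon type 3: network logon (share access, proxy auth)
NEW_CREDENTIALS = 9   # logon type 9: cloned token with alternate credentials

LOGON, LOGOFF = 528, 538   # NT/2000/2003 security log event ids

# Constructed records: (timestamp, event id, account, logon type).
# Alice logs on at the console, works, logs off; at 03:00 the host
# authenticates as her again with nobody at the console.
EVENTS = [
    ("2005-11-23 17:05:00", LOGON,  "CORP\\alice", INTERACTIVE),
    ("2005-11-23 17:06:10", LOGON,  "CORP\\alice", NETWORK),
    ("2005-11-23 18:30:00", LOGOFF, "CORP\\alice", INTERACTIVE),
    ("2005-11-24 03:00:12", LOGON,  "CORP\\alice", NETWORK),
    ("2005-11-24 03:00:13", LOGON,  "CORP\\alice", NEW_CREDENTIALS),
]


def find_unattended_logons(events):
    """Return (timestamp, account, logon type) for every non-interactive
    logon by an account that has no open console session at that time.
    Timestamps are ISO-style strings, so tuple sort orders them correctly."""
    console = set()      # accounts currently holding a console session
    findings = []
    for stamp, event_id, account, logon_type in sorted(events):
        if logon_type == INTERACTIVE:
            # Track console presence; a missing logoff record would leave the
            # account marked present, so treat absences as a lower bound.
            if event_id == LOGON:
                console.add(account)
            elif event_id == LOGOFF:
                console.discard(account)
            continue
        if event_id == LOGON and account not in console:
            findings.append((stamp, account, logon_type))
    return findings


if __name__ == "__main__":
    for stamp, account, logon_type in find_unattended_logons(EVENTS):
        print(f"{stamp}  {account}  logon type {logon_type}: no console session")
```

Any hit names a time window to line up against the firewall's sniffer log and the service's own activity; the 17:06 network logon is not reported because Alice was at the console then.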
