Re: How to Stop a Service From Impersonating Other Users

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 11/25/05


Date: Fri, 25 Nov 2005 09:07:19 -0700

Will,

Some long reading in MSDN library would be your best friend here.
The difference to keep in sight is whether SE_TCB_NAME right is
or is not required for an API. This is the "Act as part of the OS" right
which Slav pointed out earlier.

If you were to look at the "impersonation" functions in the API they
rely on one already having obtained a user token of the account that
a spawned process is going to run under (i.e. impersonate).
In order for your scenario to be doing impersonation it means that
the service has been holding such a token for the account, which
means that the account has been kept logged in (even though to the
user of the machine they believe they logged off) as not all tokens
have been disposed.

It is my understanding that with SE_TCB_NAME rights one can
do more in the way of originating or modifying an existing user token
than what you will find covered in the public APIs. A process without
the right can only cause a process to run in the context of a different
account by impersonating that account, which means it has somehow
obtained a token for that account such as by being handed it by the
account in a call to the service or such as by having the account name
and password in order to do a UserLogonEx to get a token.

"Will" <DELETE_westes@earthbroadcast.com> wrote in message
news:luudnQlfFY6GgRvenZ2dnUVZ_sydnZ2d@giganews.com...
> So mechanically can you spell out the steps by which a service that does run
> as SYSTEM could use a user token of a user who has logged into that console
> to do a separate login on its own at 3am, when no one is logged into the
> console of the computer?
>
> 1) The service can monitor for interactive logins. That probably gives it
> the SID.
>
> 2) The service can request the user token based on the SID as input, and now
> it has that information.
>
> 3) Now the service does what with that user token to run in that user's
> security context when no one is logged into the machine?
>
> The Windows NT / 2000 programming APIs contain functions that have the word
> 'impersonation' in them. If I am misunderstanding what that word means, I
> would ask you to define what Microsoft meant by the word. The behavior I
> am seeing in sniffer and eventviewer logs unquestionably documents that a
> service running as SYSTEM on a specific computer is getting access to the
> Internet at times when no one is logged into the console. It can only do
> that by impersonating the user and assuming their security context, because
> our firewall only allows outgoing connections to the Internet from specific
> domain-authenticated userids (the firewall is verifying the credentials with
> the domain controller independently).
>
> --
> Will
>
>
> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> news:uJYpZOP8FHA.2132@TK2MSFTNGP10.phx.gbl...
>> I believe you are misusing the term "impersonation".
>> To impersonate a different principal what is needed is the
>> user token of that principal usually obtained from a process
>> running in context of that principal. The account that does
>> the impersonation needs to be flagged as trusted to impersonate.
>> System, acting as part of the trusted computing base of the OS
>> is not doing impersonation. It is simply using the name of or
>> sid of the account in order to obtain a user token for that account.
>
>
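Whatever the service used to get hold of a token (LogonUser with stored credentials, a token never disposed after the user logged off), Will's 3am scenario leaves the same trace in the Security log: a logon for a user account while that account has no interactive session open. The script below is an added example, not code from the thread: it walks constructed, simplified log lines and reports such orphan logons with the process that produced them. Event IDs 4624/4634/4647 and logon types 2/10/11 are real Windows values; the key=value line format, the account name and the file paths are constructed for the example.

```python
"""Flag 4624 logons for an account that has no interactive session open at the time.
Added example; log lines are a constructed key=value rendering of Security events 4624/4634/4647."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

INTERACTIVE_TYPES = {2, 10, 11}  # Interactive, RemoteInteractive, CachedInteractive

@dataclass
class Event:
    when: datetime
    event_id: int
    account: str
    logon_type: int | None
    process: str

def parse_line(line: str) -> Event:
    """Parse 'YYYY-mm-dd HH:MM:SS Key=Value ...' (constructed format, no spaces in values)."""
    stamp, rest = line[:19], line[20:]
    fields = dict(kv.split("=", 1) for kv in rest.split())
    lt = fields.get("LogonType")
    return Event(datetime.fromisoformat(stamp), int(fields["EventID"]), fields["Account"],
                 int(lt) if lt is not None else None, fields.get("Process", "-"))

def find_orphan_logons(lines: list[str]) -> list[tuple[str, str, int | None, str]]:
    """Return (time, account, logon_type, process) for each 4624 whose account has no
    interactive session open at that moment. Input must be in chronological order."""
    open_sessions: dict[str, int] = {}  # account -> number of open interactive sessions
    findings = []
    for ev in map(parse_line, lines):
        if ev.event_id == 4624 and ev.logon_type in INTERACTIVE_TYPES:
            open_sessions[ev.account] = open_sessions.get(ev.account, 0) + 1
        elif ev.event_id == 4647 or (ev.event_id == 4634 and ev.logon_type in INTERACTIVE_TYPES):
            if open_sessions.get(ev.account, 0) > 0:
                open_sessions[ev.account] -= 1
        elif ev.event_id == 4624 and open_sessions.get(ev.account, 0) == 0:
            # Nobody is at the console, yet some process holds or just obtained a token
            # for this account (LogonUser, an undisposed token, a scheduled task ...).
            findings.append((ev.when.isoformat(sep=" "), ev.account, ev.logon_type, ev.process))
    return findings

# Constructed sample: Will logs on at the console, logs off in the evening, then a
# service obtains a network-type logon for his account at 3am.
SAMPLE_LOG = [
    "2005-11-24 17:02:10 EventID=4624 LogonType=2 Account=CORP\\will Process=C:\\Windows\\System32\\winlogon.exe",
    "2005-11-24 17:05:44 EventID=4624 LogonType=3 Account=CORP\\will Process=-",
    "2005-11-24 18:30:02 EventID=4647 Account=CORP\\will",
    "2005-11-25 03:00:12 EventID=4624 LogonType=3 Account=CORP\\will Process=C:\\svc\\agent.exe",
]
```

Hits are candidates for review rather than verdicts: a legitimate scheduled task running under the account (logon type 4) shows up the same way, which is exactly why the process name is part of the finding.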