Re: How to Stop a Service From Impersonating Other Users

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 11/25/05


Date: Fri, 25 Nov 2005 09:07:19 -0700

Will,

Some long reading in MSDN library would be your best friend here.
The difference to keep in sight is whether SE_TCB_NAME right is
or is not required for an API. This is the Act as part of the OS right
which Slav pointed out earlier.

If you were to look at the "impersonation" functions in the API they
rely on one already having obtained a user token of the account that
a spawned process is going to run under (i.e. impersonate).
In order for your scenario to be doing impersonation it means that
the service has been holding such a token for the account, which
means that the account has been kept logged in (even though to the
user of the machine they believe they logged off) as not all tokens
have been disposed.

It is my understanding that with SE_TCB_NAME rights one can
do more in the way of originating or modifying an existing user token
than what you will find covered in the public APIs. A process without
the right can only cause a process to run in the context of a different
account by impersonating that account, which means it has somehow
obtained a token for that account such as by being handed it by the
account in a call to the service or such as by having the account name
and password in order to do a LogonUserEx to get a token.

"Will" <DELETE_westes@earthbroadcast.com> wrote in message
news:luudnQlfFY6GgRvenZ2dnUVZ_sydnZ2d@giganews.com...
> So mechanically can you spell out the steps by which a service that does
> run as SYSTEM could use a user token of a user who has logged into that
> console to do a separate login on its own at 3am, when no one is logged
> into the console of the computer?
>
> 1) The service can monitor for interactive logins. That probably gives
> it the SID.
>
> 2) The service can request the user token based on the SID as input, and
> now it has that information.
>
> 3) Now the service does what with that user token to run in that user's
> security context when no one is logged into the machine?
>
> The Windows NT / 2000 programming APIs contain functions that have the
> word 'impersonation' in them. If I am misunderstanding what that word
> means, I would ask you to define what Microsoft meant by the word. The
> behavior I am seeing in sniffer and eventviewer logs unquestionably
> documents that a service running as SYSTEM on a specific computer is
> getting access to the Internet at times when no one is logged into the
> console. It can only do that by impersonating the user and assuming
> their security context, because our firewall only allows outgoing
> connections to the Internet from specific domain-authenticated userids
> (the firewall is verifying the credentials with the domain controller
> independently).
>
> --
> Will
>
>
> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> news:uJYpZOP8FHA.2132@TK2MSFTNGP10.phx.gbl...
>> I believe you are misusing the term "impersonation"
>> To impersonate a different principal what is needed is the
>> user token of that principal usually obtained from a process
>> running in context of that principal. The account that does
>> the impersonation needs to be flagged as trusted to impersonate.
>> System, acting as part of the trusted computing base of the OS
>> is not doing impersonation. It is simply using the name of or
>> sid of the account in order to obtain a user token for that account.
>
>
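A defender-side check that follows from the discussion above, added here and not part of the thread: it parses the [Privilege Rights] section of an INF file as written by `secedit /export /cfg` and reports any principal outside the Windows defaults that holds SeTcbPrivilege (the SE_TCB_NAME / "Act as part of the operating system" right) or SeImpersonatePrivilege (the "trusted to impersonate" flag). The sample INF text and its SIDs are constructed.

```python
"""Audit which principals hold the token-related rights discussed in the thread.

Input format: the [Privilege Rights] section of a ``secedit /export /cfg``
INF file, one ``SePrivilegeName = *SID,*SID,...`` line per right (an account
name may also appear without the leading asterisk).  Constructed sample below.
"""

# Constructed sample of a secedit export; the domain SID is made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6
SeServiceLogonRight = *S-1-5-80-0,svc_backup
[Version]
signature="$CHICAGO$"
"""

# Rights the thread talks about, and the well-known SIDs that hold them by
# default: Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE.
WATCHED = {"SeTcbPrivilege", "SeImpersonatePrivilege"}
DEFAULT_HOLDERS = {"S-1-5-32-544", "S-1-5-19", "S-1-5-20", "S-1-5-6"}


def parse_privilege_rights(inf_text):
    """Return {privilege: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[Privilege Rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, holders = line.partition("=")
        # Strip the '*' that marks a literal SID; an empty value means nobody.
        rights[name.strip()] = [h.strip().lstrip("*") for h in holders.split(",") if h.strip()]
    return rights


def unexpected_holders(rights):
    """Principals holding a watched right that are not in the default set."""
    findings = {}
    for priv in sorted(WATCHED):
        extra = [p for p in rights.get(priv, []) if p not in DEFAULT_HOLDERS]
        if extra:
            findings[priv] = extra
    return findings


if __name__ == "__main__":
    for priv, who in unexpected_holders(parse_privilege_rights(SAMPLE_INF)).items():
        print(f"{priv}: granted to non-default principal(s) {who}")
```

On a real host, feed the function the file produced by `secedit /export /cfg <file>` and resolve any reported SID to an account name before deciding whether the grant is intended.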


