Re: How to Stop a Service From Impersonating Other Users
From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 11/25/05
- Next message: tequila: "win 2003 AD + exchange problem"
- Previous message: Roger Abell [MVP]: "Re: How to Stop a Service From Impersonating Other Users"
- In reply to: Will: "How to Stop a Service From Impersonating Other Users"
- Next in thread: Will: "Re: How to Stop a Service From Impersonating Other Users"
- Reply: Will: "Re: How to Stop a Service From Impersonating Other Users"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 25 Nov 2005 09:36:22 -0700
Getting back to the intent of the initial posting . . .
I find this also to be a rude behavior.
Let's assume that the application must run with System rights in order
to do its work (on-access scanning for all accounts, for example).
Is it then appropriate for that code to assume that, since it can, it is
just fine and dandy for it to use the creds of an arbitrary account in
order to go off-box for updates?
In my book no, that is not a well-designed application, at least not
an administrator-friendly one. Recognizing the need to be updated,
I would expect the ability to configure this updating behavior, that
would include, does it happen, on what schedule, using what creds,
etc.
If you were to look at how the software operates, what you may
find is that when an account logs into the machine, a separate service
gets started, as that user, and this lives beyond the login sessions,
and this handles the updating functionality.
"Will" <DELETE_westes@earthbroadcast.com> wrote in message
news:X7mdnXQL0_c_XhnenZ2dnUVZ_t-dnZ2d@giganews.com...
> I got a rude surprise after installing McAfee's Managed VirusScan software
> on our network. The McAfee service - without ever asking any permission
> or exposing any configuration setting to the admin - simply impersonates
> any user who logs into the console of a machine on which it resides, in
> order to be able to get Internet access and do downloads of updates. While
> the goal is straightforward and McAfee is a name to trust, it is appalling
> to me that they think it is okay to log in to a machine at 3am in the
> morning as the Enterprise Administrator and not even get permission to do
> that!!
>
> How can I stop any service that runs as SYSTEM from being able to
> impersonate any user who logs into a console? And what is really strange
> to me is how can McAfee do this unless they are monitoring the keyboard
> and stealing passwords? You can't impersonate a user without the full SID
> and password even if you have the privileges to do so, can you?
>
> I need an education on how impersonation works and how its behavior can be
> modified through Group Policy.
>
> --
> Will
>
>