Full Disclosure mailing list archives
Re: Question for the Windows pros
From: Paul Schmehl <pauls () utdallas edu>
Date: Wed, 18 Jan 2006 13:55:29 -0600
--On Wednesday, January 18, 2006 13:25:55 -0600 Yvan Boily <yboily () gmail com> wrote:
>> The explanations on MS's site are vague enough that they're meaningless. What services running on Windows allow clients to access them? And if they do, do they restrict access to the Local Machine? Or do they allow Remote Access? (For example, RPC is clearly remote. Is the Windows Time service?)
>
> Actually, the explanations are not vague or meaningless. It just helps to have an understanding of what this privilege governs. Let's start with the fact that in essence it only applies to Server operating systems, and only to Windows 2000 SP4, or Windows 2003.

This is incorrect. The privilege exists *and* functions on the Workstation operating systems Win2000 SP4 *and* WinXP. I have verified this through testing.
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/authorization_constants.asp

I've already been there and read the page - several times. I understand *in general* what an impersonation privilege is. I need to know *specifically* what "server's clients" can be impersonated when this privilege is applied to an account. So far, I've found nothing on the web that even attempts to address that issue.
> Mike Howard also demonstrates the technique here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure03132003.asp

That's somewhat helpful, in a general way, but still doesn't answer my question.
> RPC is not clearly remote. It is merely a mechanism which is capable of delivering remote calls.

Which is what I meant by clearly remote. IOW, it's capable of accessing resources remotely.
> According to MSDN this is a list of API that require SeImpersonatePrivilege:
> RpcImpersonateClient
> ImpersonateAnonymousToken
> ImpersonateClient
> ImpersonateLoggedOnUser
> ImpersonateSecurityContext
> RpcGetAuthorizationContextForClient
> Reading the API, and the MSDN Documentation on Impersonation and Delegation should illuminate this issue.

Unfortunately, it has not. Again, I understand *in general* what impersonation is, how it works and what it can mean in terms of security.
I am looking *specifically* for what a user who has the privilege Impersonate a client after authentication has the right to do. Does it mean that *anything* that user runs runs under his/her privileges? Does it mean only *local* processes are affected? Does it mean a hacker can access the machine remotely and run under the user's privileges?
IOW, if I have a domain account name "Joe", and I grant "Joe" this privilege, what is placed at risk? The local machine he's logged in to? The entire domain? Only certain services? Saying it's a high risk (like ISS does) and then not defining *precisely* what the risks are is not helpful.
And all I was really asking for is pointers to any white papers or conference presentations that even attempt to illuminate this issue.
It's looking like there are none.
> The short story is though, that any case where any process or thread will execute, either locally or remotely, under another user's security context, impersonation is required.
Can you name one? For example, is the RPC Locator Service affected by this privilege?
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
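An added example, not part of the original post or thread: one way to see which accounts actually hold the privilege being discussed is to parse the `[Privilege Rights]` section of a policy export written by `secedit /export /cfg <file>` and list any holder outside an expected baseline. The baseline set, the sample export and the account SID standing in for "Joe" are assumptions constructed for illustration.

```python
# Assumed baseline of expected holders (well-known SIDs); adjust to local policy.
EXPECTED_HOLDERS = {
    "*S-1-5-32-544": "BUILTIN\\Administrators",
    "*S-1-5-6": "NT AUTHORITY\\SERVICE",
    "*S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "*S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}

# Constructed sample export, not taken from a real host; the S-1-5-21 SID is made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
"""


def privilege_holders(inf_text, privilege="SeImpersonatePrivilege"):
    """Return the accounts/SIDs assigned `privilege` in [Privilege Rights]."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and INF comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().lower() == privilege.lower():
            return [h.strip() for h in value.split(",") if h.strip()]
    return []  # privilege not assigned to anyone in this export


def unexpected_holders(inf_text, expected=EXPECTED_HOLDERS):
    """Return holders of SeImpersonatePrivilege that are not in the baseline."""
    allowed = {sid.upper() for sid in expected}
    return [h for h in privilege_holders(inf_text) if h.upper() not in allowed]


if __name__ == "__main__":
    for holder in unexpected_holders(SAMPLE_INF):
        print("review SeImpersonatePrivilege grant:", holder)
```

A real export is usually UTF-16 encoded, so read it with `open(path, encoding="utf-16")` before passing the text in.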