Full Disclosure mailing list archives

Re: Question for the Windows pros


From: Paul Schmehl <pauls () utdallas edu>
Date: Wed, 18 Jan 2006 13:55:29 -0600

--On Wednesday, January 18, 2006 13:25:55 -0600 Yvan Boily <yboily () gmail com> wrote:

The explanations on MS's site are vague enough that they're meaningless.
What services running on Windows allow clients to access them?  And if
they do, do they restrict access to the Local Machine?  Or do they allow
Remote Access?  (For example, RPC is clearly remote.  Is the Windows
Time service?)

Actually, the explanations are not vague or meaningless.  It just
helps to have an understanding of what this privilege governs.  Let's
start with the fact that in essence it only applies to Server
operating systems, and only to Windows 2000 SP4, or Windows 2003.

This is incorrect. The privilege exists *and* functions on the Workstation operating systems Win2000 SP4 *and* WinXP. I have verified this through testing.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/authorization_constants.asp

I've already been there and read the page - several times. I understand *in general* what an impersonation privilege is. I need to know *specifically* what "server's clients" can be impersonated when this privilege is applied to an account. So far, I've found nothing on the web that even attempts to address that issue.

Mike Howard also demonstrates the technique here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure03132003.asp

That's somewhat helpful, in a general way, but still doesn't answer my question.

RPC is not clearly remote.  It is merely a mechanism which is capable
of delivering remote calls.

Which is what I meant by clearly remote. IOW, it's capable of accessing resources remotely.

According to MSDN this is a list of APIs that require
SeImpersonatePrivilege:

RpcImpersonateClient
ImpersonateAnonymousToken
ImpersonateClient
ImpersonateLoggedOnUser
ImpersonateSecurityContext
RpcGetAuthorizationContextForClient

Reading the API, and the MSDN Documentation on Impersonation and
Delegation should illuminate this issue.

Unfortunately, it has not. Again, I understand *in general* what impersonation is, how it works and what it can mean in terms of security.

I am looking *specifically* for what a user who has the privilege Impersonate a client after authentication has the right to do. Does it mean that *anything* that user runs runs under his/her privileges? Does it mean only *local* processes are affected? Does it mean a hacker can access the machine remotely and run under the user's privileges?

IOW, if I have a domain account name "Joe", and I grant "Joe" this privilege, what is placed at risk? The local machine he's logged in to? The entire domain? Only certain services? Saying it's a high risk (like ISS does) and then not defining *precisely* what the risks are is not helpful.

And all I was really asking for is pointers to any white papers or conference presentations that even attempt to illuminate this issue.

It's looking like there are none.

The short story is though, that any case where any process or thread
will execute, either locally or remotely, under another user's security
context, impersonation is required.

Can you name one? For example, is the RPC Locator Service affected by this privilege?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
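
Added example (not part of the original message): before asking what granting this privilege to "Joe" puts at risk, it helps to know who already holds it. The sketch below parses the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS` file and lists holders of SeImpersonatePrivilege outside an assumed default set; the sample file, the domain SID, and the baseline are constructed for illustration.

```python
# Assumed baseline: well-known SIDs that hold SeImpersonatePrivilege on a
# stock XP SP2 / Server 2003 policy. Adjust to your own baseline.
DEFAULT_HOLDERS = {
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-6": "SERVICE",
}

# Constructed sample of a secedit export (real exports are UTF-16 on disk,
# so open them with encoding="utf-16"). The domain SID is made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6,*S-1-5-21-1111111111-2222222222-3333333333-1105,Joe
[Version]
signature="$CHICAGO$"
Revision=1
"""

def privilege_holders(inf_text, privilege="SeImpersonatePrivilege"):
    """Return the principals assigned `privilege` in a secedit export."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().lower() == privilege.lower():
            # SIDs are written as *S-1-...; unresolved names appear bare.
            return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return []

def non_default_holders(inf_text):
    """Principals holding the privilege beyond the assumed default set."""
    return [p for p in privilege_holders(inf_text)
            if p.upper() not in DEFAULT_HOLDERS]

if __name__ == "__main__":
    for principal in non_default_holders(SAMPLE_INF):
        print("review:", principal)
```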