Vulnerability Development mailing list archives

Re: Windows NT does not check permissions after HANDLEs are open


From: Thor () HammerofGod com
Date: Thu, 30 Aug 2001 06:39:33 -0700

> permissions. Therefore, it is possible to retain access to an object after
> the Creator/Owner or an administrator has changed the ACL simply by
> maintaining an open handle. If the requestor is a service or server-program
> that is expected to run 24/7 the object will remain accessible long after
> the ACL has been altered [think ISAPI, extended stored procedures, et al].

I believe that in domain environments, where the "Enforce user logon
restrictions" setting (Under Kerberos Policy) is enabled by default, this
kind of thing is mitigated by forcing a check against the "access computer
from network" permissions each time a session key is requested.  Is that
different from what you have found?  I know that a "deny access" works instantly,
but you would then have to take an extra step there...  This worked in my
config, anyway.

Of course, if they were already granted a session key for the resource, then
I think you are right.  You would have to force a disconnect with logon time
restrictions otherwise...  Then again, I wonder what would happen after the
default lifetime for a user ticket expired (10 hours), and the access tokens
were renewed?   Hmmm.

Later man!
AD
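To see the handle behaviour the quoted text describes, and to check whether an ACL-based revocation actually took effect, here is an added PowerShell demo (not from either poster). It assumes a scratch file under $env:TEMP created and owned by the current user; the owner's implicit READ_CONTROL/WRITE_DAC rights are what let the cleanup step succeed after the deny ACE is in place.

```powershell
# Added example: NT evaluates the DACL when a HANDLE is opened, not on each use.
# Path and content are constructed for this demo; run on a test machine.
$path = Join-Path $env:TEMP 'handle-acl-demo.txt'
Set-Content -Path $path -Value 'secret'

# 1. Open a read handle while the ACL still permits it (FileShare ReadWrite so
#    later opens are not blocked by sharing, only by the access check).
$fs = [System.IO.File]::Open($path, 'Open', 'Read', 'ReadWrite')

# 2. Revoke: add an explicit Deny FullControl ACE for the current user.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl  = Get-Acl -Path $path
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Deny')
$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl

# 3. A fresh open is refused: the deny ACE is evaluated at open time.
try {
    [System.IO.File]::ReadAllText($path) | Out-Null
    'new open: allowed (unexpected)'
} catch [System.UnauthorizedAccessException] {
    'new open: denied'
}

# 4. The handle opened before the ACL change still reads the data. A service
#    holding such a handle keeps access until the handle is closed, so a
#    revocation is only complete once the holder closes or is restarted.
$reader = New-Object System.IO.StreamReader($fs)
'existing handle: ' + $reader.ReadToEnd().Trim()
$reader.Dispose()
$fs.Dispose()

# 5. Cleanup: the owner may still rewrite the DACL (implicit WRITE_DAC), so drop
#    the deny ACE and remove the scratch file.
$acl = Get-Acl -Path $path
$acl.RemoveAccessRule($deny) | Out-Null
Set-Acl -Path $path -AclObject $acl
Remove-Item -Path $path
```

Expected output is "new open: denied" followed by "existing handle: secret"; if the second line shows the data, the open handle has outlived the ACL change exactly as the quoted text says.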

