FW: "Trusted for Delegation" in W2k

["Darryl W. Malcolm" <DMalcolm () acuent com>]

>  -----Original Message-----
> From:         Anthony Paulina  
> Sent: Wednesday, January 08, 2003 11:00 AM
> To:   Darryl  W. Malcolm; Roy Gehrig
> Subject:      RE: "Trusted for Delegation" in W2k
>
> Very Risky, Don't do it. That setting will allow all services that run
> under the LocalSystem account to communicate to remote computers. Without
> that setting, the only way a service can communicate directly to a remote
> computer is to change the service to run with a logged on user ID,
> commonly called a service account.
>
>
> From TechNet article
> <http://support.microsoft.com/default.aspx?scid=kb;en-us;325894#5>
>
> "Understanding Delegation
> Delegation is the act of allowing a service to impersonate a user account
> or a computer account to access resources throughout the network. In an
> N-tier program, the user authenticates to a middle-tier service. The
> middle-tier service authenticates to a back-end data server on behalf of
> the user. 
>
> Delegation depends on the middle-tier service that is being trusted for
> delegation. If the server is set to Trusted for delegation, the service
> can impersonate a user to use other network services. For example, a user
> runs a Web program and that Web program uses several different SQL
> databases that exist on different servers. When the user authenticates to
> a server (the front-end server) that is trusted for delegation, the server
> can access the SQL database on the other servers as the user. Because the
> server that is trusted for delegation has the user's ticket-granting
> ticket (TGT), it can authenticate to any service on the network. As a
> result, this setting is not a secure setting. In the Windows .NET Server
> family, you can control the services that can impersonate the user by
> using constrained delegation."
>
> Anthony Paulina
> Acuent Inc
> 199 Cherry Hill Rd.
> Parsippany, NJ 07054
> email: apaulina () acuent com
> Phone: (973)541-4285
> Fax: (973)541-2540
>
> -----Original Message-----
> From: Darryl W. Malcolm 
> Sent: Wednesday, January 08, 2003 10:25 AM
> To: Roy Gehrig; Anthony Paulina
> Subject: FW: "Trusted for Delegation" in W2k
>
>
>
> -----Original Message-----
> From: Teodorski, Chris [mailto:cteodorski () ppg com]
> Sent: Monday, January 06, 2003 2:27 PM
> To: '
> Subject: "Trusted for Delegation" in W2k
>
>
> Hello all,
>  
> I have a Win2k Domain Controller and a Win2K web server.........if I trust
> the web server for delegation....what security issues will I be exposing
> myself to?
>  
> Any advice, input would be appreciated.
>  
> Thanks,
>  
> Chris