Vulnerability Development mailing list archives

Re: Windows NT does not check permissions after HANDLEs are open


From: Blue Boar <BlueBoar () thievco com>
Date: Wed, 29 Aug 2001 21:48:05 -0700

c0ncept () hushmail com wrote:

   The component of the NT executive responsible for enforcing ACLs and DACLs is known as the Security Reference Monitor. When a kernel resource is requested, the requesting program specifies the type of access it desires. The SRM checks against the access list, and grants the requestor a HANDLE to the object if the requestor has appropriate rights.
    The check against the ACL only occurs when the HANDLE is first opened, however. If a HANDLE is opened and permissions on the object subsequently change, the original requestor of the object retains the original access-permissions. Therefore, it is possible to retain access to an object after the Creator/Owner or an administrator has changed the ACL simply by maintaining an open handle. If the requestor is a service or server-program that is expected to run 24/7, the object will remain accessible long after the ACL has been altered [think ISAPI, extended stored procedures, et al].


I believe this is documented, though perhaps in a different context.  
If you, as a domain admin, have given someone a right, or group
membership, etc... and they log in with that... they hang onto 
it for the entire time they are logged in.  It becomes part of 
the "security token".  You can yank the right, but they hang onto
it until they log out, or you do a forced logout.  This is from 
the MS certification classes.

I think the same applies in your example.  There's probably a way
to force the handle to go away, then they'd have no rights.  Of course,
the program using the handle would probably fall over dead, too...

                                        BB


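The open-time check the thread describes, shown on a POSIX file as an added example (not code from either poster). It assumes that open(2) and chmod(2) on Unix follow the same rule as the NT Security Reference Monitor: the permission check happens when the descriptor is opened, and a descriptor already held is unaffected when the object's permissions are later revoked. The path under /tmp and the file contents are constructed sample values.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define HELD_STILL_READS 1   /* bit: descriptor opened earlier still reads */
#define FRESH_OPEN_DENIED 2  /* bit: a new open() after revocation fails   */

/* Demonstrates that the access check happens at open time only.
 * Returns a bitmask of the two observations above, or -1 on setup error. */
int stale_handle_retains_access(const char *path)
{
    /* Constructed sample object: a file the caller can initially read. */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "secret\n", 7) != 7) { if (fd >= 0) close(fd); return -1; }
    close(fd);

    /* A long-lived service opens the object while it is still permitted. */
    int held = open(path, O_RDONLY);
    if (held < 0) { unlink(path); return -1; }

    /* The owner later revokes all access on the object itself. */
    if (chmod(path, 0) != 0) { close(held); unlink(path); return -1; }

    int result = 0;

    /* A fresh open is now refused (root is exempt: it bypasses mode bits). */
    int fresh = open(path, O_RDONLY);
    if (fresh < 0) result |= FRESH_OPEN_DENIED; else close(fresh);

    /* The descriptor obtained before the change is unaffected. */
    char buf[16] = {0};
    if (read(held, buf, sizeof buf - 1) == 7 && strcmp(buf, "secret\n") == 0)
        result |= HELD_STILL_READS;

    close(held);
    unlink(path);
    return result;
}

int main(void)
{
    int r = stale_handle_retains_access("/tmp/srm_demo_object");
    printf("held handle still reads: %s\n", (r & HELD_STILL_READS) ? "yes" : "no");
    printf("fresh open denied:       %s\n", (r & FRESH_OPEN_DENIED) ? "yes" : "no");
    return r < 0;
}
```

The defensive takeaway is the one the reply draws: changing the ACL alone does not revoke access already granted; the holder's handle has to be closed, which for a service normally means restarting it.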