Re: Question for the Windows pros
From: Paul Schmehl <pauls () utdallas edu>
Date: Wed, 18 Jan 2006 13:55:29 -0600
--On Wednesday, January 18, 2006 13:25:55 -0600 Yvan Boily <yboily () gmail com> wrote:
This is incorrect. The privilege exists *and* functions on the Workstation
operating systems Win2000 SP4 *and* WinXP. I have verified this through
The explanations on MS's site are vague enough that they're meaningless.
What services running on Windows allow clients to access them? And if
they do, do they restrict access to the Local Machine? Or do they allow
Remote Access? (For example, RPC is clearly remote. Is the Windows
Actually, the explanations are not vague or meaningless. It just
helps to have an understanding of what this privilege governs. Let's
start with the fact that in essence it only applies to Server
operating systems, and only to Windows 2000 SP4, or Windows 2003.
I've already been there and read the page - several times. I understand
*in general* what an impersonation privilege is. I need to know
*specifically* what "server's clients" can be impersonated when this
privilege is applied to an account. So far, I've found nothing on the web
that even attempts to address that issue.
That's somewhat helpful, in a general way, but still doesn't answer my
Mike Howard also demonstrates the technique here:
Which is what I meant by clearly remote. IOW, it's capable of accessing
RPC is not clearly remote. It is merely a mechanism which is capable
of delivering remote calls.
Unfortunately, it has not. Again, I understand *in general* what
impersonation is, how it works and what it can mean in terms of security.
According to MSDN this is a list of API that require
Reading the API, and the MSDN Documentation on Impersonation and
Delegation should illuminate this issue.
I am looking *specifically* for what a user who has the privilege
Impersonate a client after authentication has the right to do. Does it
mean that *anything* that user runs runs under his/her privileges? Does it
mean only *local* processes are affected? Does it mean a hacker can access
the machine remotely and run under the user's privileges?
IOW, if I have a domain account named "Joe", and I grant "Joe" this
privilege, what is placed at risk? The local machine he's logged in to?
The entire domain? Only certain services? Saying it's a high risk (like
ISS does) and then not defining *precisely* what the risks are is not
And all I was really asking for is pointers to any white papers or
conference presentations that even attempt to illuminate this issue.
It's looking like there are none.
The short story is though, that any case where any process or thread
will execute, either locally or remotely, under another user's security
context, impersonation is required.
Can you name one? For example, is the RPC Locater Service affected by this
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
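The thread asks what is exposed when an account holds "Impersonate a client after authentication" (SeImpersonatePrivilege). A first step a defender can take on any machine is to enumerate which accounts actually hold the right, so the assignment can be reviewed against what the box runs. The following PowerShell is an added example written for this page, not code from either poster; it assumes an elevated prompt, a scratch path under $env:TEMP for the exported policy, and that secedit writes the User Rights area with account entries in the `*SID` form (which is what the exporter produces on current Windows).

```powershell
# Added example (not from the original thread): list the accounts on the local
# machine that hold SeImpersonatePrivilege ("Impersonate a client after
# authentication"). Run from an elevated PowerShell prompt.
$privilege = 'SeImpersonatePrivilege'
$inf = Join-Path $env:TEMP 'user-rights.inf'   # assumed scratch path

# Export only the User Rights Assignment area of the local security policy.
secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

# The line of interest looks like:
#   SeImpersonatePrivilege = *S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-544
$line = Get-Content $inf | Where-Object { $_ -match "^\s*$privilege\s*=" }

if (-not $line) {
    "No accounts hold $privilege on this machine."
} else {
    $entries = ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }

    foreach ($entry in $entries) {
        if ($entry -match '^S-1-') {
            # Resolve the SID to an account name; unresolvable SIDs
            # (e.g. a deleted account) are reported as such.
            try {
                $name = ([System.Security.Principal.SecurityIdentifier]$entry).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $name = '(unresolvable SID)'
            }
        } else {
            # Some exporters write plain names rather than SIDs; keep them as-is.
            $name = $entry
        }
        [pscustomobject]@{ Privilege = $privilege; SID = $entry; Account = $name }
    }
}

# Separately, show whether the *current* token carries the privilege; a token
# only ever has it if the account (or a group it is in) was granted it above.
whoami /priv | Select-String $privilege

Remove-Item $inf -ErrorAction SilentlyContinue
```

On a default install the list is normally just Administrators and the SERVICE, LOCAL SERVICE and NETWORK SERVICE identities, which is why the thread's question matters: any additional domain or local user that appears here is one whose processes may act as the clients that authenticate to them, and that entry is what should be justified or removed. The `whoami /priv` line is a quick per-session check; the secedit export is the authoritative view of who has been granted the right.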