mailing list archives
Re: Question for the Windows pros
From: Paul Schmehl <pauls () utdallas edu>
Date: Wed, 18 Jan 2006 16:16:01 -0600
--On Wednesday, January 18, 2006 14:01:18 -0600 Frank Knobbe
<frank () knobbe us> wrote:
What are you granting them su for? Perhaps for a mail migration utility
that runs as administrator, but assumes the security context of a user
to read email from his mailbox (yeah, admin can do that, this is just an
example). Or for running a script remotely against a user workstation
that sets certain things in the Registry in the user context (to gain
access to the Secure Storage or such).
I think I finally figured out what's going on.
We just got ePO this year. I set it up to install the agents throughout
the enterprise and it succeeded on about 20% of our machines. After
testing, I determined that the user had to be local admin for the agent to
install. So, I looked for an alternative, because most of our users aren't
local admins and never will be.
McAfee offers a custom installer (which you have to create using a wizard)
within which you can embed credentials. The embedded credentials are for
an account that has local admin access. I created the installer, began
testing and discovered that, when the logged on user was a User, the
install failed. Back to the drawing board. Called McAfee support. They
said, "User must have the Impersonate client after authentication"
privilege. I tested it. It worked.
Before I ask for a GPO change, I wanted to know what exposure I have. This
is how I understand the process:
1) Joe, who is a User, launches the custom installer (through a login
2) The install process begins running under Joe's credentials (User)
3) At some point in the install process, elevated privileges are required
4) Joe doesn't have them, but he has the Impersonate privilege.
5) Joe's process requests the credentials embedded in the custom installer
6) Joe's process uses those credentials to complete the install, then
This means that the exposure, when granting the privilege, is as follows:
1) If you can launch a process on the local machine AND
2) The process has embedded credentials that are different from the user
launching the process THEN
3) The user gains those credentials' privileges ***for the length of that
From a hacker standpoint, this means that you would already need elevated
privileges in order to take advantage of the user's right to impersonate.
This is a fairly low risk.
So, why did M$ decide to remove this right from the user? Because it
prevents them from installing software on the box.
OK, shoot holes in my theory.
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/