Re: CreateProcessAsUser "loses" privileges, why?



You can google for "non enabled privileges are stripped" in the `groups`
section
to see some posts that explain the difference and the reason.

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


"Stefan Kuhr" <kustt110@xxxxxx> wrote in message
news:4268C11D.4F16D95C@xxxxxxxxx
> Hi Pavel,
>
> Pavel Lebedinsky wrote:
> >
> > What OS is this?
>
> I tested on XP SP2, W2K SP4 and NT4 SP6. All these OS versions exhibit
> the same behaviour. It seems like the process started via CPAU has only
> those privileges that are enabled by default
> (SE_PRIVILEGE_ENABLED_BY_DEFAULT) in the client token. All other
> privileges are non-existent in the token of this process. I also tried
> (on XP only) to enable the SE_DEBUG_NAME privilege in the client token
> before connecting to the named pipe, but this didn't change anything.
>
>
> > [..] Do you also see missing privileges if you start a
> > process with runas?
>
> No, runas works like a charm.
>
> My current solution to the problem is to pass as part of the named pipe
> conversation the PID of the client process to the server. At the server
> end, I then open the process handle and the access token of the client
> process and also impersonate it. I then compare the access token I
> opened and the impersonation token (see if their user and group SID are
> the same) and if both match, start the process with CPAU, but not with
> the (duplicated primary) token from impersonation as before, but instead
> with the access token that I got from opening the process token via PID.
>
> Comparing the token and doing the impersonation anyway seems overkill,
> but this way I can prevent some malicious user from spoofing the server
> by sending an arbitrary PID of a highly privileged process across the
> named pipe which it would then blindly open and create a process in that
> context.
>
> Am I doing something wrong or is there really no solution that is a bit more
> elegant? Can anyone confirm that the token of a process created by CPAU
> is always missing the privileges if it is created from a duplicated
> impersonation token?
>
> TIA,
>
> --
> Stefan

