Re: CreateProcessAsUser "loses" privileges, why?



As a rule of thumb:
impersonation that happens via SSPI does not strip privileges (since it
requires authentication first),
while impersonation that happens by the kernel trusting itself does strip
privileges
(since it does not require authentication).
The rationale being that across a network authentication hop privileges may
mean nothing.

SSPI is the authentication process that uses
InitializeSecurityContext/AcceptSecurityContext/ImpersonateSecurityContext,
and it's used by RPC on top of other transports, by ISA, by
Internet Explorer/IIS 4/5/6,
except rpc-over-LRPC, where LPC ports are used.

This may seem even more confusing, but
you can cross-check yourself via `!token` in KD.

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


"Stefan Kuhr" <kustt110@xxxxxx> wrote in message
news:426DF791.3391102D@xxxxxxxxx
> Hi Ivan,
>
> "Ivan Brugiolo [MSFT]" wrote:
> >
> > Is the SeDebugPrivilege enabled or not before the CreateProcessAsUser call?
> > You can use `!token <handle>` in a recent cdb/ntsd/windbg debugger to
> > see that.
> >
>
> I placed the code that enables the SE_DEBUG_NAME privilege at the wrong
> place in the client. Rats! It now works, the process created by CPAU
> from the duplicated impersonation token has the SE_DEBUG_NAME privilege.
> Just in case I ever wanted to replace this local named pipe connection
> with an LRPC connection, would anything have to be changed? Again: are
> the rules for stripping privileges from an impersonation token via the
> different impersonation variants (ImpersonateNamedPipeClient,
> RpcImpersonate, ...) documented anywhere?
>
> Thanks for your help, Ivan,
>
> --
> Stefan Kuhr
>
> "Lesen schadet der Dummheit"
