Re: Remote process with network access

From: Ivan Brugiolo [MSFT] (ivanbrug_at_online.microsoft.com)
Date: 09/04/04


Date: Sat, 4 Sep 2004 14:15:41 -0700

You are missing a key concept, that is the transmission of credentials.
Let's say you have 3 machines, WinMgmtClient, WinMgmtServer, FileServer.
If you enter the password on WinMgmtClient, you are spending your
authentication hop against WinMgmtServer. The second hop is guaranteed by
Kerberos via Delegation.

If you have an authentication infrastructure like SSL + PlainText
credentials, then you are using a secure channel to transfer plain
credentials to WinMgmtServer, and then you are anyway trusting the
WinMgmtServer to properly use the credentials to access the FileServer
machine, thus performing one authentication hop, because the first hop is
just credentials transmission, not impersonation propagation (I hope you
get the difference between the two). For all what you know, in the
SSL-style case, the WinMgmtServer machine could store the credentials in a
log file. If the WinMgmtServer machine is properly locked-down, there is no
reason to favor an SSL-style authentication over Delegation.

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"chris delaney" <chrisdelaney@discussions.microsoft.com> wrote in message
news:C1D60F84-09CE-49EE-B6B1-0F783CFBD025@microsoft.com...
> These are batch jobs that move files around. The machines are locked down
> properly and I would not want to compromise that.
>
> The way I look at it, if I can provide a userid/pwd that is valid for the
> machine, I should be able to initiate a process on that machine to run code
> installed on that machine and it should have all the rights as if I ran it
> interactively.
>
> thx
>
> "Ivan Brugiolo [MSFT]" wrote:
>
> > The credentials of the account need to be delegatable
> > and the machine account needs to be trusted for delegation.
> >
> > The only reason I can see for not trusting for delegation a machine account
> > is that the machine is compromisable, that is, it's easy to have arbitrary
> > code running as localsystem.
> > If you have code running as localsystem in a machine trusted for delegation,
> > then, if you can induce an authentication over it (for example,
> > by creating a web server and forcing a user to navigate that web server
> > with non-anonymous credentials), then you can impersonate delegatable
> > credentials, and perform any action on behalf of the user.
> >
> > I guess that your scenario is a corporate network where users are allowed
> > to log in as local administrators. In this case, delegation is dangerous.
> >
> > -- 
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > Use of any included script samples are subject to the terms specified at
> > http://www.microsoft.com/info/cpyright.htm
> >
> >
> > "Gerry Hickman" <gerry666uk@yahoo.co.uk> wrote in message
> > news:#Kj3xKHkEHA.2544@TK2MSFTNGP10.phx.gbl...
> > > Ivan Brugiolo [MSFT] wrote:
> > > > The only authentication infrastructure that supports more than one hop is
> > > > Kerberos.
> > >
> > > The problem with this (as I see it) is that Kerberos only works over two
> > > hops after you enable "Delegation" in Active Directory, and no one does
> > > enable it for security reasons. Even if you did enable it, is it not the
> > > case that you have to do this for EVERY remote machine you wanted to
> > > work with, or is it only the second hop machine that needs it?
> > >
> > > Either way, none of the above seems like a sensible option to me.
> > >
> > > -- 
> > > Gerry Hickman (London UK)
> >
> >
> >

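Editor's added example, not code from the thread or from any of its posters. It models the two conditions Ivan states for a Kerberos second hop (the user account must be delegatable, the middle machine account must be trusted for delegation) as checks over the `userAccountControl` bits and the `msDS-AllowedToDelegateTo` attribute one would read from Active Directory, and adds an audit helper that lists the machines where the "code running as localsystem" risk applies. It goes slightly beyond the thread by also handling constrained delegation (a per-SPN allow list), which the thread does not mention. The bit values are the real `userAccountControl` flag values; the account records and names (`batchsvc`, `WINMGMTSERVER$`, `cifs/fileserver.corp.example`, and so on) are constructed sample data.

```python
# Added example, not from the newsgroup thread. It checks the two things Ivan
# says a Kerberos second hop needs (delegatable user, middle machine trusted
# for delegation) and audits for unconstrained delegation. The constants are
# the real userAccountControl bit values; the records below are constructed
# sample data with hypothetical names.

UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
UF_TRUSTED_FOR_DELEGATION = 0x00080000        # unconstrained delegation
UF_NOT_DELEGATED = 0x00100000                 # "sensitive, cannot be delegated"


def delegation_mode(account):
    """Classify a machine (or service) account's delegation setting."""
    uac = account["userAccountControl"]
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"            # may present the user to any service
    if account.get("msDS-AllowedToDelegateTo"):
        return "constrained"              # may present the user only to listed SPNs
    return "none"


def second_hop_allowed(user, middle, backend_spn):
    """Decide whether user -> middle -> backend_spn works via Kerberos delegation.
    Returns (allowed, reason)."""
    if user["userAccountControl"] & UF_NOT_DELEGATED:
        return False, "user account is marked sensitive and cannot be delegated"
    mode = delegation_mode(middle)
    if mode == "unconstrained":
        return True, "middle server is trusted for unconstrained delegation"
    if mode == "constrained":
        if backend_spn in middle["msDS-AllowedToDelegateTo"]:
            return True, "constrained delegation allows " + backend_spn
        return False, "constrained delegation does not list " + backend_spn
    return False, "middle server is not trusted for delegation; second hop fails"


def unconstrained_computers(accounts):
    """Audit helper: computer accounts with unconstrained delegation. On these
    machines, code running as LocalSystem can act as any user who authenticates
    to them, which is the risk the thread raises."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if a["userAccountControl"] & UF_WORKSTATION_TRUST_ACCOUNT
                  and delegation_mode(a) == "unconstrained")


# Constructed sample directory (hypothetical names), as if read from AD.
# 0x200 = NORMAL_ACCOUNT, 0x10000 = DONT_EXPIRE_PASSWORD.
ACCOUNTS = {
    "batchsvc":       {"sAMAccountName": "batchsvc", "userAccountControl": 0x10200},
    "ceo":            {"sAMAccountName": "ceo",
                       "userAccountControl": 0x200 | UF_NOT_DELEGATED},
    "WINMGMTSERVER$": {"sAMAccountName": "WINMGMTSERVER$",
                       "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT
                       | UF_TRUSTED_FOR_DELEGATION},
    "WINMGMTSRV2$":   {"sAMAccountName": "WINMGMTSRV2$",
                       "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
                       "msDS-AllowedToDelegateTo": ["cifs/fileserver.corp.example"]},
    "WORKSTATION7$":  {"sAMAccountName": "WORKSTATION7$",
                       "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT},
}

FILESERVER_SPN = "cifs/fileserver.corp.example"

if __name__ == "__main__":
    for middle in ("WINMGMTSERVER$", "WINMGMTSRV2$", "WORKSTATION7$"):
        ok, why = second_hop_allowed(ACCOUNTS["batchsvc"], ACCOUNTS[middle], FILESERVER_SPN)
        print(f"batchsvc -> {middle} -> {FILESERVER_SPN}: "
              f"{'OK' if ok else 'DENIED'} ({why})")
    print("unconstrained delegation:", unconstrained_computers(ACCOUNTS.values()))
```

Note that none of these checks apply to the SSL + plaintext model Ivan contrasts with: there the middle server holds the password itself and the directory cannot limit what it does with it, which is exactly why he says the choice only matters if that server is not properly locked down. The constrained mode is the way to keep a batch server's second hop to one file server without giving it the blanket trust that the `unconstrained_computers` audit flags.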
