Re: how to pass nt password ?
- From: "Micky" <micky@xxxxxxxxxx>
- Date: Fri, 18 Nov 2005 13:32:55 +0000 (UTC)
"James" <jkklim@xxxxxxxxxxx> wrote in message news:O2mTvx%236FHA.2616@xxxxxxxxxxxxxxxxxxxxxxx
> Perhaps I will explain more.
>
> I run this service monitor application as a thread. For example:
>
> a) I log on in XP and run the service locally on the xp1 local machine.
> b) My application will read a list of machines from a file, e.g. xp1, xp2, xp3, etc.
> c) The service application will generate thread pools every x seconds and reach out to other machines having similar
> services and check whether it is started.
> d) If not started on machine xp2 or xp3, it will attempt to start it on the remote machines.
> e) To start a service on remote machines, it needs to impersonate. Thus I used the function LogonUser described below.
> f) The LogonUser function requires username, domain and password. I can extract username and domain, but I want the
> password which I log on with on xp1 to impersonate on xp2 or xp3 to start the xp2 or xp2 services.
>
> Hope this explains why I want to pass my "password" on to other machines to impersonate.
>
> You see, all MSDN documentation expects the user to enter username, domain and password to impersonate. I can do it in my
> application, but because it is running as a service, it should NOT ask the user for a password.

You didn't mention anything about a service in your OP. That's a different
breed of canine altogether.

Services can have their own credentials. You simply create an account for
your service, with the required credentials, as a post-installation process.
So long as the account exists on the local machine, the service can log in.
And provided the credentials are sufficient to control remote machine
services, that's all you need.

For security, the password should be generated randomly (so even you--the
developer--won't know what it is). The password should then be
encrypted and cached in the local machine registry. Remember to use
SecureZeroMemory to clear the password from memory. If the
password should become corrupt, the service administrator should
be given the means to delete the old account and create a new one
in its place.

Once that's done, only the service itself will know its own password,
and only service administrators should be able to run the service itself.

That's the only way to do it without asking the user to supply a
password. A password would only be required if the service is run
under impersonation (with Run As...).

The only other way to do it is to ask the user to enter the impersonation
credentials one time only and immediately cache the details in encrypted
form. However that poses a severe security breach, since any user can
then run the service using elevated credentials. A big no-no!
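
The procedure described in the reply above (random password, encrypted and cached in the local machine registry, plaintext cleared after use), as an added C# example that is not part of the original post. The registry path, the `apply`/`use` callbacks, the `serviceAccount` parameter and the choice of DPAPI (`ProtectedData`) for the encryption are assumptions; `Array.Clear` stands in for `SecureZeroMemory` in managed code.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Cryptography;   // ProtectedData: reference System.Security.dll
using System.Security.Principal;
using System.Text;
using Microsoft.Win32;

static class ServiceSecret
{
    // Hypothetical registry location and value name, chosen for this example.
    const string KeyPath = @"SOFTWARE\ExampleMonitor", ValueName = "AccountSecret";

    // Installer side, run elevated. 'apply' is a hypothetical callback that sets the password on 'serviceAccount'.
    public static void Provision(string serviceAccount, Action<char[]> apply)
    {
        byte[] raw = new byte[24], plain = null; char[] pwd = new char[32]; // base64 of 24 bytes is 32 chars
        try {
            using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
            Convert.ToBase64CharArray(raw, 0, raw.Length, pwd, 0);
            apply(pwd);
            plain = Encoding.Unicode.GetBytes(pwd);
            byte[] blob = ProtectedData.Protect(plain, null, DataProtectionScope.LocalMachine);
            // Machine-scope DPAPI lets any local process decrypt the blob, so the key's
            // ACL is the gate: administrators full control, service account read-only.
            RegistrySecurity acl = new RegistrySecurity();
            acl.SetAccessRuleProtection(true, false);   // drop inherited entries
            acl.AddAccessRule(new RegistryAccessRule(
                new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null),
                RegistryRights.FullControl, AccessControlType.Allow));
            acl.AddAccessRule(new RegistryAccessRule(serviceAccount, RegistryRights.ReadKey, AccessControlType.Allow));
            using (RegistryKey key = Registry.LocalMachine.CreateSubKey(KeyPath, RegistryKeyPermissionCheck.ReadWriteSubTree, acl))
                key.SetValue(ValueName, blob, RegistryValueKind.Binary);
        } finally { Wipe(raw); Wipe(plain); Wipe(pwd); }
    }
    // Service side: decrypt, hand the password to 'use', then wipe the plaintext.
    public static void WithPassword(Action<char[]> use)
    {
        byte[] plain = null; char[] pwd = null;
        try {
            using (RegistryKey key = Registry.LocalMachine.OpenSubKey(KeyPath)) {
                byte[] blob = key == null ? null : key.GetValue(ValueName) as byte[];
                if (blob == null) throw new InvalidOperationException("Cached secret missing: re-provision the account.");
                // Unprotect throws CryptographicException when the cached blob is corrupt.
                plain = ProtectedData.Unprotect(blob, null, DataProtectionScope.LocalMachine);
            }
            pwd = Encoding.Unicode.GetChars(plain);
            use(pwd);
        } finally { Wipe(plain); Wipe(pwd); }
    }
    static void Wipe(Array a) { if (a != null) Array.Clear(a, 0, a.Length); }
}
```

`CreateSubKey` applies the supplied ACL only when it creates the key, so a re-provisioning tool should delete the old key first. Both failure paths in `WithPassword` correspond to the "password should become corrupt" case, where the administrator recreates the account.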