Re: Can't get something basic to work (WMI)
From: Ivan Brugiolo [MSFT] (ivanbrug_at_online.microsoft.com)
Date: 04/18/04
- Next message: daniel kaplan: "minimize AND hide"
- Previous message: David F: "Is there an elegant way to "automatically" print the enumeration values of an enum group?"
- In reply to: Rob Bolton: "Re: Can't get something basic to work (WMI)"
- Next in thread: Rob Bolton: "Re: Can't get something basic to work (WMI)"
- Reply: Rob Bolton: "Re: Can't get something basic to work (WMI)"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 18 Apr 2004 14:01:56 -0700
It's not a matter of becoming a security expert.
Here is one more scenario that may simply work or simply not work
depending on the authentication infrastructure you have in place.
Internet Explorer authenticates against a corporate WEB server
using Windows Integrated Authentication.
The corporate WEB server connects to a Database "as-the-IE-Client"
and retrieves data "on-behalf" of the IE client.
You can clearly see 2 authentication hops: IE -> WEB, WEB -> Database.
The second authentication hop can happen only if:
#1 there is a Kerberos Authentication Authority
#2 the web server is trusted for delegation
#3 the credential of the user can be delegated.
You can reformulate this problem for your scenario:
WbemTest.exe -> WinMgmt; WinMgmt -> RemoteFileServer.
And the very same conditions as before apply.
It's really irrelevant if the transport of the authentication
is HTTP in the first hop in the first example,
SSNET in the second hop (SSNET is the OLEDB protocol).
It's really irrelevant if the transport of the authentication is
RPC-over-TCP in the first hop in the second example,
and CIFS in the second hop in the second example.
Only after you've authenticated you can authorize.
That is, only after you have re-built the identity of the user
on the remote machine you can think about applying
privilege check and access-check.
Unfortunately,
as Euclid answered to Ptolemy, there is no royal way to security.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Rob Bolton" <_nospam@_nospam.com> wrote in message
news:uNcKohXJEHA.3412@TK2MSFTNGP09.phx.gbl...
> I appreciate your on-going help (and everyone else's). My ultimate goal is
> to run a remote 3rd-party (command line) utility that will copy data from a
> DB back to my machine. Before tackling this however, I'm simply trying to
> invoke "xcopy.exe" on the remote box to copy something back to my own
> machine as a test case (to establish the basic technique). I will explore
> what you and everyone else has said in further detail but you can confirm
> this is doable? I've tried coding it as per the link I previously posted
> which appears as if it should work based on my investigation. If it is in
> fact a security issue however (no surprise there), well security is a deep
> subject of course and frequently difficult to unravel. And while I'm
> extremely familiar with the basic Windows security model (security
> descriptors, privileges, etc.), many issues such as this aren't clearly
> documented. So the fact that my test code is running error free yet nothing
> is getting copied (the same code works locally however), well, you can
> understand my frustration (and note that I've been programming on MS
> platforms for 20 years - I shouldn't have to become a security expert to
> figure this out). Thanks again.
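
The three second-hop conditions listed in the message above can be checked against directory data. This is an added example, not code from the thread or from Microsoft: the account names and the LDIF-style export are constructed, the function names are hypothetical, and condition #1 is modelled as "the first hop negotiated Kerberos rather than NTLM".

```python
"""Added example: check the post's three second-hop conditions against
directory data. All account names and values below are constructed."""

# userAccountControl bits documented for Active Directory accounts
UF_TRUSTED_FOR_DELEGATION = 0x80000   # account may delegate callers' credentials
UF_NOT_DELEGATED = 0x100000           # "sensitive and cannot be delegated"

# Constructed LDIF-style export: records separated by a blank line.
SAMPLE_EXPORT = """\
sAMAccountName: WMIHOST$
userAccountControl: 4096

sAMAccountName: WEBSRV$
userAccountControl: 528384

sAMAccountName: rob
userAccountControl: 512

sAMAccountName: admin-sensitive
userAccountControl: 1049088
"""

def parse_uac(export):
    """Map sAMAccountName -> userAccountControl from the export text."""
    accounts = {}
    for record in export.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in record.splitlines())
        accounts[attrs["sAMAccountName"]] = int(attrs["userAccountControl"])
    return accounts

def second_hop_blockers(accounts, user, middle_tier, first_hop_package):
    """Return which of the post's conditions #1-#3 fail for this hop chain."""
    blockers = []
    # #1: modelled as the first hop having negotiated Kerberos (assumption).
    if first_hop_package.lower() != "kerberos":
        blockers.append(1)
    # #2: middle tier (the web server, or the machine hosting WinMgmt).
    if not accounts[middle_tier] & UF_TRUSTED_FOR_DELEGATION:
        blockers.append(2)
    # #3: the user's credential must be delegatable.
    if accounts[user] & UF_NOT_DELEGATED:
        blockers.append(3)
    return blockers

if __name__ == "__main__":
    accts = parse_uac(SAMPLE_EXPORT)
    for user, tier, pkg in [("rob", "WEBSRV$", "Kerberos"),
                            ("rob", "WMIHOST$", "Kerberos"),
                            ("admin-sensitive", "WEBSRV$", "NTLM")]:
        print(user, "->", tier, "fails:", second_hop_blockers(accts, user, tier, pkg))
```

An empty result means none of the three conditions blocks the second hop; authorization on the final server is still a separate check after that.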