|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
token elevationCan I elevate the rights of a delegated user token?
I have a .net service running in LocalSystem context, that is called from a user context program via IPC. The service has a copy of the user token and can impersonate the user when required. My problem is that my service either runs as LocalSystem or as the user; what I really need is to impersonate the user *with the LocalSystem rights included*. Can I in some way add the LocalSystem rights to the delegated user token without adding the user account to the local Administrators group? This could possibly be done by adding the system or administrators sid to the delegated user token (not to the user account itself), but I can't find any class that can do this. Is it in any way possible to do this? You can't do this in .NET, but might be able to do something like this with
the low level token APIs by virtue of the fact that you are running as SYSTEM. Are you sure you want to do this though? The design sounds very strange. Perhaps it would be better to not impersonate the user for the operations that require system and just let system do the work? Joe K. -- Show quoteHide quoteJoe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "Scewbedew" <Scewbe***@discussions.microsoft.com> wrote in message news:F715EEDD-EF34-421E-A131-B0963B4B02F5@microsoft.com... > Can I elevate the rights of a delegated user token? > > I have a .net service running in LocalSystem context, that is called from > a > user context program via IPC. The service has a copy of the user token and > can impersonate the user when required. > > My problem is that my service either runs as LocalSystem or as the user; > what I really need is to impersonate the user *with the LocalSystem rights > included*. Can I in some way add the LocalSystem rights to the delegated > user > token without adding the user account to the local Administrators group? > > This could possibly be done by adding the system or administrators sid to > the delegated user token (not to the user account itself), but I can't > find > any class that can do this. > > Is it in any way possible to do this? My initial intention was to run everything in the SYSTEM context, but ran
into problems when my service required access to network files. My service requires SYSTEM rights and cannot run as NetworkService. I haven't found a way to access the network files using the delegated user token while still running in SYSTEM context locally, but I'd be more than happy to implement such a solution. The idea of elevating the rights of the user token was my final(?) hope of finding a solution to my network access problem. Show quoteHide quote "Joe Kaplan" wrote: > You can't do this in .NET, but might be able to do something like this with > the low level token APIs by virtue of the fact that you are running as > SYSTEM. Are you sure you want to do this though? The design sounds very > strange. Perhaps it would be better to not impersonate the user for the > operations that require system and just let system do the work? > > Joe K. > > -- > Joe Kaplan-MS MVP Directory Services Programming > Co-author of "The .NET Developer's Guide to Directory Services Programming" > http://www.directoryprogramming.net > -- > "Scewbedew" <Scewbe***@discussions.microsoft.com> wrote in message > news:F715EEDD-EF34-421E-A131-B0963B4B02F5@microsoft.com... > > Can I elevate the rights of a delegated user token? > > > > I have a .net service running in LocalSystem context, that is called from > > a > > user context program via IPC. The service has a copy of the user token and > > can impersonate the user when required. > > > > My problem is that my service either runs as LocalSystem or as the user; > > what I really need is to impersonate the user *with the LocalSystem rights > > included*. Can I in some way add the LocalSystem rights to the delegated > > user > > token without adding the user account to the local Administrators group? > > > > This could possibly be done by adding the system or administrators sid to > > the delegated user token (not to the user account itself), but I can't > > find > > any class that can do this. > > > > Is it in any way possible to do this? > > > If you enable Kerberos delegation correctly, you should be able to
impersonate the authenticated user to access the remote network files with the user's security context. You could also do your impersonation programmatically so that some of your operations were conducted with the SYSTEM account. Do you know if you have Kerberos delegation enabled for the machine account? That is the account that delegation will be applied to when the SYSTEM account attempts to access network resources. Joe K. -- Show quoteHide quoteJoe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "Scewbedew" <Scewbe***@discussions.microsoft.com> wrote in message news:A937FD24-0F25-4BA9-A41E-56D2ABDF7316@microsoft.com... > My initial intention was to run everything in the SYSTEM context, but ran > into problems when my service required access to network files. My service > requires SYSTEM rights and cannot run as NetworkService. > > I haven't found a way to access the network files using the delegated user > token while still running in SYSTEM context locally, but I'd be more than > happy to implement such a solution. > > The idea of elevating the rights of the user token was my final(?) hope of > finding a solution to my network access problem. > > "Joe Kaplan" wrote: > >> You can't do this in .NET, but might be able to do something like this >> with >> the low level token APIs by virtue of the fact that you are running as >> SYSTEM. Are you sure you want to do this though? The design sounds very >> strange. Perhaps it would be better to not impersonate the user for the >> operations that require system and just let system do the work? >> >> Joe K. >> >> -- >> Joe Kaplan-MS MVP Directory Services Programming >> Co-author of "The .NET Developer's Guide to Directory Services >> Programming" >> http://www.directoryprogramming.net >> -- >> "Scewbedew" <Scewbe***@discussions.microsoft.com> wrote in message >> news:F715EEDD-EF34-421E-A131-B0963B4B02F5@microsoft.com... >> > Can I elevate the rights of a delegated user token? >> > >> > I have a .net service running in LocalSystem context, that is called >> > from >> > a >> > user context program via IPC. The service has a copy of the user token >> > and >> > can impersonate the user when required. >> > >> > My problem is that my service either runs as LocalSystem or as the >> > user; >> > what I really need is to impersonate the user *with the LocalSystem >> > rights >> > included*. Can I in some way add the LocalSystem rights to the >> > delegated >> > user >> > token without adding the user account to the local Administrators >> > group? >> > >> > This could possibly be done by adding the system or administrators sid >> > to >> > the delegated user token (not to the user account itself), but I can't >> > find >> > any class that can do this. >> > >> > Is it in any way possible to do this? >> >> >> 
Other interesting topics
Impersonating when creating a process from inside a SQL Server Assembly
GetOwner and IdentityNotMappedException SecurityException: Request failed in LoadControl AES with SslStream Recognising user by their Network login Config Info in DMZ Thread.CurrentPrincipal still returns GenericPrincipal Extract Public Key From certificate and RSACryptoServiceProvider Encrypt custom ConfigurationSection in .Net 2.0 Making web services secure |
|||||||||||||||||||||||
