
Multi-Domain Authentication for Windows Services

Author
7 Jun 2005 5:54 PM
Jerry
I've written a Windows Service in .NET that performs Administrative tasks on
remote systems.  The service runs under credentials that have domain admin
rights on the DEV domain.

A client (who does not have trusts established between domains) has
requested that I install my service in their environment with one catch: it
should perform its tasks across systems in 20 domains from the same central
server.

Aside from re-writing the code to allow 20 different services to run
side-by-side on my server, does anyone have tips on how I could accomplish
this multi-domain approach without compromising security?  I realize that it
would probably be relatively straightforward to launch new threads under
various credentials -- but that would require that I actually store 20
different usernames & passwords somewhere.  I could encrypt the credentials
with DPAPI or AES, but I would prefer to leave credential management to
Windows, if at all possible.

Author
7 Jun 2005 6:16 PM
Dominick Baier [DevelopMentor]
Hello Jerry,

Run your service under an account that has the needed privs in all 20 domains
(I assume there is a trust path between all domains).

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Author
7 Jun 2005 6:54 PM
Jerry
I'm told that I cannot rely on there being a trust path between any of the
domains, let alone all 20.  In my opinion this design & approach is nuts, but
the client is demanding it...

Author
7 Jun 2005 7:58 PM
Dominick Baier [DevelopMentor]
Hello Jerry,

OK - so if you have to do that - store the usernames/passwords in a data store
and encrypt them with DPAPI [1] - then use LogonUser, impersonate the
user, and perform the admin functions in the impersonated context (be aware
that impersonation tokens are not copied to spawned threads in 1.1 - if you
consider this design).

[1] http://www.leastprivilege.com/PermaLink.aspx?guid=ebd9956e-a36c-4b57-8d58-6ff79a60e43f
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

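A sketch of the DPAPI-protect / LogonUser / impersonate sequence Dominick describes, added here as an example and not code from the thread. It assumes .NET 2.0 or later (for ProtectedData) and a hypothetical CrossDomainRunner class; it goes one step beyond the post by using the LOGON32_LOGON_NEW_CREDENTIALS logon type, which applies the stored credentials to outbound network authentication only, so the central server does not have to validate an account from an untrusted domain (the trust problem raised later in the thread).

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Cryptography;   // ProtectedData: reference System.Security.dll
using System.Security.Principal;
using System.Text;

// Added example, not code from the thread. Assumes .NET 2.0 or later.
public delegate void AdminTask();

public static class CrossDomainRunner
{
    // NEW_CREDENTIALS clones the caller's token and uses the supplied credentials only
    // for outbound network connections, so the local box never validates the account.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // DPAPI-protect a password before it goes into the data store. CurrentUser scope
    // ties it to the service account's profile on this machine.
    public static byte[] ProtectPassword(string password)
    {
        return ProtectedData.Protect(Encoding.UTF8.GetBytes(password), null,
                                     DataProtectionScope.CurrentUser);
    }

    // Unprotect, log on, and run 'task' on THIS thread under impersonation. On .NET 1.1
    // the impersonation token does not flow to threads spawned inside 'task'.
    public static void RunAs(string domain, string user, byte[] protectedPassword, AdminTask task)
    {
        byte[] plain = ProtectedData.Unprotect(protectedPassword, null, DataProtectionScope.CurrentUser);
        string password = Encoding.UTF8.GetString(plain);
        Array.Clear(plain, 0, plain.Length);   // shorten the plaintext's lifetime in memory
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            using (WindowsImpersonationContext ctx = new WindowsIdentity(token).Impersonate())
                task();   // e.g. WMI or ServiceController calls against hosts in 'domain'
        }
        finally { CloseHandle(token); }
    }
}
```

The service remains a single high-value target holding 20 sets of admin credentials; DPAPI only protects them at rest on that one machine, which is the risk the thread keeps coming back to.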
Author
8 Jun 2005 3:28 AM
Joe Kaplan (MVP - ADSI)
Isn't he going to have an issue with calling LogonUser to impersonate if the
trusts aren't in place in the first place?  It would seem like it would be
impossible to run this all on one server if it is impossible to log on to
the box with the other domain's credentials in the first place.

I actually like Dominick's first suggestion best (use an account from one
domain with the correct permissions in the other domains), but if that won't
work, the other approach sounds questionable too.

Joe K.

Author
8 Jun 2005 8:14 AM
Dominick Baier [DevelopMentor]
Hello Joe,

Well - if he has mirrored local accounts for all domain admins - yeah - from
whichever angle you look at it - the solution sucks....

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Author
7 Jun 2005 6:19 PM
Dominick Baier [DevelopMentor]
Hello Jerry,

additionally:

This is still a security risk - the service would then be *extremely* powerful.
If this is a requirement, better make sure you really have robust code and
rock-solid authorization/authentication.

But you would not have to do any password management.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
