
security and pipes explained

Author
22 Oct 2006 3:46 PM
Markus Humm
Hello,

sorry for posting to more than one group, but I simply don't know
exactly which one would be suited best, since it involves programming
and basic explanation (from a security administration point of view) of
that topic as well.

I'm a win32 developer but new to security related things in Win32.
I've a server and a client application where the server sets up a named
pipe and writes some important value for the client to it if the client
connects.

I've two PCs to test with, one is on our company network, that is within
a domain and has a 2nd network card. The other PC (both XP prof.) is on
a private peer to peer network connected to the 2nd NIC of the first PC.
If he (the 2nd PC) is the server I can connect from the domain member PC
to it with my client. If the domain member is to be the server the other
can't connect. He doesn't see the pipe I think because he can't
authenticate properly or so.

Who can explain this security topic to me in such a detail that I can
understand it? When creating the pipe I can assign either no security
attributes (so it inherits the ones of the app. I think) or I can
specify a NULL security entry which, according to MSDN should give
access to everybody, but that's a lie! I can't connect then as well if
the domain member PC is going to be the server.

It also doesn't work if both, server and client, sit on PCs which belong
to the domain. The non domain member PC is currently configured nearly
as open as I can imagine (allowing nearly all access). I want to be able
to change this, but I fear to break the pipe access then.

Greetings

Markus

Author
22 Oct 2006 4:31 PM
Roger Abell [MVP]
Your application is probably attempting to make an anonymous
connection to the named pipe, and in the domain policies, quite
correctly, disallow these anonymous connections.
There is a policy in the Security Options in group policy that
controls this (you will find these in the Network Access category).
It is pretty standard to disable all anonymous access these days,
so perhaps, if this is your issue, you need to rethink the design of
your application's network communications.

Author
23 Oct 2006 1:15 PM
Arkady Frenkel
Additionally check
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx#EMDAE
about RPC_RESTRICT_REMOTE_CLIENT_NONE

Arkady

Author
24 Oct 2006 7:07 PM
Markus Humm
Roger Abell [MVP] wrote:
> Your application is probably attempting to make an anonymous
> connection to the named pipe, and in the domain policies, quite
> correctly, disallow these anonymous connections.

OK, I assumed something like this already.

> There is a policy in the Security Options in group policy that
> controls this (you will find these in the Network Access category).
> It is pretty standard to disable all anonymous access these days,

Okay.

> so perhaps, if this is your issue, you need to rethink the design of
> your application's network communications.

Maybe yes, but how to make a non-anonymous call to that pipe? Is this
possible? I either didn't yet see any hints to this or I overlooked them
thus far. Could you point me in a good direction?

Greetings

Markus
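
One way a client can open a remote named pipe with an authenticated rather than anonymous identity, as an added example that is not part of the thread: it first logs on to the server's IPC$ share with explicit credentials, then opens the pipe over that session. The server name, pipe name and account are placeholders; it assumes `New-SmbMapping` is available (Windows 8 / Server 2012 or later) and that the pipe's DACL on the server grants the account read access.

```powershell
# Added example. $Server and $PipeName are hypothetical placeholders.
$Server   = 'SERVER01'      # machine that created the pipe
$PipeName = 'demo_pipe'     # name the server passed when creating \\.\pipe\demo_pipe
$Share    = "\\$Server\IPC`$"

# Account that is valid ON THE SERVER: DOMAIN\user for a domain member,
# or SERVER01\user for a local account. A workgroup client's own logon
# is unknown to the server, which is why the connection otherwise falls
# back to an anonymous (null) session that policy rejects.
$Cred = Get-Credential -Message "Account valid on $Server"
$Net  = $Cred.GetNetworkCredential()
$User = if ($Net.Domain) { "$($Net.Domain)\$($Net.UserName)" } else { $Net.UserName }

# Step 1: authenticated SMB session to IPC$. Named pipes are carried over
# this session, so the pipe open below runs under $User's identity.
New-SmbMapping -RemotePath $Share -UserName $User -Password $Net.Password -ErrorAction Stop | Out-Null

$pipe = $null; $reader = $null
try {
    # Step 2: open the pipe read-only and wait up to 5 s for the server.
    $pipe = New-Object System.IO.Pipes.NamedPipeClientStream(
        $Server, $PipeName, [System.IO.Pipes.PipeDirection]::In)
    $pipe.Connect(5000)

    $reader = New-Object System.IO.StreamReader($pipe)
    $value  = $reader.ReadLine()     # server is assumed to write one text line
    "Received from ${Server}: $value"
}
catch [System.UnauthorizedAccessException] {
    # Session authenticated, but the pipe's DACL does not grant this account access.
    Write-Error "Access denied by the pipe's security descriptor for $User"
}
catch [System.TimeoutException] {
    Write-Error "No pipe instance named '$PipeName' became available on $Server"
}
finally {
    if ($reader) { $reader.Dispose() } elseif ($pipe) { $pipe.Dispose() }
    # Drop the session so the credentials are not reused by other processes.
    Remove-SmbMapping -RemotePath $Share -Force -ErrorAction SilentlyContinue
}
```

With this pattern the "Network access" anonymous settings in Security Options can stay locked down, because the server sees a real account it can check against the pipe's DACL.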