[Full-disclosure] Question for the Windows pros
Paul Schmehl
pauls at utdallas.edu
Wed Jan 18 17:30:49 GMT 2006
--On Wednesday, January 18, 2006 16:54:38 +0000 Stuart Dunkeld
<stuartd at gmail.com> wrote:
> On 18/01/06, Paul Schmehl <pauls at utdallas.edu> wrote:
>
>> What are the risks associated with granting Authenticated Users (AD 2003)
>> the Impersonate client after authentication privilege? I've googled and
>> read endlessly repetitive explanations for what the privilege is (most of
>> them nearly incomprehensible), but I have yet to find anyone who
>> articulates the risks associated with such a change.
>
> "Assigning this privilege to a user allows programs running on behalf
> of that user to impersonate a client. Requiring this user right for
> this kind of impersonation prevents an unauthorized user from
> convincing a client to connect (for example, by remote procedure call
> (RPC) or named pipes) to a service that they have created and then
> impersonating that client, which can elevate the unauthorized user's
> permissions to administrative or system levels." [1]
>
I can read. I need to know, from a practical application standpoint, what
does this mean. What are the exposures?
Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
Full-Disclosure is hosted and sponsored by Secunia.