Message-ID: <059EBDA117FFB8D680E2C5BB@utd59514.utdallas.edu>
Date: Wed Jan 18 17:30:57 2006
From: pauls at utdallas.edu (Paul Schmehl)
Subject: Question for the Windows pros
--On Wednesday, January 18, 2006 16:54:38 +0000 Stuart Dunkeld
<stuartd@...il.com> wrote:
> On 18/01/06, Paul Schmehl <pauls@...allas.edu> wrote:
>
>> What are the risks associated with granting Authenticated Users (AD 2003)
>> the Impersonate client after authentication privilege? I've googled and
>> read endlessly repetitive explanations for what the privilege is (most of
>> them nearly incomprehensible), but I have yet to find anyone who
>> articulates the risks associated with such a change.
>
> "Assigning this privilege to a user allows programs running on behalf
> of that user to impersonate a client. Requiring this user right for
> this kind of impersonation prevents an unauthorized user from
> convincing a client to connect (for example, by remote procedure call
> (RPC) or named pipes) to a service that they have created and then
> impersonating that client, which can elevate the unauthorized user's
> permissions to administrative or system levels." [1]
>
I can read. I need to know, from a practical application standpoint, what
does this mean. What are the exposures?
Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
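
As an added example (not part of the original message or thread): one way to check whether a host's user-rights assignment grants the privilege under discussion to a broad group such as Authenticated Users. It parses the text of a `secedit /export /cfg` file; the sample export, the `svc_web` account name and the baseline SID set are assumptions constructed for illustration.

```python
# Added example: audit a secedit export for broad grants of
# SeImpersonatePrivilege ("Impersonate a client after authentication").
import configparser

# Well-known SIDs for groups that cover most or all logged-on users.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# Assumed baseline for this example: Administrators, SERVICE,
# LOCAL SERVICE, NETWORK SERVICE. Adjust to your own policy.
BASELINE = {"S-1-5-32-544", "S-1-5-6", "S-1-5-19", "S-1-5-20"}

# Constructed sample export (not from a real host). Real exports are
# usually UTF-16; read them with open(path, encoding="utf-16").
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-11,svc_web
[Version]
signature="$CHICAGO$"
Revision=1
"""

def audit_impersonate(inf_text, right="SeImpersonatePrivilege"):
    """Return (broad, unexpected) holders of `right` in a secedit export."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep privilege names exactly as written
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        raise ValueError("no [Privilege Rights] section in export")
    raw = cp.get("Privilege Rights", right, fallback="")
    # SIDs are written with a leading '*'; plain account names are not.
    holders = [h.strip().lstrip("*") for h in raw.split(",") if h.strip()]
    broad = [(h, BROAD_SIDS[h]) for h in holders if h in BROAD_SIDS]
    unexpected = [h for h in holders
                  if h not in BASELINE and h not in BROAD_SIDS]
    return broad, unexpected

if __name__ == "__main__":
    print(audit_impersonate(SAMPLE_INF))
```

Any entry in the first list means every account in that group can run code that impersonates clients connecting to it; entries in the second list are individual grants to review against policy.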