Re: [Full-disclosure] Question for the Windows pros

[Paul Schmehl <pauls@xxxxxxxxxxxx>]

--On Wednesday, January 18, 2006 16:54:38 +0000 Stuart Dunkeld 
<stuartd@xxxxxxxxx> wrote:

> On 18/01/06, Paul Schmehl <pauls@xxxxxxxxxxxx> wrote:
>
> > What are the risks associated with granting Authenticated Users (AD 2003)
> > the Impersonate client after authentication privilege?  I've googled and
> > read endlessly repetitive explanations for what the privilege is (most of
> > them nearly incomprehensible), but I have yet to find anyone who
> > articulates the risks associated with such a change.
>
> "Assigning this privilege to a user allows programs running on behalf
> of that user to impersonate a client. Requiring this user right for
> this kind of impersonation prevents an unauthorized user from
> convincing a client to connect (for example, by remote procedure call
> (RPC) or named pipes) to a service that they have created and then
> impersonating that client, which can elevate the unauthorized user's
> permissions to administrative or system levels." [1]
I can read.  I need to know, from a practical application standpoint, what 
does this mean.  What are the exposures?

Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/