On 18/01/06, Paul Schmehl <[EMAIL PROTECTED]> wrote:
> What are the risks associated with granting Authenticated Users (AD 2003)
> the Impersonate client after authentication privilege? I've googled and
> read endlessly repetitive explanations for what the privilege is (most of
> them nearly incomprehensible), but I have yet to find anyone who
> articulates the risks associated with such a change.

"Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels." [1]

regards
stuartd

[1] http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/fe1fb475-4bc8-484b-9828-a096262b54ca.mspx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
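
An added example, not part of the original thread: a check that reads the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS` template and reports when SeImpersonatePrivilege is held by a group as broad as Authenticated Users. The function names and the sample export are constructed for illustration, and the caller is assumed to have already decoded the exported file to text.

```python
import re

# Well-known SIDs that cover most or all logged-on users.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "Anonymous Logon",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# Domain Users has a domain-relative SID ending in RID 513.
DOMAIN_USERS = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")

def parse_privilege_rights(inf_text):
    """Return {privilege: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        name, _, value = line.partition("=")
        # secedit writes SIDs with a leading '*'; strip it for comparison.
        rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def broad_holders(rights, privilege="SeImpersonatePrivilege"):
    """List (sid, label) pairs for overly broad holders of the privilege."""
    found = []
    for principal in rights.get(privilege, []):
        if principal in BROAD_SIDS:
            found.append((principal, BROAD_SIDS[principal]))
        elif DOMAIN_USERS.match(principal):
            found.append((principal, "Domain Users"))
    return found

# Constructed sample export (not from a real host): the usual service and
# administrator holders plus Authenticated Users (S-1-5-11).
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6,*S-1-5-11
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for sid, label in broad_holders(parse_privilege_rights(SAMPLE)):
        print(f"SeImpersonatePrivilege granted to broad group: {label} ({sid})")
```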