On Wed, Aug 4, 2010 at 9:01 PM, Andrew S. Baker <asbz...@gmail.com> wrote: >> "Impersonate a client after authentication" ... do not remove >> the "SERVICE" Special Identity ... > > What would cause them to desire the removal of that functionality?
<snarky> Because "Impersonate" sounds scary. </snarky> In all fairness, many of the details of Windows security are very obscure, poorly-documented, and in some cases, don't actually work. In many cases, the only way to discover the "right" way to do something is by trial and error. That's not what one should expect from an expensive commercial product. In this particular case, Microsoft's official guidance[1] states: "Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. ... Assigning this user right can be a security risk. Only assign this user right to trusted users. ... By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. ... users do not usually need this user right." But where does that leave us in practical terms? Does SERVICE count as a "trusted user"? Plenty of other things in Windows come set to insecure defaults, maybe this is one of them. What I find *really* irritating is that DSS apparently doesn't *test* their ideas before issuing them as recommendations. *They* should do the trial and error part, and not use everybody else as their guinea pigs. Grrr. -- Ben [1] http://technet.microsoft.com/en-us/library/cc787897%28WS.10%29.aspx ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
