>> What I find *really* irritating is that DSS apparently doesn't *test*
their ideas before issuing them as recommendations.  *They* should do the
trial and error part, and not use everybody else as their guinea pigs.
Grrr.

+5



ASB (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
*Exploiting Technology for Business Advantage...*


On Thu, Aug 5, 2010 at 11:38 AM, Ben Scott <mailvor...@gmail.com> wrote:

> On Wed, Aug 4, 2010 at 9:01 PM, Andrew S. Baker <asbz...@gmail.com> wrote:
> >> "Impersonate a client after authentication" ... do not remove
> >> the "SERVICE" Special Identity ...
> >
> > What would cause them to desire the removal of that functionality?
>
>   <snarky> Because "Impersonate" sounds scary. </snarky>
>
>  In all fairness, many of the details of Windows security are very
> obscure, poorly-documented, and in some cases, don't actually work.
> In many cases, the only way to discover the "right" way to do
> something is by trial and error.  That's not what one should expect
> from an expensive commercial product.
>
>  In this particular case, Microsoft's official guidance[1] states:
>
> "Assigning this privilege to a user allows programs running on behalf
> of that user to impersonate a client.  ... Assigning this user right
> can be a security risk. Only assign this user right to trusted users.
> ... By default, services that are started by the Service Control
> Manager have the built-in Service group added to their access tokens.
> ... users do not usually need this user right."
>
>  But where does that leave us in practical terms?  Does SERVICE count
> as a "trusted user"?  Plenty of other things in Windows come set to
> insecure defaults, maybe this is one of them.
>
>  What I find *really* irritating is that DSS apparently doesn't
> *test* their ideas before issuing them as recommendations.  *They*
> should do the trial and error part, and not use everybody else as
> their guinea pigs.  Grrr.
>
> -- Ben
>
> [1] http://technet.microsoft.com/en-us/library/cc787897%28WS.10%29.aspx

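A check for the change discussed in this thread, as an added example that is not part of the original messages: it reads the text of a `secedit /export` policy file and reports whether SERVICE (well-known SID S-1-5-6) still holds `SeImpersonatePrivilege`, the constant behind "Impersonate a client after authentication". The two sample exports, the domain SID in them, and the function names are constructed for illustration.

```python
# Added example: audit SeImpersonatePrivilege in the text of a secedit export.
# Real exports are usually UTF-16; read them with open(path, encoding="utf-16").
DEFAULT_HOLDERS = {  # documented default assignees, keyed by well-known SID
    "S-1-5-6": "SERVICE",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
    "S-1-5-32-544": "Administrators",
}
KNOWN = set(DEFAULT_HOLDERS) | {n.upper() for n in DEFAULT_HOLDERS.values()}
RIGHT = "SeImpersonatePrivilege"

def privilege_rights(inf_text):
    """Return {right: [holders]} parsed from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written as *S-1-...; entries without * are account names
            rights[name.strip()] = [v.strip().lstrip("*")
                                    for v in value.split(",") if v.strip()]
    return rights

def audit_impersonate(inf_text):
    """Report whether SERVICE holds the right and who else does beyond defaults."""
    holders = privilege_rights(inf_text).get(RIGHT, [])  # no line: nobody holds it
    return {
        "service_present": any(h.upper() in ("S-1-5-6", "SERVICE") for h in holders),
        "non_default": [h for h in holders if h.upper() not in KNOWN],
    }

# Constructed sample exports (not taken from any real system).
STOCK = """[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeBackupPrivilege = *S-1-5-32-544
"""
HARDENED = """[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
"""

if __name__ == "__main__":
    for label, text in (("stock", STOCK), ("hardened", HARDENED)):
        print(label, audit_impersonate(text))
```

Running it against an export taken before and after applying a hardening template shows whether the template dropped SERVICE from the right, before services start failing in production.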