> What I find *really* irritating is that DSS apparently doesn't *test* their ideas before issuing them as recommendations. *They* should do the trial and error part, and not use everybody else as their guinea pigs. Grrr.

+5

ASB (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
Exploiting Technology for Business Advantage...

On Thu, Aug 5, 2010 at 11:38 AM, Ben Scott <mailvor...@gmail.com> wrote:
> On Wed, Aug 4, 2010 at 9:01 PM, Andrew S. Baker <asbz...@gmail.com> wrote:
>> "Impersonate a client after authentication" ... do not remove
>> the "SERVICE" Special Identity ...
>>
>> What would cause them to desire the removal of that functionality?
>
> <snarky> Because "Impersonate" sounds scary. </snarky>
>
> In all fairness, many of the details of Windows security are very
> obscure, poorly-documented, and in some cases, don't actually work.
> In many cases, the only way to discover the "right" way to do
> something is by trial and error. That's not what one should expect
> from an expensive commercial product.
>
> In this particular case, Microsoft's official guidance[1] states:
>
> "Assigning this privilege to a user allows programs running on behalf
> of that user to impersonate a client. ... Assigning this user right
> can be a security risk. Only assign this user right to trusted users.
> ... By default, services that are started by the Service Control
> Manager have the built-in Service group added to their access tokens.
> ... users do not usually need this user right."
>
> But where does that leave us in practical terms? Does SERVICE count
> as a "trusted user"? Plenty of other things in Windows come set to
> insecure defaults, maybe this is one of them.
>
> What I find *really* irritating is that DSS apparently doesn't
> *test* their ideas before issuing them as recommendations. *They*
> should do the trial and error part, and not use everybody else as
> their guinea pigs. Grrr.
>
> -- Ben
>
> [1] http://technet.microsoft.com/en-us/library/cc787897%28WS.10%29.aspx
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
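The thread turns on whether the SERVICE special identity (well-known SID S-1-5-6) is still granted the "Impersonate a client after authentication" user right (SeImpersonatePrivilege) after a hardening template has been applied. The following PowerShell is an added example, not code from either poster or from Microsoft: it parses the `[Privilege Rights]` section of a `secedit /export` file and reports whether SERVICE retains the right, so an admin can verify the policy state before a service that impersonates callers (IIS, SQL Server, RPC servers) starts failing. The function names and the embedded sample export are assumptions constructed for illustration.

```powershell
# Added example (not from the list thread): verify that SeImpersonatePrivilege
# still includes the SERVICE well-known SID (S-1-5-6) in a secedit export.
# Function names and the sample export below are constructed for illustration.

function Get-PrivilegeRightsFromInf {
    param([Parameter(Mandatory)][string[]]$InfLines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        # Section headers look like [Privilege Rights]; only that section matters here.
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        # Entries look like: SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6
        # The leading '*' marks a SID; a bare name would be an account name.
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $sids = $Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ }
            $rights[$name] = @($sids)
        }
    }
    return $rights
}

function Test-ImpersonatePrivilegeHasService {
    param([Parameter(Mandatory)][hashtable]$Rights)
    $sids = $Rights['SeImpersonatePrivilege']
    if (-not $sids) { return $false }      # right assigned to nobody at all
    return ($sids -contains 'S-1-5-6')     # S-1-5-6 = SERVICE special identity
}

# Constructed sample of what `secedit /export /cfg out.inf` emits on a default
# system: Administrators, SERVICE, LOCAL SERVICE and NETWORK SERVICE hold the right.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
SeTcbPrivilege =
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

$rights = Get-PrivilegeRightsFromInf -InfLines $sampleInf
if (Test-ImpersonatePrivilegeHasService -Rights $rights) {
    'OK: SERVICE retains SeImpersonatePrivilege (the Windows default)'
} else {
    'WARNING: SERVICE was removed from SeImpersonatePrivilege; services that impersonate clients may fail'
}

# Against a live machine (run from an elevated prompt):
#   secedit /export /cfg "$env:TEMP\secpol.inf" | Out-Null
#   $live = Get-PrivilegeRightsFromInf -InfLines (Get-Content "$env:TEMP\secpol.inf")
#   Test-ImpersonatePrivilegeHasService -Rights $live
```

Running the check against an export taken before and after applying a DSS-style template makes the difference concrete: if S-1-5-6 disappears from the SeImpersonatePrivilege line, the template has removed the identity the thread says not to remove, and that is the change to revert or document before rolling it out.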