.NET Forum / Languages / C# / August 2006

Can someone please describe why impersonation requires the impersonator to be local admin?

Daniel - 31 Aug 2006 18:28 GMT
Can someone please describe why impersonation requires the impersonator to
be local admin?
Willy Denoyette [MVP] - 31 Aug 2006 18:42 GMT
| Can someone please describe why impersonation requires the impersonator to
| be local admin?

Not sure where you get this from, but you can impersonate any valid user
account, provided you have the right privileges to do so.

Willy.
Willy Denoyette [MVP] - 31 Aug 2006 19:25 GMT
|| Can someone please describe why impersonation requires the impersonator to
|| be local admin?
[quoted text clipped - 3 lines]
|
| Willy.

By privilege I mean the "Impersonate after authentication privilege" or
"SeImpersonatePrivilege".
This privilege is by default granted to Administrators and Service accounts
(Localsystem, Local Service, Network Service and optionally Aspnet).
If you need to grant this privilege to other accounts, you can use the "Local
Security Policy" editor or do so in code (using PInvoke), but before doing
so, beware of the security implications: regular user accounts should not be
able to impersonate.

Willy.
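
A diagnostic for the privilege named in the post above, as an added example that is not part of the original thread: it reports whether the token of the current process (or thread, if already impersonating) contains SeImpersonatePrivilege and whether it is enabled. The class and method names are hypothetical; the Win32 calls are `LookupPrivilegeValue` and `GetTokenInformation` from advapi32.dll.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class ImpersonatePrivilegeCheck   // hypothetical name, added example
{
    const int TokenPrivileges = 3;          // TOKEN_INFORMATION_CLASS value
    const uint SE_PRIVILEGE_ENABLED = 0x2;

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        IntPtr buffer, int length, out int needed);

    // A LUID is 8 bytes (low DWORD, high LONG); read here as one little-endian Int64.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out long luid);

    // null = not in the token, false = held but disabled, true = held and enabled.
    static bool? Query(string privilege)
    {
        long wanted;
        if (!LookupPrivilegeValue(null, privilege, out wanted)) throw new Win32Exception();
        // GetCurrent() uses the thread token when impersonating, else the process token.
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            int size;
            GetTokenInformation(id.Token, TokenPrivileges, IntPtr.Zero, 0, out size);
            IntPtr buf = Marshal.AllocHGlobal(size);
            try
            {
                if (!GetTokenInformation(id.Token, TokenPrivileges, buf, size, out size))
                    throw new Win32Exception();
                int count = Marshal.ReadInt32(buf);   // TOKEN_PRIVILEGES.PrivilegeCount
                for (int i = 0; i < count; i++)
                {
                    int offset = 4 + i * 12;          // 12 = sizeof(LUID_AND_ATTRIBUTES)
                    if (Marshal.ReadInt64(buf, offset) != wanted) continue;
                    uint attributes = (uint)Marshal.ReadInt32(buf, offset + 8);
                    return (attributes & SE_PRIVILEGE_ENABLED) != 0;
                }
                return null;
            }
            finally { Marshal.FreeHGlobal(buf); }
        }
    }

    static void Main()
    {
        bool? state = Query("SeImpersonatePrivilege");
        Console.WriteLine("SeImpersonatePrivilege: " +
            (state == null ? "not held" : state.Value ? "held, enabled" : "held, disabled"));
    }
}
```

Running it under the account that hosts the application shows which of the three states applies before any policy change is considered.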
Ignacio Machin ( .NET/ C# MVP ) - 31 Aug 2006 19:08 GMT
Hi,

Impersonation means that the app runs with the permissions of the user
being impersonated.

What would be the use of it if the target user NEEDS to be admin?

I have several web apps that run under this scenario and the users have no
permissions at all in the server (just to an upload dir).

Give more details about your problem.

--
Ignacio Machin,
ignacio.machin AT dot.state.fl.us
Florida Department Of Transportation

> Can someone please describe why impersonation requires the impersonator to
> be local admin?
Ben Voigt - 31 Aug 2006 19:49 GMT
> Hi,
>
> Impersonation means that the app runs with the permissions of the user
> being impersonated.
>
> What would be the use of it if the target user NEEDS to be admin?

Impersonator, i.e. caller, not target user.

This is so you can shed permissions (as a web app), but not gain them.  One
wouldn't want a local untrusted app being able to execute a dictionary
attack at high speed (or generating random authentication cookies to avoid
the audited call to LogonUser) until successful.

'nix has a similar concept, requiring wheel membership to su as root, even
with the password.

> I have several web apps that run under this scenario and the users have
> no permissions at all in the server (just to an upload dir).
[quoted text clipped - 3 lines]
>> Can someone please describe why impersonation requires the impersonator
>> to be local admin?
