Impersonation/Delegation security considerations

Discussion in 'ASP .Net Security' started by Rich, Aug 25, 2003.

  1. Rich

    Rich Guest

    I'm having trouble finding specific documentation
    regarding the negative impact of using delegation in a
    Windows 2000 environment. I've read through numerous
    articles on using it, but if I do find anything that
    cautions the use of it, it reads like the following:

    Important:Delegation is a very powerful feature and is
    unconstrained on Windows 2000. It should be used with
    caution. Computers that are configured to support
    delegation should be under controlled access to prevent
    misuse of this feature.

    Our Network/Server side of the house does not want to
    implement delegation without knowing the immediate and
    potential security risks, and how to guard against them.
     
    Rich, Aug 25, 2003
    #1
    1. Advertising

  2. Rich

    Alek Davis Guest

    Hi Rich,

    Our AD/network guys illustrated a potential security issue using the
    following example. By the way, I assume that by delegation you mean passing
    user's credential from one machine to the other, which would allow a Web
    application running on machine A to connect to a SQL server running on
    machine B using integrated Windows authentication with credentials
    (actually, authentication token or Kerberos ticket) of a remote user
    accessing the site from machine C. Without delegation, a Web application can
    only pass user's credentials to a SQL Server running on the same machine.
    So, let's say that I am an internal hacker and I would like to connect to
    some secure database using credentials of the company's CEO (CIO, or
    whatever). If delegation is enabled on my network, what I can do is:

    (1) Create a fake internal Web site.
    (2) Send an HTML e-mail (or regular e-mail with a link) pointing to my fake
    Web site to the CEO (CIO, or whatever).
    (3) In the code-behind logic, use caller's credentials (Kerberos ticket) to
    connect to the database and do whatever I want on behalf of the user.

    The main danger in this scenario is that the user will never know what have
    happened. Without delegation, this risk is eliminated because my fake Web
    site would not be able to propagate user's credentials to the remote SQL
    Server unless I use basic authentication for the Web site, which is also a
    risk, but at least it will be visible to the user that some security-related
    operation is happening.

    Alek

    "Rich" <> wrote in message
    news:008601c36b20$50fc8dc0$...
    > I'm having trouble finding specific documentation
    > regarding the negative impact of using delegation in a
    > Windows 2000 environment. I've read through numerous
    > articles on using it, but if I do find anything that
    > cautions the use of it, it reads like the following:
    >
    > Important:Delegation is a very powerful feature and is
    > unconstrained on Windows 2000. It should be used with
    > caution. Computers that are configured to support
    > delegation should be under controlled access to prevent
    > misuse of this feature.
    >
    > Our Network/Server side of the house does not want to
    > implement delegation without knowing the immediate and
    > potential security risks, and how to guard against them.
     
    Alek Davis, Aug 26, 2003
    #2
    1. Advertising

  3. Rich

    Rich Guest

    Hi Alek,

    Your assumption and illustration of machines A, B, and C
    was 100% correct. Thank you very much for the internal
    security risk example. I will forward this info on to our
    network folks.

    >-----Original Message-----
    >Hi Rich,
    >
    >Our AD/network guys illustrated a potential security

    issue using the
    >following example. By the way, I assume that by

    delegation you mean passing
    >user's credential from one machine to the other, which

    would allow a Web
    >application running on machine A to connect to a SQL

    server running on
    >machine B using integrated Windows authentication with

    credentials
    >(actually, authentication token or Kerberos ticket) of a

    remote user
    >accessing the site from machine C. Without delegation, a

    Web application can
    >only pass user's credentials to a SQL Server running on

    the same machine.
    >So, let's say that I am an internal hacker and I would

    like to connect to
    >some secure database using credentials of the company's

    CEO (CIO, or
    >whatever). If delegation is enabled on my network, what I

    can do is:
    >
    >(1) Create a fake internal Web site.
    >(2) Send an HTML e-mail (or regular e-mail with a link)

    pointing to my fake
    >Web site to the CEO (CIO, or whatever).
    >(3) In the code-behind logic, use caller's credentials

    (Kerberos ticket) to
    >connect to the database and do whatever I want on behalf

    of the user.
    >
    >The main danger in this scenario is that the user will

    never know what have
    >happened. Without delegation, this risk is eliminated

    because my fake Web
    >site would not be able to propagate user's credentials to

    the remote SQL
    >Server unless I use basic authentication for the Web

    site, which is also a
    >risk, but at least it will be visible to the user that

    some security-related
    >operation is happening.
    >
    >Alek
    >
    >"Rich" <> wrote in message
    >news:008601c36b20$50fc8dc0$...
    >> I'm having trouble finding specific documentation
    >> regarding the negative impact of using delegation in a
    >> Windows 2000 environment. I've read through numerous
    >> articles on using it, but if I do find anything that
    >> cautions the use of it, it reads like the following:
    >>
    >> Important:Delegation is a very powerful feature and is
    >> unconstrained on Windows 2000. It should be used with
    >> caution. Computers that are configured to support
    >> delegation should be under controlled access to prevent
    >> misuse of this feature.
    >>
    >> Our Network/Server side of the house does not want to
    >> implement delegation without knowing the immediate and
    >> potential security risks, and how to guard against them.

    >
    >
    >.
    >
     
    Rich, Aug 27, 2003
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Kelly D. Jones

    Problem with impersonation and delegation

    Kelly D. Jones, Sep 4, 2003, in forum: ASP .Net
    Replies:
    1
    Views:
    1,832
  2. Jerry

    I/O and Security Considerations

    Jerry, Dec 22, 2004, in forum: ASP .Net
    Replies:
    1
    Views:
    344
    bruce barker
    Dec 22, 2004
  3. Mantorok

    Security Considerations

    Mantorok, Apr 13, 2006, in forum: ASP .Net
    Replies:
    0
    Views:
    344
    Mantorok
    Apr 13, 2006
  4. Sam Roberts
    Replies:
    4
    Views:
    322
    Sam Roberts
    May 7, 2008
  5. Sj Tib
    Replies:
    3
    Views:
    269
    Richard Conroy
    Sep 16, 2009
Loading...

Share This Page