Question about handles when doing impersonation.

[Ken Varn]

I am using WindowsIdentity.Impersonate() to impersonate using a logon token
acquired from the Win32 LogonUser account.

I was wondering if it is safe to close the LogonUser handle passed to the
WindowsIdentity constructor while the WindowsIdentity object is still in
use, or does the WindowsIdentity object close it when it is destroyed. I am
not quite sure what is done behind the scenes by the WindowsIdentity class
in this respect.





--
-----------------------------------
Ken Varn
Senior Software Engineer
Diebold Inc.

EmailID = varnk
Domain = Diebold.com
-----------------------------------

 

[Dominick Baier [DevelopMentor]]

Hello Ken,

internally WindowsIdentity uses the SafeTokenHandle class to close the handle

the cleanest approach is:

using (WindowsIdentity id = new WindowsIdentity(token))
using (WindowsImpersonationContext wic = id.Impersonate())
{
try
{}
catch
{
// in this scenario catching the exception is extemely important - because
of ExceptionFilter vulnerabilty
}
}

 

[Ken Varn]

Does WindowsIdentity duplicate the handle on construction? I am basically
wondering if I should close the handle that I passed into the
WindowsIdentity constructor after I create the WindowsIdentity object.

--
-----------------------------------
Ken Varn
Senior Software Engineer
Diebold Inc.

EmailID = varnk
Domain = Diebold.com

 

[Dominick Baier [DevelopMentor]]

Hello Ken,

the handle is duplicated in the ctor of WindowsIdentity - that means you
should manually close it by calling win32 CloseHandle.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Does WindowsIdentity duplicate the handle on construction? I am
basically wondering if I should close the handle that I passed into
the WindowsIdentity constructor after I create the WindowsIdentity
object.

EmailID = varnk
Domain = Diebold.com
-----------------------------------
"Dominick Baier [DevelopMentor]"
<[email protected]>
wrote in message

Hello Ken,

internally WindowsIdentity uses the SafeTokenHandle class to close
the
handle

the cleanest approach is:

using (WindowsIdentity id = new WindowsIdentity(token))
using (WindowsImpersonationContext wic = id.Impersonate())
{
try
{}
catch
{
// in this scenario catching the exception is extemely important - because

of ExceptionFilter vulnerabilty
}
}

 

[Joe Kaplan \(MVP - ADSI\)]

Doesn't this depend on your .NET version as well? From what I can tell, in
1.x, WindowsIdentity has a finalizer (but no IDisposable implementation,
which is really weird) which does essentially this:

~WindowsIdentity()
{
if (this.m_userToken != WindowsIdentity.ZeroHandle)
{
WindowsIdentity._CloseHandle(this.m_userToken);
this.m_userToken = WindowsIdentity.ZeroHandle;
}
}There is also a method called by the constructor that takes an IntPtr that
looks like this:

private void CreateFromToken(IntPtr userToken, string type, bool bClose)
{
this.m_type = type;
if (userToken == WindowsIdentity.ZeroHandle)
{
throw new
ArgumentException(Environment.GetResourceString("Argument_TokenZero"));
}
this.m_userToken = WindowsIdentity._DuplicateHandle(userToken,
bClose);
if (this.m_userToken == WindowsIdentity.ZeroHandle)
{
throw new
ArgumentException(Environment.GetResourceString("Argument_InvalidToken"));
}
}As such, it *appears* that WindowsIdentity duplicates the token handle for
you and its finalizer closes that. As such, closing the handle returned
from LogonUser would be a good idea. It would also appear that you can do
that right after the WindowsIdentity is created since it makes its own copy.

I'm not really sure about that though. Anyone else?

Joe K.

 

[Dominick Baier [DevelopMentor]]

Hello Joe,

oops - yeah i looked at the source of 2.0

but in both versions they duplicate the handle - so it is safe and recommended
to close the handle directly after you passed it in the ctor of WindowsIdentity.

the big difference between both implementations is (besides many other features)
that the 2.0 version uses a SafeHandle internally to store the win32 handle.
SafeHandles are a new feature in 2.0 - they ensure proper cleanup (by using
critical finalization) and prevent handle recycling attacks.

 

[Ken Varn]

Thanks! That is what I wanted to confirm.

--
-----------------------------------
Ken Varn
Senior Software Engineer
Diebold Inc.

EmailID = varnk
Domain = Diebold.com
-----------------------------------

Hello Ken,

the handle is duplicated in the ctor of WindowsIdentity - that means you
should manually close it by calling win32 CloseHandle.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Does WindowsIdentity duplicate the handle on construction? I am
basically wondering if I should close the handle that I passed into
the WindowsIdentity constructor after I create the WindowsIdentity
object.

EmailID = varnk
Domain = Diebold.com
-----------------------------------
"Dominick Baier [DevelopMentor]"
<[email protected]>
wrote in message

Hello Ken,

internally WindowsIdentity uses the SafeTokenHandle class to close
the
handle

the cleanest approach is:

using (WindowsIdentity id = new WindowsIdentity(token))
using (WindowsImpersonationContext wic = id.Impersonate())
{
try
{}
catch
{
// in this scenario catching the exception is extemely important - because

of ExceptionFilter vulnerabilty
}
}
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
I am using WindowsIdentity.Impersonate() to impersonate using a
logon token acquired from the Win32 LogonUser account.

I was wondering if it is safe to close the LogonUser handle passed
to the WindowsIdentity constructor while the WindowsIdentity object
is still in use, or does the WindowsIdentity object close it when it
is destroyed. I am not quite sure what is done behind the scenes by
the WindowsIdentity class in this respect.

EmailID = varnk
Domain = Diebold.com
-----------------------------------