Why is "Act as part of the operating system" dangerous?

A

Arturo

Hello everybody:

I have a question: Why is "Act as part of the operating system"
dangerous? I have an application that will go live on Windows 2000,
and it impersonates a user; I have to enable it (it copies some files
in the server and creates a new IIS application on the server. That's
why it needs to impersonate a user) I am using LogonUser.

Thanks!

Arturo
 
J

Joe Kaplan \(MVP - ADSI\)

Act as Part of the Operating System allows the account to do stuff directly
in kernel mode, bypassing the entire Windows security system if it wants to.
Essentially, the account is equivalent to SYSTEM.

Does that answer the question adequately?

Did you consider the possibility of factoring out this code into a seperate
component that could run under COM+ so that you could specify a particular
identity to run as? That would be much more secure? Alternately, moving to
2003 server fixes this problem as well.

Joe K.
 
A

Arturo

Act as Part of the Operating System allows the account to do stuff directly
in kernel mode, bypassing the entire Windows security system if it wants to.
Essentially, the account is equivalent to SYSTEM.

Thanks, Joe. I think I will create a console application and call it.
That's the easyest solution so far. Thanks!

Arturo
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,744
Messages
2,569,484
Members
44,903
Latest member
orderPeak8CBDGummies

Latest Threads

Top