Solved

How to impersonate a user?

Posted on 2001-06-14
12
1,105 Views
Last Modified: 2012-06-22
Hi,
I need to make an application, which would run in the context of a user, whose credentials (username & pass) would be hardcoded in the app. All this work should be done on Win NT.

I tried logonuser () function, but it needs "Act as a part of operating system" right for the user executing the app. The app will be launched by common users and I don't want to assign them this strong right.

Any idea is good.

0
Comment
Question by:untaker
  • 4
  • 3
  • 2
  • +2
12 Comments
 
LVL 1

Expert Comment

by:Kristian
Comment Utility
i think i might have an idea for you, this is not exactly what you want but it might give you some ideas...

the other day i was writing some service apps and service apps all have to run in default user, this means than it is running in a different user profile to the one logged on at the time...

to create the service in the default users profile area ( which is unobtainable by the normal users ) i had to create a registry set of my details for delphi, and then run a task which opened up a dos window ( the run schedule runs tasks in default memory area ) the dos window is then useing a different user to the main user ( NT is quite strict i beleave about users etc).
this meant that i could do work in the default users area , then i had to copy the registry settings i had to this area ( as they are different) and run delphi from this area, this meant that all code was compiled into the defaut users service area.
then log back on to normal user, the service is there running and safe and users cannot do anything to it as its not under there security whatever....

this is only basicly what i did, but the idea ETC came from a delphi mag a couple of months ago.

i know that it wasnt what you wanted but maybe if you cant do what you want maybe you could use a similar method as i did. if you want i will look up the issue number ETC and forward it on..

kris.
0
 

Expert Comment

by:DangerousJohn
Comment Utility
My approach to this would be to have your application in two parts.  The first is an NT Service that you can have started automatically as your pre-defined user with 'Run as part of system' right granted.  Then have a client utility that your users can use to invoke/query whatever your service is doing.  For this to work you need to get into IPC (Inter process communication).

Alternatlivly, (and this is much easier), use the RunAs command line tool(Win2000 only).  To run your app under the guise of a different user than the current logged in user.  If you dont want your users to see the "Runas Admin Password Program.exe" in a batch file, you'll need a starter application with the command line hard coded.

John.
0
 

Author Comment

by:untaker
Comment Utility
>John

Non of your suggestions are good for me.

1. Systems are WinNT 4.0, so runas is of no use
2. I have many clients. I don't want to go to each of them and install a service at their comps. I just want to make an .exe, which i'll put into their logon scripts.
0
 
LVL 1

Expert Comment

by:bnemmers
Comment Utility
Hi,

The SE_TCB_NAME privilege must be assigned to the user that is login to the NT box when they run the application you are writing.
However by assigning this right to a user, it opens a huge security hole and should not be granted. If you assign the right to all users, the call to LogonUser should work.

The best approach is to create a NT service program and let it logon using the local system account. This account has SE_TCB_NAME privilege by default and can do all of the action that you require.

You could install the service program when you install the desktop application.

Also you might reconsider not to hardcode the user credentials. If they decide to change the domain policies or whatever, then you might have to recompile every 45 days to change the user password. The best approach would to encrypt this info in to the registry and provide some dialog to change the account info.

Remark:
"The process that calls LogonUser must have the SE_TCB_NAME privilege. The privilege does not need to be enabled. The LogonUser function enables the privilege as necessary. The function fails if the calling process does not have the SE_TCB_NAME privilege, and GetLastError returns the error code ERROR_PRIVILEGE_NOT_HELD. For more information about privileges, see Privileges."

Regards
Bill.
0
 

Author Comment

by:untaker
Comment Utility
>bnemmers

Sorry, but everything you said had already been written here. In my question I said that I know about the SE_TCB_NAME limitation, and in my comment I said that I don't want to install a service on comps. I just want a one-time-used program, that makes some changes that require administrator privileges, and it will be run from a logonscript.

There must be a way, because there exists a ResKit utility su.exe, that can start a program under different user's credentials.
0
 
LVL 1

Expert Comment

by:Kristian
Comment Utility
have you thought about taking a step back and having a maintenance program of your own that controls your privilages in your software, and have the userlogin name as your operator, then depending on what user is logged in just use those privivales, obviosly keeping the privilages program away from general eyes.
it is a simple approach but if written correctly could be as secure as you want it to be...
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 

Author Comment

by:untaker
Comment Utility
>Kristian

I don't understand very much what you wanted to say...
Please try it again and a little bit easier.. :-))
0
 
LVL 1

Accepted Solution

by:
bnemmers earned 200 total points
Comment Utility
Take a look at the document from Micro$oft. It out lines the only two methods to use

http://support.microsoft.com/support/kb/articles/Q180/5/48.ASP

LogonUser or
Security Support Provider Interface (SSPI)

I never tried SSPI and I don't know if it will provide the acces you need

Also su.exe ver 2.0 required that the user have these rights
   Act as part of the operating system
   Increase Quotas
   Replace a process level token
   Restore files and directories

For Version 2.99, these privileges are no longer required when using SU. In order to support this, you must install a new service-based component used by SU. The service component is encapsulated in the Suss.exe executable file, and this is installed by using the following command at a command prompt:
suss.exe -install

Regards
Bill.
0
 
LVL 1

Expert Comment

by:Kristian
Comment Utility
ok,

well if you create a maintenace program that has a list of your users in
IE
KRITSIAN
UNTAKER

then have a table of privilages available
IE

Access to program 1 section A
  "     "    "    1 Section B
  "     "    "    2 Section A
ETC

then have a bit that allows you to say that
kristian has access to program 1 section A + B
and UNTAKER has access to program 1 sect' A + prog 2 sect A
ETC

then in your program check the current operator and see if (s)he has access to the section you are about to enter.
if not then dont let them...

kris
0
 
LVL 1

Expert Comment

by:Kristian
Comment Utility
just in case untaker im off for 6 days (i cant believe it) now so im affraid i wont know if i was any help to you or not but i will now be un-obtainable so good luck, hope the Previous comment made sence, kris.
0
 
LVL 1

Expert Comment

by:Moondancer
Comment Utility
ADMINISTRATION WILL BE CONTACTING YOU SHORTLY.  Moderators Computer101 or Netminder will return to finalize these if still open in seven days.  Please post closing recommendations before that time.

Question(s) below appears to have been abandoned. Your options are:
 
1. Accept a Comment As Answer (use the button next to the Expert's name).
2. Close the question if the information was not useful to you, but may help others. You must tell the participants why you wish to do this, and allow for Expert response.  This choice will include a refund to you, and will move this question to our PAQ (Previously Asked Question) database.  If you found information outside this question thread, please add it.
3. Ask Community Support to help split points between participating experts, or just comment here with details and we'll respond with the process.
4. Delete the question (if it has no potential value for others).
   --> Post comments for expert of your intention to delete and why
   --> YOU CANNOT DELETE A QUESTION with comments; special handling by a Moderator is required.

For special handling needs, please post a zero point question in the link below and include the URL (question QID/link) that it regards with details.
http://www.experts-exchange.com/jsp/qList.jsp?ta=commspt
 
Please click the Help Desk link on the left for Member Guidelines, Member Agreement and the Question/Answer process for further information, if needed.  http://www.experts-exchange.com/jsp/cmtyHelpDesk.jsp

Click you Member Profile to view your question history and keep them all current with updates as the collaboration effort continues, to track all your open and locked questions at this site.  If you are an EE KnowledgePro user, use the Power Search option to find them.  Anytime you have questions which are LOCKED with a Proposed Answer but does not serve your needs, please reject it and add comments as to why.  In addition, when you do grade the question, if the grade is less than an A, please add a comment as to why.  This helps all involved, as well as future persons who may access this item in the future to seek help.

To view your open questions, please click the following link(s) and keep them all current with updates.
http://www.experts-exchange.com/questions/Q.20109915.html
http://www.experts-exchange.com/questions/Q.20135249.html




**** PLEASE DO NOT AWARD THE POINTS TO ME. *****
 
------------>  EXPERTS:  Please leave your closing recommendations if this item remains inactive another seven (7) days.  If you are interested in the cleanup effort, please click this link http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=commspt&qid=20274643
POINTS FOR EXPERTS awaiting comments are listed here -> http://www.experts-exchange.com/commspt/Q.20277028.html
 

Moderators will finalize this question if still open in 7 days, by either moving this to the PAQ (Previously Asked Questions) at zero points, deleting it or awarding expert(s) when recommendations are made, or an independent determination can be made.  Expert input is always appreciated to determine the fair outcome.
 
Thank you everyone.
 
Moondancer
Moderator @ Experts Exchange
0
 
LVL 1

Expert Comment

by:Moondancer
Comment Utility
Zero response, finalized.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Objective: - This article will help user in how to convert their numeric value become words. How to use 1. You can copy this code in your Unit as function 2. than you can perform your function by type this code The Code   (CODE) The Im…
Creating an auto free TStringList The TStringList is a basic and frequently used object in Delphi. On many occasions, you may want to create a temporary list, process some items in the list and be done with the list. In such cases, you have to…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now