From: Rune Christensen 8397 (RCRUBICON.NO)
Date: Wed Jul 11 2001 - 13:34:12 CDT


    I guess I've confused my terms quite a lot. To sum up:

    What I've seen is that when adding the EVERYONE SID in the list (ACL?) for
    default DCOM access rights, it does not seem like the system logon session
    gets access as supposed - I have to add the SYSTEM SID explicitly.

    E.g: When client holds interface to server the server pings back. It seems
    like this ping, which I presume is done from system logon session, is
    refused and then fails. Stub on server side gets unloaded after the 6-minute
    time-out.

    I'm not sure the problem was the missing SYSTEM SID, but by adding it to
    default DCOM access rights on client side the problem disappeared. (However,
    the problem did not re-appear when removing the SYSTEM SID again... I'm
    positive I did not do any other changes during this test.)

    So I guess my assumption is (hoping I use the correct terms):
    In special circumstances, the system logon session access token contains SID
    for SYSTEM but not for EVERYONE.

    Is it possible to test what SIDs an access token can use?

    Regards,
    Rune Christensen

    -----Original Message-----
    From: Brown, Keith [mailto:KBrownDEVELOP.COM]
    Sent: 11. juli 2001 19:54
    To: DCOMDISCUSS.MICROSOFT.COM
    Subject: Re: System account part of Everyone group

    >>Interestingly Rune doesn't ask about the SYSTEM logon session's token,
    but about the "account".<<

    There is no such thing as the SYSTEM "account". There is no account for
    SYSTEM. SYSTEM is simply the name of the bootstrap logon session for the
    OS (look in winnt.h, you'll see the logon session ID is hardcoded as
    SYSTEM_LUID, or 999).

    >>If I include the SYSTEM SID in a token that I manufacture,<<

    How would you manufacture a token (using documented APIs)? Perhaps by
    calling LsaLogonUser? In this case, Windows will place the Everyone SID
    in the token for you.

    Keith

    ----------------------------------------------------------------
    Users Guide http://msdn.microsoft.com/workshop/essentials/mail.asp
    contains important info. Save time, search the archives at
    http://discuss.microsoft.com/archives/index.html .
    To unsubscribe, mailto:DCOM-signoff-requestDISCUSS.MICROSOFT.COM
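
On the question of testing which SIDs an access token can use: the following PowerShell sketch is an added example, not code from either poster. It lists the user and group SIDs of the identity it runs under and then checks the two well-known SIDs discussed in the thread, Everyone (S-1-1-0) and SYSTEM (S-1-5-18); the function name `Get-TokenSidReport` is hypothetical.

```powershell
# Added example (not from the thread). Get-TokenSidReport is a hypothetical name.
function Get-TokenSidReport {
    param(
        [System.Security.Principal.WindowsIdentity]$Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )

    $principal = New-Object System.Security.Principal.WindowsPrincipal($Identity)

    # Every SID the identity reports: the user SID first, then its group SIDs.
    foreach ($sid in @($Identity.User) + @($Identity.Groups)) {
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<no name mapping>' }   # e.g. SIDs with no account name
        [pscustomobject]@{ Kind = 'TokenSid'; Sid = $sid.Value; Name = $name; Present = $true }
    }

    # The two well-known SIDs from the thread, tested with IsInRole so the
    # answer reflects membership as Windows evaluates it, not a string match.
    $wellKnown = [ordered]@{ 'Everyone' = 'S-1-1-0'; 'SYSTEM' = 'S-1-5-18' }
    foreach ($entry in $wellKnown.GetEnumerator()) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Value)
        [pscustomobject]@{
            Kind    = 'Check'
            Sid     = $sid.Value
            Name    = $entry.Key
            Present = $principal.IsInRole($sid)
        }
    }
}

Get-TokenSidReport | Format-Table -AutoSize
```

The report describes only the identity the script itself runs under, so to inspect the SYSTEM logon session's token it has to be executed by a process in that session.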