Home   Index   About
Ultimate Pack


Custom Search
Impersonation

Impersonation is the ability of a thread to execute in a security context different from the that of the process that owns the thread. Typically, a thread in a server application impersonates a client. This allows the server thread to act on behalf of that client to access objects or validate access to its own objects. For example, when a client in a DDE conversation requests information from a DDE server, the server can impersonate the client so the system can verify that the client is allowed access to the information.

The Win32 API provides several ways for a thread to begin an impersonation:

  • A DDE server application can call the DdeImpersonateClient function to impersonate a client.

  • A named-pipe server can call the ImpersonateNamedPipeClient function.

  • You can call the ImpersonateLoggedOnUser function to impersonate the security context of a specifed user.

  • The ImpersonateSelf function enables a thread to generate a copy of its own access token. This is useful when an application needs to change the security context of a single thread. For example, sometimes only one thread of a process requires a special privilege.

  • You can call the SetThreadToken function to cause the target thread to run in the security context of a specified impersonation token.

In all these cases, the impersonating thread can revert to its own security context by calling the RevertToSelf function.

An RPC server can call the RpcImpersonateClient function to impersonate a client. The RPC server calls RpcRevertToSelf or RpcRevertToSelfEx to restore the security context defined for the server thread.

When a thread is impersonating a user, most actions by the thread are done in the security context of the thread's impersonation token rather than the primary token of the process that owns the thread. For example, an individual thread of a server process can impersonate a client to verify that the client is allowed to access a securable object. However, some actions are always done using the security context of the process. For example, if an impersonating thread calls the CreateProcess function, the new process inherits the primary token of the process rather than the impersonation token of the calling thread. Similarly, the system always uses the primary token of the process to validate actions requiring the SE_TCB_NAME privilege.

To create a new process that runs in the security context of an impersonated user, you can use the DuplicateTokenEx and CreateProcessAsUser functions. In a typical scenario, a server thread impersonates a client by calling one of the impersonation functions, such as the ImpersonateNamedPipeClient function. The impersonating thread then calls the OpenThreadToken function to get its own token, which is an impersonation token that has the security context of the client. The thread then calls DuplicateTokenEx to convert its impersonation token into a primary token. You can then pass this primary token in a call to CreateProcessAsUser. Note that a process created by this method may not have access to the network. This is because Windows NT authentication does not send a password from the client to the server, so the new process does not have the credentials to make a network connection to a third machine.

The LogonUser function provides another method for impersonating a user. If your process has the SE_TCB_NAME privilege, it can specify the authentication credentials of a user in a call to LogonUser. If the logon operation is successful, the function returns a primary access token that represents the specified user. You can use this primary token in a call to CreateProcessAsUser to create a process that runs in the security context of the user. Note that in this case, the new process would have access to the network because you supplied the password in the LogonUser call.

The SECURITY_IMPERSONATION_LEVEL enumeration defines four impersonation levels.

Impersonation Level
Meaning
SecurityAnonymous
Indicates the client does not want the server to obtain identification information about the client.
SecurityIdentification
Allows the server to obtain information about the client, such as security identifiers and privileges, without being able to impersonate the client. This is useful for servers that export their own objects, such as a database product that exports tables and views. Using the retrieved client security information, the server is able to make access-validation decisions for itself even though it is unable to use other services as the client.
SecurityImpersonation
Allows the server to impersonate the client's security context on its local system. The server cannot impersonate the client on remote systems.
SecurityDelegation
Windows NT security does not support this impersonation level.


Last news from Greatis Software

Nostalgia .Net     Nostalgia .Net     .Net is powerful, but not all-powerful, so sometimes we need to use Win32 API for our .Net applications. It's simple enough with Platform Invoke if you have Win32 skill, but we do not always have time to dig the ancient documentation, declare the special types that are compatible with Win32, find the values of the Win32's constants and so on. Nostalgia .Net offers several simple-to-use classes, and components that will allow you to forget about the headache of Win32 and just use the power of Win32 in your application the same way as you use the native. Net classes.  More »
Recommended software for developers

Ultimate Pack for Delphi and C++ Builder     Ultimate Pack     Component pack for Delphi and C++ Builder that contains runtime form designer, runtime object inspector, print suite and much more for the very special price.  More »
Form Designer .Net     Form Designer .Net     Unique runtime form design solution that allows to edit any form in .Net WinForms application at runtime with full source codes for only 300 euro!  More »
Print Suite .Net     Print Suite .Net     Print Suite .Net is a set of components for easy printing texts, images and grids from your WinForms applications. Full C# source codes are available  More »
Gradient Controls .Net     Gradient Controls .Net     Gradient Controls .Net offers controls with gradient background feature. Labels, panels and so on... Full C# source codes are available  More »
iGrid     Greatis iGrid     iGrid plots drawing grid right over your desktop, so you can use it everywhere, with any drawing application without any special plugins for different graphic editors.  More »


All the contacts and projects

Dmitry Vasiliev (just.dmitry)

Related Links

Software for Visual Studio .NET developers
Software for Delphi and C++ Builder developers
Software for Visual Basic 6 developers
Delphi Tips&Tricks
MegaDetailed.NET

More Online Helps

Win32 Programmer's Reference
Win32 Multimedia Programmer's Reference
OLE Programmer's Reference
Microsoft Windows Pen API Programmer's Reference
Microsoft Windows Sockets 2 Reference
Microsoft Windows Telephony API (TAPI) Programmer's Reference
Unix Manual Pages

Free Tech Secrets ;) Copyright © 2008-2012 Free Tech Secrets ;) greatis just4fun network just4fun