Impersonation
Impersonation is the ability of a thread to execute in a security context different from
the that of the process that owns the thread. Typically, a thread in a server
application impersonates a client. This allows the server thread to act on behalf
of that client to access objects or validate access to its own objects. For
example, when a client in a DDE conversation requests information from a DDE
server, the server can impersonate the client so the system can verify that the
client is allowed access to the information.
The Win32 API provides several ways for a thread to begin an impersonation:
- A DDE server application can call the DdeImpersonateClient function to impersonate a client.
- A named-pipe server can call the ImpersonateNamedPipeClient function.
- You can call the ImpersonateLoggedOnUser function to impersonate the security context of a specifed user.
- The ImpersonateSelf function enables a thread to generate a copy of its own access token. This is
useful when an application needs to change the security context of a single
thread. For example, sometimes only one thread of a process requires a special
privilege.
- You can call the SetThreadToken function to cause the target thread to run in the security context of a
specified impersonation token.
In all these cases, the impersonating thread can revert to its own security
context by calling the
RevertToSelf function.
An RPC server can call the
RpcImpersonateClient function to impersonate a client. The RPC server calls
RpcRevertToSelf or
RpcRevertToSelfEx to restore the security context defined for the server thread.
When a thread is impersonating a user, most actions by the thread are done in
the security context of the thread's impersonation token rather than the
primary token of the process that owns the thread. For example, an individual thread
of a server process can impersonate a client to verify that the client is
allowed to access a securable object. However, some actions are always done using
the security context of the process. For example, if an impersonating thread
calls the
CreateProcess function, the new process inherits the primary token of the process rather
than the impersonation token of the calling thread. Similarly, the system always
uses the primary token of the process to validate actions requiring the
SE_TCB_NAME privilege.
To create a new process that runs in the security context of an impersonated
user, you can use the
DuplicateTokenEx and
CreateProcessAsUser functions. In a typical scenario, a server thread impersonates a client by
calling one of the impersonation functions, such as the
ImpersonateNamedPipeClient function. The impersonating thread then calls the
OpenThreadToken function to get its own token, which is an impersonation token that has the
security context of the client. The thread then calls
DuplicateTokenEx to convert its impersonation token into a primary token. You can then pass
this primary token in a call to
CreateProcessAsUser. Note that a process created by this method may not have access to the
network. This is because Windows NT authentication does not send a password from the
client to the server, so the new process does not have the credentials to make
a network connection to a third machine.
The
LogonUser function provides another method for impersonating a user. If your process
has the SE_TCB_NAME privilege, it can specify the authentication credentials of a
user in a call to
LogonUser. If the logon operation is successful, the function returns a primary access
token that represents the specified user. You can use this primary token in a
call to
CreateProcessAsUser to create a process that runs in the security context of the user. Note that
in this case, the new process would have access to the network because you
supplied the password in the
LogonUser call.
The
SECURITY_IMPERSONATION_LEVEL enumeration defines four impersonation levels.
Impersonation Level
| Meaning
|
SecurityAnonymous
| Indicates the client does not want the server to obtain identification
information about the client.
|
SecurityIdentification
| Allows the server to obtain information about the client, such as security
identifiers and privileges, without being able to impersonate the client. This is
useful for servers that export their own objects, such as a database product
that exports tables and views. Using the retrieved client security information,
the server is able to make access-validation decisions for itself even though it
is unable to use other services as the client.
|
SecurityImpersonation
| Allows the server to impersonate the client's security context on its local
system. The server cannot impersonate the client on remote systems.
|
SecurityDelegation
| Windows NT security does not support this impersonation level.
|
- Software for developers
-
Delphi Components
.Net Components
Software for Android Developers
- More information resources
-
MegaDetailed.Net
Unix Manual Pages
Delphi Examples
- Databases for Amazon shops developers
-
Amazon Categories Database
Browse Nodes Database
