Vista / UAC

Tim Alsop Tim.Alsop at CyberSafe.Com
Mon Mar 5 05:13:55 EST 2007


Jeffrey,

I wanted to update you on this, since you have been so helpful when we
exchanged emails last week.

We found that we were in fact using user accounts which were members of
the local administrator group when testing, due to the fact that in Vista
this can be configured in the local user account configuration. We were
removing Domain Admin group membership from the user in AD and thought
this was enough, but it wasn't, so our tests were invalid. Somebody had
added a configuration on our test machines which made the test user a
member of the local administrator group regardless of their domain group
membership :-).

Now that we have configured the permissions properly, when a user is not a
member of the local administrators group they can use our product, which gets
the session key from a service ticket.

I think you agree that the way this works is wrong, since a user who
gets admin rights should get rights which are a superset of a standard
user's rights, but it seems that when somebody is given administrator
group membership they gain access to admin functionality, but also lose
the ability to access session keys in service tickets :-( This does not
make sense to me. I don't know any administrator security model that
works like this - normally making somebody an administrator does not
remove any functionality that is given to a non-administrator.

Thanks again,
Tim
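The two things Tim's message turns on are checkable directly on the test machine: who is in the local Administrators group (and whether they got there from a domain group or from a direct local entry), and whether the current process is running under UAC's filtered token or a full administrator token. The PowerShell below is an added diagnostic for exactly that; it is not code from the thread or from CyberSafe's product. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember) and relies on the real `whoami /groups` output, in which UAC marks the Administrators group as "used for deny only" in a filtered token.

```powershell
# Added example, not part of the krbdev thread. Assumes Windows PowerShell 5.1+
# for Get-LocalGroupMember; whoami and the .NET principal classes ship with Windows.

function Get-LocalAdminSources {
    # Every principal in BUILTIN\Administrators and where it comes from.
    # A domain user listed here with PrincipalSource = ActiveDirectory but
    # added directly (not via a domain group) keeps local admin rights even
    # after Domain Admins membership is removed in AD, which is the trap
    # described in the message above.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Test-UacTokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity

    # IsInRole reflects the *effective* token: a member of Administrators
    # running a non-elevated process under UAC gets $false here.
    $elevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists every group SID in the token with its attributes. When UAC
    # has filtered the token, BUILTIN\Administrators (S-1-5-32-544) is still
    # present but flagged "Group used for deny only".
    $adminsRow = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $denyOnly = ($null -ne $adminsRow) -and ($adminsRow.Attributes -match 'deny only')

    [pscustomobject]@{
        User             = $identity.Name
        InAdministrators = ($null -ne $adminsRow)
        TokenElevated    = $elevated
        UacFilteredToken = [bool]$denyOnly
    }
}

# Usage: run as the test user. A "valid" non-admin test run should show
# InAdministrators = False; an admin user in a non-elevated shell shows
# InAdministrators = True, TokenElevated = False, UacFilteredToken = True.
Get-LocalAdminSources | Format-Table -AutoSize
Test-UacTokenState
```

Running this before each test run makes the difference between "domain group removed" and "not a local administrator at all" visible, and the token state tells you which of the two behaviours Tim observed (standard user versus filtered administrator) a given process is actually exercising.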

-----Original Message-----
From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu] On Behalf
Of Tim Alsop
Sent: 01 March 2007 15:29
To: jaltman at secure-endpoints.com
Cc: krbdev at mit.edu
Subject: RE: Vista / UAC

Jeffrey,

Thank you for this. I am pleased this is possible, so we must need to
change our code somehow to make it work better on Vista. At the moment
it works well on all other versions of Windows, XP, 2k etc., with the MS LSA cache,
even on x64 versions of Windows.

BTW, the issue I described is on Vista x64, so maybe the 64-bit
involvement is opening up a bug in UAC? We will check on regular x86
Vista and see what happens, then look at the MIT code to see how our code
differs.

Cheers,
Tim 

-----Original Message-----
From: Jeffrey Altman [mailto:jaltman at secure-endpoints.com] 
Sent: 01 March 2007 15:26
To: Tim Alsop
Cc: krbdev at mit.edu
Subject: Re: Vista / UAC

Tim Alsop wrote:
> Jeffrey,
>
> Is UAC enabled on your Vista workstation ?
Yes.  If I login with an account that is a member of the administrators
group, UAC is triggered.
> Perhaps we need to use a different LSA function to get the session key,
> compared to how we do it in the code which works on XP ? Is the code
> accessing session key the MIT kerberos library ? Also, I assume that
> kermit is using the MIT gss on Windows to access credentials so there is
> nothing in kermit which is special.
Kermit is using the KFW GSS-API library using the MSLSA: ccache type.
> Can you also confirm that you are using RC4 keys for service tickets ?
> We are using RC4 session keys.
This particular case is not using RC4-HMAC.  Not that it would make a
difference.

I can store arbitrary service tickets into the MSLSA: and read them back
without issue.

Jeffrey Altman
Secure Endpoints Inc.
