Vista / UAC

Jeffrey Altman jaltman at secure-endpoints.com
Mon Mar 5 09:11:32 EST 2007


Tim:

Thank you for confirming that you are seeing the expected behavior.

Jeffrey Altman


Tim Alsop wrote:
> Jeffrey,
>
> I wanted to update you on this, since you have been so helpful when we
> exchanged emails last week.
>
> We found that we were in fact using user accounts which were members of
> local administrator group when testing due to the fact that in Vista
> this can be configured in local user account configuration. We were
> removing Domain Admin group membership from the user in AD and thought
> this was enough, but it wasn't, so our tests were invalid. Somebody had
> added a configuration on our test machines which made the test user a
> member of local administrator group regardless of their domain group
> membership :-).
>
> Now we have configured the permissions properly, when a user is not a
> member of local administrators group they can use our product which gets
> the session key from a service ticket.
>
> I think you agree that the way this works is wrong, since a user who
> gets admin rights should get rights which are a superset of a standard
> user rights, but it seems that when somebody is given administrator
> group membership they gain access to admin functionality, but also lose
> the ability to access session keys in service tickets :-( This does not
> make sense to me. I don't know any administrator security model that
> works like this - normally making somebody an administrator does not
> remove any functionality that is given to a non-administrator.
>
> Thanks again,
> Tim
>
> -----Original Message-----
> From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu] On Behalf
> Of Tim Alsop
> Sent: 01 March 2007 15:29
> To: jaltman at secure-endpoints.com
> Cc: krbdev at mit.edu
> Subject: RE: Vista / UAC
>
> Jeffrey,
>
> Thank you for this. I am pleased this is possible, so we must need to
> change our code somehow to make it work better on Vista. At the moment
> it works well on all other versions of XP, 2k etc. with MS LSA cache,
> even on x64 versions of Windows.
>
> BTW. The issue I described is on Vista x64, so maybe the 64-bit
> involvement is opening up a bug in UAC ? We will check on regular x86
> Vista and see what happens, then look at MIT code to see how our code
> differs.
>
> Cheers,
> Tim
>
> -----Original Message-----
> From: Jeffrey Altman [mailto:jaltman at secure-endpoints.com]
> Sent: 01 March 2007 15:26
> To: Tim Alsop
> Cc: krbdev at mit.edu
> Subject: Re: Vista / UAC
>
> Tim Alsop wrote:
>> Jeffrey,
>>
>> Is UAC enabled on your Vista workstation ?
> Yes.  If I login with an account that is a member of the administrators
> group, UAC is triggered.
>> Perhaps we need to use a different LSA function to get the session
>> key, compared to how we do it in the code which works on XP ? Is the code
>> accessing session key the MIT kerberos library ? Also, I assume that
>> kermit is using the MIT gss on Windows to access credentials so there
>> is nothing in kermit which is special.
> Kermit is using the KFW GSS-API library using the MSLSA: ccache type.
>> Can you also confirm that you are using RC4 keys for service tickets ?
>> We are using RC4 session keys.
>>   
> This particular case is not using RC4-HMAC.  Not that it would make a
> difference.
>
> I can store arbitrary service tickets into the MSLSA: and read them back
> without issue.
>
> Jeffrey Altman
> Secure Endpoints Inc.
>
>
>
>
>
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
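To tell which of the situations the thread compares a test account is really in (standard user, admin account running with the UAC-filtered token, or elevated admin) before exercising session-key retrieval from the MSLSA: cache, here is an added check; it is not code from the thread, KfW or Kermit, and it assumes a Vista-or-later machine where `whoami` and `net` are on the path.

```powershell
# Added example, not from the thread: report the state of the current token
# so a tester knows which case they are exercising before testing MSLSA:
# session-key retrieval.
function Get-UacTokenState {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$identity
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # Effective rights of THIS token. For an admin-group member running a
    # normal (non-elevated) process under UAC this is $false.
    $effectiveAdmin = $principal.IsInRole($adminRole)

    # Static membership as the token carries it. In the filtered token the
    # Administrators SID (S-1-5-32-544) is still present but flagged
    # "Group used for deny only"; that flag separates "admin account, not
    # elevated" from "standard user".
    $adminLine    = (whoami /groups) | Select-String -SimpleMatch 'S-1-5-32-544'
    $inAdminGroup = [bool]$adminLine
    $denyOnly     = $inAdminGroup -and ($adminLine.Line -match 'deny only')

    # Who is actually in the local group? This catches the thread's mistake:
    # a local configuration adding the test account directly, so removing the
    # domain group membership in AD changes nothing.
    $localMembers = (net localgroup Administrators) |
        Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|The command|-+)' }

    $state = if (-not $inAdminGroup) { 'standard user' }
             elseif ($denyOnly)      { 'admin account, filtered (non-elevated) token' }
             else                    { 'admin account, elevated token' }

    [pscustomobject]@{
        User              = $identity.Name
        TokenState        = $state
        EffectiveAdmin    = $effectiveAdmin
        LocalAdminMembers = $localMembers
    }
}

Get-UacTokenState | Format-List
```

Run it once from a plain prompt and once from an elevated prompt with the same account to see the two token states side by side.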