This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
A server application may need to present a client's identity to resources it accesses on the client's behalf, usually to cause access checks or authentication to be performed against the client's identity. To a certain extent, the server can act under the client's identity—an action referred to as impersonating the client.
[Impersonation] is the ability of a thread to execute in a security context different from that of the process owning the thread. The server thread uses an [Access Token] representing the client's [credentials], and with this, it can access [resources] that the [client] can access.
Using [impersonation] ensures that the server can do precisely what the client can do. Access to [resources] may be either restricted or expanded, depending on what the client has [permission] to do.
You might choose to have a server [impersonate|Impersonation] a client when connecting to a database so that the database can authenticate and authorize the client for itself. Similarly, if your [application] accesses files that are protected with a [Security Descriptor], the [application] can impersonate the client before accessing the files, so that the client obtains exactly the access those files authorize and nothing more.
If [impersonation] succeeds, it means that the client has agreed to let the server impersonate it to some degree. The varying degrees of impersonation are called [{$pagename}]; they indicate how much authority the server is given when it impersonates the client.
There are four [{$pagename}]. In the RPC and COM APIs they are selected with the RPC_C_IMP_LEVEL_* constants; the corresponding values of the Win32 SECURITY_IMPERSONATION_LEVEL enumeration are SecurityAnonymous, SecurityIdentification, SecurityImpersonation and SecurityDelegation. Each level is briefly described below:
!! [anonymous] (RPC_C_IMP_LEVEL_ANONYMOUS)
The [client] is [anonymous] to the [server]. The server process can impersonate the client, but the [Impersonation Token] does not contain any information about the client. This level is only supported over the local [Inter-Process Communication] transport; all other transports silently promote this level to [Identification], so a client that relies on anonymity over a network transport is in fact identified to the server. (displayed as "Anonymous" with [Windows Event Log])
!! [Identification] (RPC_C_IMP_LEVEL_IDENTIFY)
The system default level. The [server] can obtain the client's [identity|Digital Identity] and [privileges], for example to perform its own access checks, but it cannot [impersonate|Impersonation] the client to access resources. (displayed as "[Identification]" with [Windows Event Log])
!! [Impersonation] (RPC_C_IMP_LEVEL_IMPERSONATE)
The server can impersonate the client's security context while acting on behalf of the client. The server can access local resources as the client. If the server is local, it can also access network resources as the client. If the server is remote, it can access only resources that are on the same computer as the server; the token it holds cannot be used for a further network hop, which is the restriction that [Delegation] removes. (displayed as "[Impersonation]" with [Windows Event Log])
!! [Delegation] (RPC_C_IMP_LEVEL_DELEGATE)
The most powerful [{$pagename}]. When this level is selected, the [server] (whether local or remote) can impersonate the client's security [context] while acting on behalf of the client. During [impersonation], the client's [credentials] (both local and network) can be passed to any number of computers. (displayed as "[Delegation]" with [Windows Event Log])
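Because each level is recorded in the "Impersonation Level" field of Security event 4624, the level distribution on a host can be reviewed from the event log. The following script is an added example and is not taken from the referenced Microsoft pages; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, an elevated session (the Security log requires administrative rights to read), and that logon auditing is enabled. It tallies successful logons by level and lists the Delegation-level ones, since those are the logons whose credentials can be reused from this host for further network hops.

```powershell
# Added example (not from the referenced Microsoft pages): tally the Impersonation Level
# recorded in Security event 4624 and flag Delegation-level logons.
# Assumes an elevated Windows PowerShell 5.1 / PowerShell 7 session and logon auditing enabled.
param(
    [int]$MaxEvents = 5000,
    [datetime]$Since = (Get-Date).AddDays(-1)
)

# The four levels as they appear in the 4624 "Impersonation Level" field.
$levelOrder = @('Anonymous', 'Identification', 'Impersonation', 'Delegation')

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop

$parsed = foreach ($e in $events) {
    # Parse the rendered message for the level rather than relying on raw %%nnnn placeholder codes.
    $level = if ($e.Message -match 'Impersonation Level:\s+(\w+)') { $Matches[1] } else { 'Unknown' }
    $logonType = if ($e.Message -match 'Logon Type:\s+(\d+)') { [int]$Matches[1] } else { -1 }

    # Account, source and process come from the structured EventData fields.
    $xml = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Level     = $level
        LogonType = $logonType
        Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Source    = $data['IpAddress']
        Process   = $data['ProcessName']
    }
}

"Successful logons since $Since by impersonation level:"
$parsed | Group-Object Level |
    Sort-Object { [array]::IndexOf($levelOrder, $_.Name) } |
    Format-Table Name, Count -AutoSize

# Delegation-level logons mean the client's credentials are reusable from this host for
# further network hops, so they deserve a second look, especially when the account or
# source is unexpected for the logon type (2 = interactive, 3 = network, 10 = RDP).
"Delegation-level logons:"
$parsed | Where-Object Level -eq 'Delegation' |
    Sort-Object Time -Descending |
    Format-Table Time, Account, LogonType, Source, Process -AutoSize

# The same enumeration is exposed to managed code. A plain PowerShell session normally
# reports 'None' here because it runs under a primary token, not an impersonation token.
"Current token level: $([System.Security.Principal.WindowsIdentity]::GetCurrent().ImpersonationLevel)"
```

Parsing the rendered Message is deliberate: the raw EventData field holds a localized-string placeholder, whereas the rendered text carries the same four names the page lists.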
For [{$pagename}] at the [delegation] level, the following requirements must be met:
* The [client] must set the [{$pagename}] to RPC_C_IMP_LEVEL_DELEGATE.
* The [client] account must not be marked "Account is sensitive and cannot be delegated" in the [Microsoft Active Directory].
* The [server] account must be marked with the "[Trusted for delegation|TRUSTED_FOR_DELEGATION]" attribute in the [Microsoft Active Directory].
* The computers hosting the [client], the [server], and any "downstream" servers must all be in an [AD DOMAIN].
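The four requirements above can be checked from the client before attempting a delegated call, and the call itself shows where the client sets the level. The following script is an added example, not code from the referenced Microsoft pages. It assumes Windows PowerShell 5.1 (Get-WmiObject and Invoke-WmiMethod were removed from PowerShell 7), the RSAT ActiveDirectory module, a domain-joined client, and the hypothetical names: client user alice, server APP01 and downstream file server FS01. The final command also illustrates the difference from the [Impersonation] level described earlier: the process created on APP01 runs as alice and, at the Delegate level, can reach FS01, whereas at the Impersonate level the same access to FS01 fails.

```powershell
# Added example (not from the referenced Microsoft pages): verify the delegation
# prerequisites listed above, then issue a client call at the Delegate level.
# Assumptions: Windows PowerShell 5.1, RSAT ActiveDirectory module, domain-joined client,
# and hypothetical names: user 'alice', server 'APP01', downstream file server 'FS01'.
Import-Module ActiveDirectory -ErrorAction Stop

# userAccountControl bits (ADS_USER_FLAG_ENUM).
$UF_TRUSTED_FOR_DELEGATION = 0x80000   # "Trusted for delegation" on the server account
$UF_NOT_DELEGATED          = 0x100000  # "Account is sensitive and cannot be delegated"

function Test-DelegationPrerequisites {
    param(
        [Parameter(Mandatory)][string]$ClientSam,
        [Parameter(Mandatory)][string]$ServerName,
        [string[]]$DownstreamServers = @()
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # The client computer itself must be a domain member.
    if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        $problems.Add('This client computer is not joined to a domain.')
    }

    # Client account must not be marked "Account is sensitive and cannot be delegated".
    $client = Get-ADUser -Identity $ClientSam -Properties userAccountControl
    if ($client.userAccountControl -band $UF_NOT_DELEGATED) {
        $problems.Add("User $ClientSam is marked 'Account is sensitive and cannot be delegated'.")
    }

    # Server computer account must be marked "Trusted for delegation".
    $server = Get-ADComputer -Identity $ServerName -Properties userAccountControl
    if (-not ($server.userAccountControl -band $UF_TRUSTED_FOR_DELEGATION)) {
        $problems.Add("Server $ServerName is not marked 'Trusted for delegation'.")
    }

    # Every downstream hop must also have a computer account in the domain.
    foreach ($hop in $DownstreamServers) {
        if (-not (Get-ADComputer -Filter "Name -eq '$hop'")) {
            $problems.Add("$hop has no computer account in this domain.")
        }
    }

    [pscustomobject]@{
        Ok       = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

$check = Test-DelegationPrerequisites -ClientSam 'alice' -ServerName 'APP01' -DownstreamServers 'FS01'
if (-not $check.Ok) {
    $check.Problems | ForEach-Object { Write-Warning $_ }
    return
}

# The client sets the level on its proxy; for the WMI cmdlets that is -Impersonation.
# At Delegate, APP01 can forward alice's credentials to FS01, so the process it creates
# can read \\FS01\share. With -Impersonation Impersonate the process still runs on APP01
# as alice, but the access to FS01 is denied: a remote server at that level can use the
# token only for resources on its own computer.
$cmd = 'cmd.exe /c dir \\FS01\share > C:\Temp\hop.txt 2>&1'
Invoke-WmiMethod -ComputerName 'APP01' -Class Win32_Process -Name Create `
    -ArgumentList $cmd -Impersonation Delegate -Authentication PacketPrivacy
```

Granting "Trusted for delegation" to a computer account is the step that makes the client's network credentials reusable from that computer, so the check above is also the list of what an attacker who compromises APP01 gains; grant it only to servers that genuinely need the second hop.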
By choosing the [{$pagename}], the client tells the server how far it can go in impersonating the client. The client sets the [{$pagename}] on the proxy it uses to communicate with the server.

!! More Information
----
* [#1] - [Impersonation Levels (Authorization)|https://docs.microsoft.com/en-us/windows/win32/secauthz/impersonation-levels|target='_blank'] - based on information obtained 2020-04-20
* [#2] - [Impersonation Levels|https://docs.microsoft.com/en-us/windows/win32/com/impersonation-levels|target='_blank'] - based on information obtained 2020-05-28
* [#3] - [Client Impersonation and Delegation|https://docs.microsoft.com/en-us/windows/win32/cossdk/client-impersonation-and-delegation|target='_blank'] - based on information obtained 2020-05-28