Impersonation APIs

Impersonation APIs

If a call to an impersonation function fails for any reason, the client is not impersonated and the client request is made in the security context of the process from which the call was made. If the process is running as a highly privileged account, such as SYSTEM, or as a member of an administrative group, the user might be able to perform actions he would otherwise be disallowed. Therefore, it's important that you always check the return value of the call. If it fails to raise an error, do not continue execution of the client request. Impersonation functions include RpcImpersonateClient, ImpersonateLogged On User, CoImpersonateClient, ImpersonateNamedPipeClient, ImpersonateDdeClientWindow, ImpersonateSecurityContext, ImpersonateAnonymousToken, ImpersonateSelf, and SetThreadToken.

Also, in Microsoft Windows .NET Server 2003, impersonation is a privilege and is not granted to everyone. This increases the chance your code may not successfully impersonate an account. Impersonation works in Windows .NET Server 2003 if one or more of the following conditions are true:

• The requested impersonation level is less than impersonate (that is, anonymous or identify level, which should always succeed).

• The process token has SeImpersonatePrivilege.

• This process (or another process in this logon session) created the token via LogonUser with explicit credentials.

• This token is for the current application user.

• The application is a COM or COM+ server started via COM activation services, because the Service SID is added to the application's primary token by COM. This does not include COM applications started as Activate as Activator.

SetSecurityDescriptorDacl( , ,NULL, )

Creating security descriptors that have a NULL DACL that is, pDacl, the third argument, is NULL is highly discouraged. Such a DACL offers no security for the object. Indeed, an attacker can set an Everyone (Deny All Access) ACE on the object, thereby denying everyone, including administrators, access to the object. A NULL DACL offers absolutely no protection from attack.