Impersonate Client After Authentication

Would somebody be able to give me a good definition of what this user right means and how it would be used? I noticed that Administrators and SERVICE have this right by default.

Find more posts tagged with

Comments

sprkymrk

http://support.microsoft.com/kb/821546

When you assign the "Impersonate a client after authentication" user right to a user, you permit programs that run on behalf of that user to impersonate a client. This security setting helps to prevent unauthorized servers from impersonating clients that connect to it through methods such as remote procedure calls (RPC) or named pipes.

gojericho0

Hi sprkymrk I read that definition before I posted my question, but am still confused as to the function and benefit. Maybe you can clarify for me?

I log into a workstation and attempt to run a client\server app. The RPC service is run by the NETWORK SERVICE account. If the client process authenticates to a server process across the network, would the client process use my credentials for authentication?

sprkymrk

Hi gojericho0. You know what, there really isn't a whole lot of clarification out there or in any of the several Windows security books I have. But I guess you already knew that, which is why you asked here...

I did find a newer link here:

http://technet2.microsoft.com/windowsserver/en/library/fe1fb475-4bc8-484b-9828-a096262b54ca1033.mspx?mfr=true

Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels.

So I know that is still not entirely clear. I'll confess I thought I knew what it meant until I tried to answer your question. So before I give you wrong information I am going to do a little research because you've got me curious.

gojericho0

Thanks, I have been tasked with disabling any unnecessary services running on our workstation\servers as well as making sure any services aren't running with accounts that have more rights than necessary e.g. domain admins.

I am currently using http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/default.mspx as a resource, but also notice that some of these service accounts have the Impersonate a client after authentication right which kind of threw me for a loop as what its purpose is and when it is necessary.