Security Basics mailing list archives
FW: "Trusted for Delegation" in W2k
From: "Darryl W. Malcolm" <DMalcolm () acuent com>
Date: Wed, 8 Jan 2003 11:08:02 -0500
-----Original Message-----
From: Anthony Paulina
Sent: Wednesday, January 08, 2003 11:00 AM
To: Darryl W. Malcolm; Roy Gehrig
Subject: RE: "Trusted for Delegation" in W2k

Very Risky, Don't do it.

That setting will allow all services that run under the LocalSystem account to communicate to remote computers. Without that setting, the only way a service can communicate directly to a remote computer is to change the service to run with a logged on user ID, commonly called a service account.

From TechNet article <http://support.microsoft.com/default.aspx?scid=kb;en-us;325894#5>:

"Understanding Delegation

Delegation is the act of allowing a service to impersonate a user account or a computer account to access resources throughout the network. In an N-tier program, the user authenticates to a middle-tier service. The middle-tier service authenticates to a back-end data server on behalf of the user. Delegation depends on the middle-tier service that is being trusted for delegation. If the server is set to Trusted for delegation, the service can impersonate a user to use other network services. For example, a user runs a Web program and that Web program uses several different SQL databases that exist on different servers. When the user authenticates to a server (the front-end server) that is trusted for delegation, the server can access the SQL database on the other servers as the user. Because the server that is trusted for delegation has the user's ticket-granting ticket (TGT), it can authenticate to any service on the network. As a result, this setting is not a secure setting. In the Windows .NET Server family, you can control the services that can impersonate the user by using constrained delegation."

Anthony Paulina
Acuent Inc
199 Cherry Hill Rd.
Parsippany, NJ 07054
email: apaulina () acuent com
Phone: (973)541-4285
Fax: (973)541-2540

-----Original Message-----
From: Darryl W. Malcolm
Sent: Wednesday, January 08, 2003 10:25 AM
To: Roy Gehrig; Anthony Paulina
Subject: FW: "Trusted for Delegation" in W2k

-----Original Message-----
From: Teodorski, Chris [mailto:cteodorski () ppg com]
Sent: Monday, January 06, 2003 2:27 PM
To: '
Subject: "Trusted for Delegation" in W2k

Hello all,

I have a Win2k Domain Controller and a Win2K web server... if I trust the web server for delegation... what security issues will I be exposing myself to? Any advice, input would be appreciated.

Thanks,
Chris
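A defender's audit for the setting the reply warns about, added here as an example and not part of the thread or of any Microsoft article. It assumes a domain-joined Windows host with PowerShell and uses System.DirectoryServices (no RSAT module needed); it lists accounts carrying the userAccountControl bit that "Trusted for delegation" sets (unconstrained delegation, the kind that holds users' TGTs) and separates them from constrained delegation, which as the reply notes only exists from Windows .NET Server / 2003 onward.

```powershell
# Added audit example (not from the mailing-list thread).
# Assumes: domain-joined host, default naming context reachable via LDAP.

$TRUSTED_FOR_DELEGATION = 0x80000   # UF_TRUSTED_FOR_DELEGATION: the "Trusted for delegation" checkbox
$SERVER_TRUST_ACCOUNT   = 0x2000    # UF_SERVER_TRUST_ACCOUNT: domain controllers, trusted by default

$root     = New-Object System.DirectoryServices.DirectoryEntry   # RootDSE default naming context
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.PageSize = 1000
# LDAP_MATCHING_RULE_BIT_AND on userAccountControl catches unconstrained delegation;
# msDS-AllowedToDelegateTo is only populated for constrained delegation (2003+).
$searcher.Filter = "(|(userAccountControl:1.2.840.113556.1.4.803:=524288)(msDS-AllowedToDelegateTo=*))"
[void]$searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "userAccountControl", "msDS-AllowedToDelegateTo"))

$results = $searcher.FindAll()
$report = foreach ($r in $results) {
    $uac           = [int]$r.Properties["useraccountcontrol"][0]
    $name          = [string]$r.Properties["samaccountname"][0]
    $isDC          = ($uac -band $SERVER_TRUST_ACCOUNT) -ne 0
    $unconstrained = ($uac -band $TRUSTED_FOR_DELEGATION) -ne 0
    $targets       = @($r.Properties["msds-allowedtodelegateto"])   # SPNs the account may delegate to

    $kind = if ($unconstrained) { "Unconstrained" } elseif ($targets.Count -gt 0) { "Constrained" } else { "None" }
    # Unconstrained delegation on anything other than a DC is the risk the reply describes:
    # the host keeps users' TGTs and can authenticate to any service as them.
    $risk = if ($unconstrained -and -not $isDC) { "HIGH: holds users' TGTs, can reach any service" }
            elseif ($unconstrained)             { "Expected for a domain controller" }
            else                                { "Limited to the listed SPNs" }

    [pscustomobject]@{
        Account    = $name
        Delegation = $kind
        IsDC       = $isDC
        AllowedTo  = ($targets -join "; ")
        Risk       = $risk
    }
}
$results.Dispose()

$report | Sort-Object Delegation, Account | Format-Table -AutoSize
```

Any non-DC row marked Unconstrained is a candidate to clear the checkbox or, on 2003 and later, to convert to constrained delegation against only the SPNs the web application actually needs.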