Logging, Login API and SSPI

Posted by James V on January 24, 2007, 4:31 pm

Hi,

I am trying to add logging capabilities to a Windows (2000/XP/2003)
application that can run under any user context (not necessarily a member of
admin).

The problem is that every time a different user runs the application, the
log files would be created/written under his credentials.

Some users can have limited permissions and not be allowed to access various
parts of the file system.
Furthermore, if a limited user created/written a/to file he has permissions
to view and change it and
I do not want limited users to be able to view or modify the log files.

If I create the files with admin privileges, limited users will not be able
to write/modify them.

I could create a logging service that uses IPC to connect to the server
application and manage the logging for it, but it seems like overkill.

I considered using a special user account that would be impersonated by our
application (using login API and SSPI) and would do the actual log file
manipulation, but the problem is that login API and SSPI can require
certain privileged user permissions (SE_TCB_NAME) for the impersonation to
work properly (The impersonation level does not allow resource access).

Is there any way around the login API and SSPI limitations?
Is there any way to set application level (not user level) permissions ->
allow only a certain application to write to a file?

Any ideas or comments would be appreciated.

Thank you,

James













Posted by Ben Voigt on January 24, 2007, 7:33 pm

>
> Hi,
>
> I am trying to add logging capabilities to a Windows (2000/XP/2003)
> application that can run under any user context (not necessarily a member of
> admin).
>
> The problem is that every time a different user runs the application,
> the log files would be created/written under his credentials.
>
> Some users can have limited permissions and not be allowed to access various
> parts of the file system.
> Furthermore, if a limited user created/written a/to file he has
> permissions to view and change it and
> I do not want limited users to be able to view or modify the log files.
>
> If I create the files with admin privileges, limited users will not be
> able to write/modify them.
>
> I could create a logging service that uses IPC to connect to the server
> application and manage the logging for it, but it seems like overkill.
>
> I considered using a special user account that would be impersonated by
> our application (using login API and SSPI) and would do the actual log
> file manipulation, but the problem is that login API and SSPI can require
> certain privileged user permissions (SE_TCB_NAME) for the impersonation to
> work properly (The impersonation level does not allow resource access).
>
> Is there any way around the login API and SSPI limitations?
> Is there any way to set application level (not user level) permissions ->
> allow only a certain application to write to a file?

This would probably be possible with a device driver, which can then use the
process handle of the caller to checksum the executable and all libraries
and make sure they haven't been tampered with. Otherwise, the user will be
able to at least send arbitrary log messages.

Also, the user will always be able to view his own log messages: because the
process is running as his user account, he can read its memory by calling
CreateProcess to start the process and get a full access handle to it, and
then ReadProcessMemory.

>
> Any ideas or comments would be appreciated.
>
> Thank you,
>
> James



Posted by James V on January 25, 2007, 8:06 am

Hi Ben,

Thank you for your answer.

I guess I won't take that path.

But I believe that if application level permissions were to be incorporated
into the operating system, such a mechanism could be made to be safe.
Because, for example, such a mechanism would not allow a non-admin or
application owner to manipulate a process by means of ReadProcessMemory etc.



>
>>
>> Hi,
>>
>> I am trying to add logging capabilities to a Windows (2000/XP/2003)
>> application that can run under any user context (not necessarily a member
>> of admin).
>>
>> The problem is that every time a different user runs the application,
>> the log files would be created/written under his credentials.
>>
>> Some users can have limited permissions and not be allowed to access various
>> parts of the file system.
>> Furthermore, if a limited user created/written a/to file he has
>> permissions to view and change it and
>> I do not want limited users to be able to view or modify the log files.
>>
>> If I create the files with admin privileges, limited users will not be
>> able to write/modify them.
>>
>> I could create a logging service that uses IPC to connect to the server
>> application and manage the logging for it, but it seems like overkill.
>>
>> I considered using a special user account that would be impersonated by
>> our application (using login API and SSPI) and would do the actual log
>> file manipulation, but the problem is that login API and SSPI can
>> require certain privileged user permissions (SE_TCB_NAME) for the
>> impersonation to work properly (The impersonation level does not allow
>> resource access).
>>
>> Is there any way around the login API and SSPI limitations?
>> Is there any way to set application level (not user level) permissions ->
>> allow only a certain application to write to a file?
>
> This would probably be possible with a device driver, which can then use
> the process handle of the caller to checksum the executable and all
> libraries and make sure they haven't been tampered with. Otherwise, the
> user will be able to at least send arbitrary log messages.
>
> Also, the user will always be able to view his own log messages, because
> the process is running as his user account, he can read its memory, by
> calling CreateProcess to start the process and get a full access handle to
> it, and then ReadProcessMemory.
>
>>
>> Any ideas or comments would be appreciated.
>>
>> Thank you,
>>
>> James



Posted by Eugene Gershnik on January 25, 2007, 3:37 am
James V wrote:
> Hi,
>
> I am trying to add logging capabilities to a Windows (2000/XP/2003)
> application that can run under any user context (not necessarily a
> member of admin).
>
> The problem is that every time a different user runs the
> application, the log files would be created/written under his
> credentials.

Ok.

> Some users can have limited permissions and not be allowed to access
> various parts of the file system.
> Furthermore, if a limited user created/written a/to file he has
> permissions to view and change it and
> I do not want limited users to be able to view or modify the log files.

What is the problem? Write a separate log file for each user under
CSIDL_LOCAL_APPDATA.


--
Eugene
http://www.gershnik.com




Posted by James V on January 25, 2007, 8:34 am

Hi Eugene,
Thank you for your comment.

There are a couple of problems with writing logs to CSIDL_LOCAL_APPDATA.
1. The user would have access to them.
2. The log files would be all over the place instead of in one centralized
location.

> James V wrote:
>> Hi,
>>
>> I am trying to add logging capabilities to a Windows (2000/XP/2003)
>> application that can run under any user context (not necessarily a
>> member of admin).
>>
>> The problem is that every time a different user runs the
>> application, the log files would be created/written under his
>> credentials.
>
> Ok.
>
>> Some users can have limited permissions and not be allowed to access
>> various parts of the file system.
>> Furthermore, if a limited user created/written a/to file he has
>> permissions to view and change it and
>> I do not want limited users to be able to view or modify the log files.
>
> What is the problem? Write a separate log file for each user under
> CSIDL_LOCAL_APPDATA.
>
>
> --
> Eugene
> http://www.gershnik.com


