Re: Windows NT does not check permissions after HANDLEs are open

From: Thorat_private
Date: Thu Aug 30 2001 - 06:39:33 PDT


    >permissions. Therefore, it is possible to retain access to an object after
    >the Create/Owner or an administrator has changed the ACL simply by
    >maintaining an open handle. If the requestor is a service or server-program
    >that is expected to run 24/7 the object will remain accessible long after
    >the ACL has been altered [think ISAPI, extended stored procedures, et al].
    
    I believe that in domain environments, where the "Enforce user logon
    restrictions" setting (Under Kerberos Policy) is enabled by default, this
    kind of thing is mitigated by forcing a check against the "access computer
    from network" permissions each time a session key is requested.  Is that
    different than you have found?  I know that a "deny access" works instantly,
    but you would then have to take an extra step there...  This worked in my
    config, anyway.
    
    Of course, if they were already granted a session key for the resource, then
    I think you are right.  You would have to force a disconnect with logon time
    restrictions otherwise...  Then again, I wonder what would happen after the
    default lifetime for a user ticket expired (10 hours), and the access tokens
    were renewed?   Hmmm.
    
    Later man!
    AD
    


