[cvsnt] Impersonation Windows 2003 Server

Pascal Van Cauwenberghe pvc at nayima.be
Sun Jul 27 19:55:20 BST 2003


> The problem here is that Microsoft upped the security of the W2003
> server from that on W2K. On W2K the SYSTEM account had permission to
> act in place of any user (impersonation) but in W2003 this permission
> has been denied the SYSTEM account by default. So to make CVSNT work
> in this scenario you need to explicitly grant this right to the SYSTEM
> account.
> (The CVSNT service runs in the context of the SYSTEM account until the
> user has been verified against the account database.)

This privilege has been added in Win2003 and Win2000sp4. The installer for Win2000sp4 grants the privilege to services.

For more info, see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/impersonatesecuritycontext.asp

If anyone's interested, I can write the necessary code to verify the presence and setting of the "SeImpersonatePrivilege" privilege. That would enable the sspi handler to generate a more descriptive diagnostic.

Another question about the cvsservice and lockservice: why are they registered as "interactive" services (with access to the desktop)? As far as I can see, neither the service, nor the cvs generates any UI elements. I wouldn't see them anyway, as usually nobody's logged into the server. :-)

Pascal Van Cauwenberghe
Nayima bvba
http://www.nayima.be/
http://www.xp.be/
-----
Meet us at the XP Day Conference, November 21st in Breda
http://www.xpday.be/
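
The check offered in the message above, as an added example (not code from the original post or from CVSNT): it reads the calling process's token and reports whether SeImpersonatePrivilege is absent, held but disabled, or enabled. The function names, the enum and the diagnostic wording are assumptions; the non-Windows typedefs are stand-ins so the lookup logic can be compiled and tested off Windows.

```c
#ifdef _WIN32
#include <windows.h>   /* link with advapi32 */
#else                  /* stand-in types so the lookup logic builds off Windows */
typedef unsigned int DWORD;
typedef struct { DWORD LowPart; int HighPart; } LUID;
typedef struct { LUID Luid; DWORD Attributes; } LUID_AND_ATTRIBUTES;
typedef struct { DWORD PrivilegeCount; LUID_AND_ATTRIBUTES Privileges[1]; } TOKEN_PRIVILEGES;
#define SE_PRIVILEGE_ENABLED 0x00000002u
#endif
#include <stdio.h>
enum priv_state { PRIV_ERROR = -1, PRIV_ABSENT, PRIV_DISABLED, PRIV_ENABLED };

/* Find one privilege LUID in a token's privilege list and report its state. */
enum priv_state priv_state_in(const TOKEN_PRIVILEGES *tp, LUID want)
{
    for (DWORD i = 0; i < tp->PrivilegeCount; i++) {
        const LUID_AND_ATTRIBUTES *p = &tp->Privileges[i];
        if (p->Luid.LowPart == want.LowPart && p->Luid.HighPart == want.HighPart)
            return (p->Attributes & SE_PRIVILEGE_ENABLED) ? PRIV_ENABLED : PRIV_DISABLED;
    }
    return PRIV_ABSENT;
}

/* Hypothetical wording for a more descriptive diagnostic (an assumption). */
const char *priv_diagnostic(enum priv_state s)
{
    if (s == PRIV_ENABLED)  return "SeImpersonatePrivilege is enabled";
    if (s == PRIV_DISABLED) return "SeImpersonatePrivilege is held but disabled in this token";
    if (s == PRIV_ABSENT)   return "SeImpersonatePrivilege is not held: grant it to the service account";
    return "could not read the process token";
}

/* State for the calling process's token; off Windows this reports PRIV_ERROR. */
enum priv_state current_impersonate_state(void)
{
    enum priv_state st = PRIV_ERROR;
#ifdef _WIN32
    HANDLE tok; LUID want; DWORD len = 0; TOKEN_PRIVILEGES *tp;
    if (!LookupPrivilegeValueA(NULL, "SeImpersonatePrivilege", &want)) return st;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return st;
    GetTokenInformation(tok, TokenPrivileges, NULL, 0, &len);  /* sizing call */
    tp = (TOKEN_PRIVILEGES *)LocalAlloc(LPTR, len);
    if (tp && GetTokenInformation(tok, TokenPrivileges, tp, len, &len))
        st = priv_state_in(tp, want);
    LocalFree(tp); CloseHandle(tok);
#endif
    return st;
}

int main(void) { puts(priv_diagnostic(current_impersonate_state())); return 0; }
```

The result describes the token of whichever process calls it, so the check has to run inside the service itself rather than from an administrator's shell.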