Impersonation with Virtual Service Accounts


Problem description

I have some ProgramData files I'd like only my services to be able to interact with. The current intention is to create a new process and use 'Service Isolation' to assign ACLs to the files such that only that process has access to them. Service Isolation appears to be a sibling of virtual service accounts. It would be convenient if I could use impersonation in other processes to access those files as well. I'm currently under the impression this isn't possible, but would like to confirm. If impersonation isn't possible, I'll need to provide a mechanism for the privileged process to pass its information to other relevant processes.

For reference, the LogonUser code I'm using to receive access to the token is the following.

#include <windows.h>
#include <atlstr.h>   // CString
HANDLE hUser = NULL;  // receives the virtual account's token
CString strUser = _T("NT SERVICE\\MyServiceName");
BOOL bSuccess = LogonUser(strUser,
                          _T("."),   // local machine (was L".", which only compiles with UNICODE defined)
                          _T(""),    // empty password, as in the original
                          LOGON32_LOGON_BATCH,
                          LOGON32_PROVIDER_DEFAULT,
                          &hUser);
if (!bSuccess) { DWORD dwErr = GetLastError(); /* inspect why the logon failed */ }

A couple other questions, if others here are working on similar problems:

1) I'm curious how common it is to secure ProgramData associated with services and prevent access.

2) If it is common, how are other folks solving this problem?

3) Is it possible to impersonate a virtual service (of course)?
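One way to carry out the 'Service Isolation' step the question describes, as an added example that is not part of the original post or answer: enable a per-service SID for the service and then write a DACL on the ProgramData folder that grants access only to that SID (plus SYSTEM and Administrators, without which the folder cannot be managed). It is PowerShell run from an elevated prompt; the service name MyServiceName, the vendor folder name and the 'Modify' right for the service are assumed placeholders, and the service is assumed to already be installed.

```powershell
# Added example (not from the original post). Assumed placeholders: service 'MyServiceName',
# folder "$env:ProgramData\MyVendor\MyServiceName". Run elevated; the service must already exist.
$ServiceName = 'MyServiceName'
$DataDir     = Join-Path $env:ProgramData "MyVendor\$ServiceName"

# 1. Service isolation: make the SCM add the per-service SID (S-1-5-80-...) to the
#    service's token. 'unrestricted' adds it as a normal group SID; qsidtype shows the setting.
sc.exe sidtype $ServiceName unrestricted | Out-Null
sc.exe qsidtype $ServiceName

# 2. Build a DACL for the data folder: stop inheriting from ProgramData, drop every
#    explicit ACE already present, then grant only the three principals we want.
New-Item -ItemType Directory -Path $DataDir -Force | Out-Null
$acl = Get-Acl -Path $DataDir
$acl.SetAccessRuleProtection($true, $false)   # protect the DACL and do not copy inherited ACEs
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($rule) | Out-Null
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

# The service gets Modify (read/write/delete on its own data) rather than FullControl,
# so a compromised service cannot rewrite the DACL that confines it.
$grants = @(
    @{ Identity = 'NT AUTHORITY\SYSTEM';     Rights = 'FullControl' },
    @{ Identity = 'BUILTIN\Administrators';  Rights = 'FullControl' },
    @{ Identity = "NT SERVICE\$ServiceName"; Rights = 'Modify'      }
)
foreach ($g in $grants) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Identity, $g.Rights, $inherit, $prop, 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $DataDir -AclObject $acl

# 3. Verify: the resulting DACL should list exactly the three grants, none inherited,
#    and nothing for BUILTIN\Users or Everyone.
(Get-Acl -Path $DataDir).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

The 'NT SERVICE\<name>' principal used in the ACE is the same name the question passes to LogonUser; with sidtype set, the running service carries that SID in its token, so files ACL'd to it are reachable by the service process without any logon or impersonation. Other processes that do not carry the SID are denied, which is the confinement the question is after; whether a second process can legitimately acquire that identity is the question the answer below addresses.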

Recommended answer

Thank you for posting here.

>> 1) I'm curious how common it is to secure ProgramData associated with services and prevent access.
>> 2) If it is common, how are other folks solving this problem?
>> 3) Is it possible to impersonate a virtual service (of course)?

I couldn't tell you how common it is to secure ProgramData exactly. As far as I know, Microsoft provides these Windows APIs to begin impersonating. You could choose a suitable one.

  • A DDE server application can call the DdeImpersonateClient function to impersonate a client.
  • A named-pipe server can call the ImpersonateNamedPipeClient function.
  • You can call the ImpersonateLoggedOnUser function to impersonate the security context of a logged-on user's access token.
  • The ImpersonateSelf function enables a thread to generate a copy of its own access token.
  • You can call the SetThreadToken function to cause the target thread to run in the security context of a specified impersonation token.
  • A Microsoft Remote Procedure Call (RPC) server application can call the RpcImpersonateClient function to impersonate a client.
  • A security package or application server can call the ImpersonateSecurityContext function to impersonate a client.

For more details, please refer to the document below.

https://msdn.microsoft.com/en-us/library/windows/desktop/aa376391(v=vs.85).aspx

Hope this helps.

Best regards,

Baron Bi

