[AccessD] OT (sorta) security impersonation

Erwin Craps - IT Helps Erwin.Craps at ithelps.be
Wed Dec 10 01:48:13 CST 2003


One small but important remark from a security point of view.

"One should never store admin passwords!" 
Create a account with sufficient rights for your purpose and use that
account.

Never Never store an admin password, if you put it straigth in code it
can be simply scanned in you code (compiled or not).

Erwin


-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Brett
Barabash
Sent: Tuesday, December 09, 2003 10:23 PM
To: 'Access Developers discussion and problem solving'
Subject: RE: [AccessD] OT (sorta) security impersonation

Thanks Drew.
I was specifically interested in copying files to the WINNT\System32
directory (e.g. ocx, dll files).
I downloaded some impersonation code (my Nicholson's a little rusty, but
I can do a good Dubya.  Just think "nucular") from PSC but couldn't get
it to run on our W2K network.  After a lengthy search (MSDN no longer
has it), I found the NTSVC.OCX file.  I will take a look at it; probably
just what I need.

>From your experience, is VB6 stable enough to create services?  The 
>reason
why I ask is because Microsoft has some KB articles that discuss access
violation errors occuring from the OS interacting with VB's AddressOf
function when run as a service. 


-----Original Message-----
From: Drew Wutka [mailto:DWUTKA at marlow.com]
Sent: Tuesday, December 09, 2003 2:51 PM
To: 'Access Developers discussion and problem solving'
Subject: RE: [AccessD] OT (sorta) security impersonation


2 things.  First, if you are copying things to the DESKTOP, that
shouldn't be under WINNT, it will be under Documents and Settings.

If you are still trying to get to the WINNT folder (and subfolders),
then you have a few options.  The first is to impersonate an Admin user.
Quite frankly, I'm not the person to ask on this, if you really want to
go this route, email me offlist, and I'll have my co-worker send you
some code, he's pretty good with the NT impersonation stuff.  The
second, which I have used many times myself, is to create an NT service,
like you mentioned.  The easy part of the service project is that you
can setup the service to run as a particular account, so you can put in
the name and password of an Admin account, and that service .exe will be
run under those credentials automatically.  I use the NTSRVC.ocx, which
is pretty easy to use, it handles all of the service 'events', etc.  

Drew

-----Original Message-----
From: Brett Barabash [mailto:BBarabash at tappeconstruction.com]
Sent: Tuesday, December 09, 2003 1:23 PM
To: 'accessd at databaseadvisors.com'
Subject: [AccessD] OT (sorta) security impersonation


For quite a while now I have used a simple batch file to automatically
copy new files to a users' desktop.  Now, I have a new challenge.
All of our workstations are configured to restrict access to the WINNT
directory and its subdirectories.  To copy a file to these directories I
need to be logged on as an admin.
I would like to develop a VB app that would run on each desktop, either
as a normal executable or as a service, that would authenticate itself
as an admin and copy the necessary files.  If I run it as a service, it
looks like I can setup a security profile for the service in the control
panel.
 
Has anyone out there done anything like this?
Drew, I know that you have a lot of experience with creating services.
Any good resources that you can point me to?
 
Brett Barabash, MCP
Tappe Construction, Co. 
Eagan, MN
bbarabash at tappeconstruction.com
(651) 256-6831 

"One thing a computer can do that most humans can't is be sealed up in a
cardboard box and sit in a warehouse."  -Jack Handey

 

------------------------------------------------------------------------
----
----------------------------------------
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed.
If you have received this email in error please notify the originator of
the message. This footer also confirms that this email message has been
scanned for the presence of computer viruses.

Any views expressed in this message are those of the individual sender,
except where the sender specifies and with authority, states them to be
the views of Tappe Construction Co.

Scanning of this message and addition of this footer is performed by
SurfControl E-mail Filter software in conjunction with virus detection
software.
_______________________________________________
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com
_______________________________________________
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com

------------------------------------------------------------------------
--------------------------------------------
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed.
If you have received this email in error please notify the originator of
the message. This footer also confirms that this email message has been
scanned for the presence of computer viruses.

Any views expressed in this message are those of the individual sender,
except where the sender specifies and with authority, states them to be
the views of Tappe Construction Co.

Scanning of this message and addition of this footer is performed by
SurfControl E-mail Filter software in conjunction with virus detection
software.

_______________________________________________
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com


More information about the AccessD mailing list