WinSecWiki > Security Settings > Local Policies > User Rights > User Rights In-Depth > Impersonate a client

Impersonate a client after authentication

KA: SeImpersonatePrivilege, Impersonate a client after authentication

Default assignment: Administrators, SERVICE

This sensitive right allows a server application that accepts authenticated client connections over one of Windows inter process communications components (e.g. RPC, named pipes or COM) to impersonate that client user while accessing resources on the server on behalf of the user. Restricting this right prevents just anybody from creating a RPC, named pipe or COM based application and then convincing users to access it for the purpose of hijacking their credentials.

Since this right is assigned by default to the special principle, SERVICE, all services and COM servers started by the COM infrastructure and that are configured to run under a specific account also have this right by virtue of SERVICE being in their access token. Because of this, be aware that any code you run as a service or through COM automatically gets the right to impersonate clients that connect to it.

This right should only be assigned to trusted server applications that need to be able to impersonate the client user. Note that programmers modifying code that runs in such an application could insert malicious code to perform actions as a targeted end-user. This is just one reason why code reviews and change control are so important in a development environment.

Upcoming Webinars

Additional Resources

User Rights In-Depth

•	Access from Network
•	Act as OS
•	Add Workstations
•	Adjust Memory Quotas
•	Allow log on locally
•	Allow Terminal Services logon
•	Backup Files & Directories
•	Bypass traverse checking
•	Change the system time
•	Create a pagefile
•	Create a token object
•	Create global objects
•	Permanent shared objects
•	Debug programs
•	Deny network access
•	Deny logon as a batch job
•	Deny logon as a service
•	Deny logon locally
•	Deny Terminal Services logon
•	Enable trusted for delegation
•	Force shutdown remotely
•	Generate security audits
•	Impersonate a client
•	Increase scheduling priority
•	Load and unload device drivers
•	Lock pages in memory
•	Log on as a batch job
•	Log on as a service
•	Manage auditing and security log
•	Modify firmware values
•	Volume maintenance
•	Profile single process
•	Profile system performance
•	Remove from docking station
•	Replace process level token
•	Restore files and directories
•	Shut down the system
•	Sync directory service data
•	Take ownership of files & objects

User name:
Password:
	/ Forgot?
	Register

July 2024 Patch Tuesday	"Patch Tuesday - Four Zero Days " - sponsored by Supercharger for Windows Event Collection

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.