[OpenAFS] UAC in Windows 7 prevents importing Kerberos TGT to NIM

Jeffrey Altman jaltman@secure-endpoints.com
Mon, 11 Apr 2011 07:57:56 -0400



On 4/11/2011 4:51 AM, Erik Dalén wrote:

> Would it be possible to do the import but with a UAC prompt?

Doing so would bypass what little security benefit UAC mode provides.
The reason the TGT is not exported from the LSA when UAC is active is
that with the TGT a process can be locally created with full admin
privileges without prompting the user.

While I could implement such a thing, I won't.  If you want to bypass
the restrictions of UAC, turn it off.  Otherwise, do what is actually
secure and use separate accounts for day-to-day activities and
administrative purposes.

Jeffrey Altman

