使用NamedPipe访问Windows服务之间的安全性
[英]Access security between Windows Services with NamedPipe
问题描述
I have a C/C++ windows service implementation that is deployed on two different servers, using a NamedPipe so that they can communicate with each other. 
我有一个C / C ++ Windows服务实现,它使用NamedPipe部署在两个不同的服务器上,以便它们可以彼此通信。
I followed the least privilege principle, assigning the service account to "NT AUTHORITY/NetworkService", creating the NamedPipe with a Security Descriptor that has 'Read permissions' (A;OICI;GR;;;NS), blocked anonymous access, blocked all built-in guests, Grant all rights to logged users and Administrators group. 我遵循最小特权原则,将服务帐户分配给“ NT AUTHORITY / NetworkService”,使用具有“读取权限”(A; OICI; GR ;;; NS)的安全描述符创建NamedPipe,阻止匿名访问,阻止所有内置访客,将所有权限授予登录的用户和管理员组。
The services are giving me an "Access Denied (0x5)" error. 服务给我一个“访问被拒绝(0x5)”错误。
Here are the things I tried: 这是我尝试过的事情:
I tried to give all permissions for the "NetworkService" account.
我试图授予“ NetworkService”帐户的所有权限。 I know it is bad :( but just to see whether it works or not! Access Denied 我知道这很糟糕:(但只是看看它是否有效!访问被拒绝 Allowed read permission to Anonymous users (I read that the "NetworkService" account presents anonymous credentials to other computers on the network).
允许对匿名用户的读取权限(我读到“ NetworkService”帐户向网络上的其他计算机提供了匿名凭据)。 Access Denied 拒绝访问
The service is working with my console test application :( but not with another services. The security is critical and I just want both servers to be able to communicate with each other. 该服务正在与我的控制台测试应用程序:(但不能与其他服务一起使用。安全性至关重要,我只希望两台服务器之间能够相互通信。
Can anyone tell me, whether I should create a specific account for each service in both servers? 谁能告诉我,是否应该为两个服务器中的每个服务创建一个特定帐户?
The servers are not in a Domain, so I am not sure how to create a network wide account, or even if it is possible. 这些服务器不在域中,因此我不确定如何创建网络范围的帐户,即使可能也无法确定。 I am not so good with Windows administration stuff! 我对Windows管理的东西不太满意!
Is this the correct direction to take to get the services to communicate with each other? 这是使服务相互通信的正确方向吗?
1 个解决方案
解决方案1
1 2017-03-27 23:14:32
Sounds like you have a design issue. 听起来您有设计问题。
When you wrote "creating the NamedPipe with a Security Descriptor that has 'Read permissions'", the question should be "read permissions for whom ?". 当您编写“使用具有'读取许可权'的安全描述符创建NamedPipe“时,问题应为” 对谁的读取许可权?“。 Permissions are always tied to trustees. 权限始终与受托人相关。
In Windows, trustees don't exist in vacuum. 在Windows中,受托人并不存在于真空中。 They're always defined in some scope. 它们总是在某个范围内定义。 Without a central user database (Active Directory), that would be the local scope of each computer. 如果没有中央用户数据库(Active Directory),那将是每台计算机的本地范围。 And two computers have distinct, non-overlapping sets of trustees. 两台计算机具有不同的,不重叠的受托者集合。 Administrator on one machine is unrelated to Administrator on another. Administrator一台机器上是无关的Administrator在另一个上。
So when you give NetworkService all access to a NamedPipe on one computer, that probably meant you gave the NetworkService trustee from that sam computer access. 因此,当您向NetworkService授予对一台计算机上NamedPipe的所有访问权限时,这可能意味着您从该sam计算机访问权授予了NetworkService受托人。 Not NetworkService from other computers! 不是来自其他计算机的NetworkService !
Fundamentally, without a Primary Domain Controller to function as a shared authority, two Windows PC's just won't trust each other . 根本上,如果没有主域控制器来充当共享权限,那么两台Windows PC便不会相互信任 。 Each is its own security authority. 每个都是其自己的安全授权。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.