NamedPipeClientStream 抛出 UnauthorizedAccessException：对路径的访问被拒绝

Question

I have reviewed lots of similar questions but none seems to cover this case. So please check the details before assuming it is a duplicate.

Scenario: I have a client and server application written in c# targeting .NET Framework 4.7.2 that communicates using NamedPipeClientStream and NamedPipeServerStream respectively.

The server is running as the local administrator account and creates the NamedPipeServerStream like this:

PipeSecurity ps = new PipeSecurity();
ps.AddAccessRule(new PipeAccessRule(WindowsIdentity.GetCurrent().Owner, PipeAccessRights.FullControl, AccessControlType.Allow));
ps.AddAccessRule(new PipeAccessRule(new SecurityIdentifier("S-1-5-32-544"), PipeAccessRights.ReadWrite, AccessControlType.Allow));
NamedPipeServerStream mypipe = new NamedPipeServerStream("mypipe", PipeDirection.Out, 1, 0, PipeOptions.WriteThrough, 0, 0, ps);
mypipe.WaitForConnection();

On the server I have created a local account called "testuser" that is a member of the local administrators group. This account is used for authentication on the client when connecting to the Named Pipes over the network.

The client program is running as a local user on a different machine connected via network and creates the connection like this:

NamedPipeClientStream mypipe = new NamedPipeClientStream("<ip of server>", "mypipe", PipeDirection.In, PipeOptions.None);
mypipe.Connect();

When running the server software on Windows Server 2012 this works fine. But on Windows Server 2016 and Windows Server 2019 I get the UnauthorizedAccessException. If instead of my local user "testuser" I authenticate with the built-in Administrator account over the network, it works fine on all three version of windows server.

If I change the pipe security to use a SID of for example S-1-5-11 to allow "authenticated users" it also works on all three versions but the requirement is to only allow members of the local administrators group from connecting to the server over the network. Ideally it should not matter if the account is a local or domain account, but I have only tested with local accounts.

I have done some debugging using Event Viewer on the server and I can see Event 5145 (Detailed File Share) with Audit success for my testuser when accessing the pipe, but the client still reports UnauthorizedAccessException.

Is there any way to restrict access for only members of the local administrators group on windows server 2016 and 2019?

Answer 1

If anyone else runs into this problem I found the cause. The problem was "UAC remote restrictions". More information can be found in Microsoft's KB 951016

If a local account is a member of the Builtin\Administrators group and authenticates over the network for instance to an SMB share such as \\remotecomputer\C$ or a named pipe, the account will not authenticate as a "full" administrator and thus not have access to administrative resources. Such accounts will have to be elevated from a interactive logon such as RDP to gain full administrative privileges. As such, my scenario with builtin accounts does not work because of this security feature.

There seems to be three ways to handle this problem.

1. Disable this security measure in the registry (probably not recommended).
2. Use a domain account and add that as a local administrator. This security restriction appears to only affect SAM (local) accounts.
3. Only use the builtin Administrator account as this is also not affected by the security restriction.

Note that if the registry is edited incorrectly there might be serious consequences. So backup the registry before performing any changes. The following instructions are based on Microsoft's article on the subject:

To disable the restriction in the registry:

1. Open the registry using regedit and select the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
2. Create the following key (type DWORD) if it does not exist, otherwise just edit it to have a value of 1: LocalAccountTokenFilterPolicy .