堆栈内存溢出
  简体   繁体   English

如何防止用户登录仅用于模拟的帐户?

[英]How to prevent user from logon of an account used for impersonation only?

 原文  2011-03-29 14:14:11       c#/ impersonation

问题描述

Currently I have a windows service written in C# (running as LocalSystem) which creates a user account, needed for impersonation, by using the DirectoryEntry to add the user/password and associated UserFlags. 当前,我有一个用C#(以LocalSystem运行)编写的Windows服务,该服务通过使用DirectoryEntry添加用户/密码和关联的UserFlags,创建了模拟所需的用户帐户。 Then it simply uses this account to perform some tasks (using impersonation) using the LogonUser() functionality - works perfectly. 然后,它仅使用此帐户即可使用LogonUser()功能执行某些任务(使用模拟)-完美地工作。

However this account should ONLY be used for impersonation by my service, a user should NEVER be able to login (even if he has the credentials) locally or via the network. 但是,此帐户仅应由我的服务用于模拟,用户永远不能在本地或通过网络登录(即使他具有凭据)。

To accomplish this I tried setting the Local Policies for “Deny logon locally” and “Deny access to this computer from the network” and added the user my service creates. 为此,我尝试为“拒绝本地登录”和“拒绝从网络访问此计算机”设置“本地策略”,并添加了我的服务创建的用户。 Now however impersonation fails with the following: Logon failure: the user has not been granted the requested logon type at this computer (1385) 但是,现在模拟失败,并显示以下内容:登录失败:未在此计算机上向用户授予所请求的登录类型(1385)

So, I guess this is NOT the right way to do it … but I need to secure lockdown the account so it can only be used by my service for impersonation purposes and to ensure that no one else can ever logon to the account (even if they have all the credentials). 因此,我认为这不是正确的方法……但是我需要保护帐户的安全,以便我的服务只能将其用于模拟目的,并确保没有其他人可以登录到该帐户(即使他们拥有所有凭据)。

Is there something in LSA I can use? 我可以使用LSA中的某些内容吗? Or using the DirectoryEntry code similar to when the account was created? 还是使用类似于创建帐户时的DirectoryEntry代码? Is there a way to allow for an account to exist but not allow users to interactively logon? 有没有办法允许帐户存在但不允许用户交互式登录?

Any help would be much appreciated. 任何帮助将非常感激。 Thanks, 谢谢,

1 个解决方案

解决方案1
 0  2011-03-29 14:29:07

You can run the service under the "Network Service" account and grant the server access to the applicable domain resources. 您可以在“网络服务”帐户下运行该服务,并向服务器授予对适用域资源的访问权限。 Other than that, I am not certain there is a way to solve your problem with a user account. 除此之外,我不确定用户帐户是否可以解决您的问题。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 当前登录用户在远程计算机上的WMI模拟 - wmi impersonation on remote computer as currently logon user 将登录设置为管理员用户的模拟和运行服务是一回事吗? - Does Impersonation and running service with logon set to Administrator user is same thing? 表单身份验证-如何防止受骗用户帐户仅知道扩展的用户信息? - Forms Auth - How to prevent dupe user account knowing only extended user information? 使用模拟时获得真实的登录用户 - Get real logged in user when impersonation is used 模拟仅在用户特定时才有效 - Impersonation only works when a user is specificed 模拟远程服务说用户'NT Authority \\ Anonymous Logon'登录失败 - Impersonation on remote service says Login failed for user 'NT Authority\Anonymous Logon' 创建一个只有当前登录用户才能访问的文件夹 - Create a folder only accesible by current logon user 使用特定的登录用户帐户创建Installshield winforms服务 - Installshield winforms service creation with specific logon user account 如何在报表服务中实现用户模拟? - How to implement user impersonation in reporting services? 使用LOGON32_LOGON_NEW_CREDENTIALS进行Windows模拟的魔力是什么? - What is the magic to Windows impersonation with LOGON32_LOGON_NEW_CREDENTIALS?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM