Impersonation and named pipes.

Someone asked on an internal mailing list why the documentation of security impersonation levels has the following quote:

When the named pipe, RPC, or DDE connection is remote, the flags passed to CreateFile to set the impersonation level are ignored. In this case, the impersonation level of the client is determined by the impersonation levels enabled by the server, which is set by a flag on the server's account in the directory service. For example, if the server is enabled for delegation, the client's impersonation level will also be set to delegation even if the flags passed to CreateFile specify the identification impersonation level.


The reason’s actually fairly simple:  The CIFS/SMB protocol doesn’t have the ability to track the user’s identity dynamically (this is called Dynamic Quality of Service or Dynamic QOS).  As a result, the identity of the user performing an operation on a networked named pipe is set when the pipe is created, and is essentially fixed for the lifetime of the pipe. 


If the application impersonates another user’s token after opening the pipe, the impersonation is ignored (because there’s no way of informing the server that the user’s identity has changed).


Of course if you’re impersonating another user when you call CreateFile call, then that user’s identity will be used when opening the remote named pipe, so you still have some ability to impersonate other users, it’s just not as flexible as it could be.



Comments (2)

  1. Anonymous says:

    I don’t think this is what the MSDN page is talking about.

    The case that you describe is where the application impersonates user A, connects to a pipe, then impersonates user B.

    MSDN page says that if you connect to a remote pipe, and ask for some impersonation level (for example, Identify), your settings are ignored and the server might be able to use your token as if you specified Impersonate or even Delegate.

    Which is really strange considering the fact that impersonation level is purely a client side setting – it’s designed to protect the client from evil servers, so why would you ever want to let the server decide what impersonation level to use?

  2. Anonymous says:

    Hmm.. The thing is that named pipes use only impersonation (unless the server’s trusted for delgation) and static QoS. It’s built into the protocol.

    And the reason is still valid – the CIFS protocol doesn’t support it 🙂

Skip to main content