MedwardsPTC
Guest
I have some ProgramData files I'd like only my services to be able to interact with. The current intention is to create a new process and use 'Service Isolation' to assign ACLs to the files such that only that process has access to them. Service Isolation appears to be a sibling of virtual service accounts. It would be convenient if I could use impersonation in other processes to access those files as well. I'm currently under the impression this isn't possible, but would like to confirm. If impersonation isn't possible, I'll need to provide a mechanism for the privileged process to pass its information to other relevant processes.
For reference, the LogonUser code I'm using to receive access to the token is the following.
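// Request a token for the service's virtual account.
HANDLE hUser = NULL;  // receives the token handle on success
CString strUser = _T("NT SERVICE\\MyServiceName");
BOOL bSuccess = LogonUser(strUser,
                          _T("."),
                          _T(""),
                          LOGON32_LOGON_BATCH,
                          LOGON32_PROVIDER_DEFAULT,
                          &hUser);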
A couple other questions, if others here are working on similar problems:
1) I'm curious how common it is to secure ProgramData associated with services and prevent access.
2) If it is common, how are other folks solving this problem?
3) Is it possible to impersonate a virtual service (of course)?
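One way to set up the ACL arrangement described in the post, as an added example that is not part of the original post. It assumes an elevated PowerShell session, an installed service with the name used in the post, and a hypothetical data directory `MyApp` under ProgramData; the choice to keep SYSTEM and Administrators on the ACL is also an assumption.

```powershell
# Added example; the directory name and the set of allowed principals are assumptions.
$ServiceName = 'MyServiceName'                      # service name used in the post
$DataDir     = Join-Path $env:ProgramData 'MyApp'   # hypothetical data directory

# Put the per-service SID into the service's token. "unrestricted" adds the SID
# without making the token write-restricted; it applies on the next service start.
sc.exe sidtype $ServiceName unrestricted | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc.exe sidtype failed ($LASTEXITCODE)" }

# Resolve NT SERVICE\<name> to its SID; this throws if the service is not installed.
$sidType = [System.Security.Principal.SecurityIdentifier]
$svcSid  = ([System.Security.Principal.NTAccount]"NT SERVICE\$ServiceName").Translate($sidType)
$system  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'      # LocalSystem
$admins  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # Administrators

New-Item -ItemType Directory -Path $DataDir -Force | Out-Null

# Start from the current descriptor, stop inheriting from ProgramData
# (whose default ACL lets ordinary users read), and clear existing ACEs.
$acl = Get-Acl -Path $DataDir
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$grants = @(
    @{ Sid = $svcSid; Rights = 'Modify' },
    @{ Sid = $system; Rights = 'FullControl' },
    @{ Sid = $admins; Rights = 'FullControl' }
)
foreach ($g in $grants) {
    $rights = [System.Security.AccessControl.FileSystemRights]$g.Rights
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        ($g.Sid, $rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $DataDir -AclObject $acl

# Verify: every ACE now on the directory must belong to one of the three SIDs.
$allowed = @($svcSid.Value, $system.Value, $admins.Value)
$extra = (Get-Acl -Path $DataDir).Access | Where-Object {
    $allowed -notcontains $_.IdentityReference.Translate($sidType).Value
}
if ($extra) { throw "Unexpected ACEs: $($extra.IdentityReference -join ', ')" }
Get-Acl -Path $DataDir | Format-List Path, AccessToString
```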