
I went and looked at a service that was run by a domain user.

The process for the service read from a file on the machine's hard drive, and in the ACLs for that service there was an ACE for the local domain administrator group.

And inside the domain administrator's group, there was the domain account that runs the service...to complete our circular logic...for one pass...

So what sort of authentication is this considered?

  • AD/Kerberos ?
  • NTLM ?

Or is it like both?

leeand00
  • Huh? Authentication takes place when the service starts up, and should use Kerberos but might wind up using NTLM if Kerberos fails for any reason. The authentication method is not determined by group membership and cannot be affected by what sort of ACLs you are using. Nor do I see what you mean by "circular logic", the setup you describe is not best practice in terms of security but otherwise seems perfectly normal. – Harry Johnston Jun 10 '19 at 21:28
  • ... it kind of sounds like you are confusing authentication and authorisation? – Harry Johnston Jun 10 '19 at 21:29
  • @HarryJohnston I bet I am. – leeand00 Jun 10 '19 at 21:29
  • @HarryJohnston So authorization then is the OS allowing the process’ user account to rwx the file then? – leeand00 Jun 10 '19 at 21:32
  • Technically authorisation includes the process of figuring out which groups a user is in, and in Windows that aspect of it does happen via the same mechanism (Kerberos or NTLM) as authentication. But they're still logically distinct, and in particular the group membership doesn't affect and shouldn't be affected by the authentication method chosen - provided everything is working as designed, at least. And yes, Windows checking whether the process is allowed to open the file and what it is allowed to do to it is also authorisation. – Harry Johnston Jun 10 '19 at 21:42
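
The distinction drawn in the comments above, as an added example that is not part of the original thread: a simplified Python model of the Windows DACL access check, showing that the file-access decision depends on the groups in the access token and not on whether the logon used Kerberos or NTLM. The account names, group names, ACEs and the `Token`/`Ace`/`access_check` helpers are constructed for illustration and are not a Windows API.

```python
# Added illustration: simplified model of the Windows DACL access check.
# All account names, group names and ACEs below are constructed sample data.
from dataclasses import dataclass

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class Token:
    """Built once at logon, after Kerberos or NTLM authentication succeeds."""
    user: str
    groups: frozenset
    auth_package: str  # recorded for audit only; never read by access_check

@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group the ACE applies to
    mask: int      # access bits the ACE grants or denies

def access_check(token, dacl, desired):
    """Walk ACEs in order; return True only if every desired bit is granted."""
    if dacl is None:            # null DACL: object is unprotected
        return True
    remaining = desired
    identities = {token.user} | token.groups
    for ace in dacl:            # an empty DACL falls through to the final deny
        if ace.trustee not in identities:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False        # a matching deny ACE ends the walk
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False                # bits left ungranted: access denied

# Constructed scenario from the question: the service account is a member of
# Domain Admins, and the file's DACL carries an ACE for that group.
FILE_DACL = [Ace("allow", "CONTOSO\\Domain Admins", READ | WRITE)]
GROUPS = frozenset({"CONTOSO\\Domain Users", "CONTOSO\\Domain Admins"})
svc_kerberos = Token("CONTOSO\\svc-app", GROUPS, "Kerberos")
svc_ntlm = Token("CONTOSO\\svc-app", GROUPS, "NTLM")
plain_user = Token("CONTOSO\\alice", frozenset({"CONTOSO\\Domain Users"}), "Kerberos")

if __name__ == "__main__":
    for t in (svc_kerberos, svc_ntlm, plain_user):
        print(t.user, t.auth_package, access_check(t, FILE_DACL, READ))
```

Both service tokens get the same result because `access_check` never reads `auth_package`; removing the account from the group, or the group's ACE from the DACL, is what changes the outcome.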

0 Answers