User Impersonation Protection

Enabling the SURROGATE class in CA ControlMinder enables user impersonation protection. User impersonation protection lets you specify that a user or group can change their SID (security identifier) to another SID only if a specific rule permits the change. This prevents a user from impersonating another user unless they are authorized to do so.

Note: A security identifier is a numeric value that identifies a user or group to the operating system.

For example, you define a CA ControlMinder rule that prevents any user from impersonating Administrator. User Tom tries to run a program that performs some tasks as Administrator. CA ControlMinder does not permit the program to execute because Tom does not have permission to impersonate Administrator.

You can run user impersonation protection in two modes: