Endpoint Administration Guide for Windows › Protecting Accounts › User Impersonation Protection › Kernel Mode Interception

Kernel Mode Interception

If you enable kernel mode interception, CA ControlMinder intercepts every impersonation request from all Windows processes. Kernel mode interception is not available on all supported Windows versions.

Note: For more information about the Windows versions for which kernel mode interception is not available, see the Release Notes.

An advantage of kernel mode interception is that it lets you protect every impersonation request that is made on a Windows computer.

The disadvantages of kernel mode interception include:

• If the NT AUTHORITY\SYSTEM user impersonates the requesting user and makes the impersonation request, CA ControlMinder does not identify the user who made the original impersonation request.

  For example, RunAs, ftp, and telnet requests are all made by the NT AUTHORITY\SYSTEM user. If Tom executes RunAs to impersonate Administrator, the NT AUTHORITY\SYSTEM user makes the impersonation request and CA ControlMinder identifies NT AUTHORITY\SYSTEM as the requesting user.

• CA ControlMinder intercepts every impersonation request that the OS makes as part of its normal operation, which may have a performance impact.

  Although CA ControlMinder caches impersonation requests, the authorization engine must still authorize many impersonation events.