User impersonation protection lets you set rules to permit or deny requests to impersonate specific users and groups.
To enable user impersonation protection:
1. Set the interception mode in the registry value HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\SeOSD\SurrogateInterceptionMode.
Note: User mode interception is enabled by default.
2. Activate the SURROGATE class:
setoptions class+(SURROGATE)
3. Define a rule for the SYSTEM user (this example permits it to impersonate Administrator):
auth SURROGATE USER.Administrator uid("NT AUTHORITY\SYSTEM") acc(R)
Windows identifies many utilities and services (for example, Run As) as user "NT AUTHORITY\SYSTEM" and not as the user running the utility. You must define a rule for the SYSTEM user to let users who run these utilities impersonate another user.
Example: Permit Any Impersonation Request
The following selang rule lets any user impersonate another user, unless a record in the database explicitly prevents the impersonation:
editres SURROGATE _default defaccess(READ)
Example: Prevent Impersonation of a Specific User
The following selang rule prevents any user from impersonating Administrator, unless a record in the database explicitly permits the impersonation:
newres SURROGATE USER.Administrator defaccess(NONE)
Example: Permit a Group to Impersonate a User
The following rule permits members of the Administrators group to impersonate Administrator:
authorize SURROGATE USER.Administrator gid("Administrators")
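The three examples above combine into one policy: the _default record permits impersonation of any user that has no record of its own, the USER.Administrator record denies it by default, and ACL entries on that record re-permit it for the SYSTEM user and the Administrators group. The following Python model, added here as an illustration and not code from CA Access Control or its documentation, loads those rules and evaluates impersonation requests against them so the interaction of defaccess and ACL entries can be checked. The evaluation order it uses (a user ACL entry, then a group ACL entry, then the record's defaccess, then _default) and the READ default for an omitted acc are assumptions of this model, as are the class, method and sample user names.

```python
"""Added example (not CA Access Control code): a small model of how the
SURROGATE rules on this page are evaluated.  Record and field names follow
the selang examples; the precedence order (user ACL entry, then group ACL
entry, then the record's defaccess, then _default) is an assumption made
for this model, as is the READ default when acc is omitted."""
from dataclasses import dataclass, field

READ, NONE = "READ", "NONE"


@dataclass
class SurrogateRecord:
    """One SURROGATE resource record such as USER.Administrator or _default."""
    name: str
    defaccess: str                                   # READ or NONE
    acl: list = field(default_factory=list)          # (kind, principal, access)


class SurrogateDb:
    """Minimal stand-in for the SURROGATE class of the access control database."""

    def __init__(self):
        self.records = {}

    def newres(self, name, defaccess):
        """selang newres: create a record; fails if it already exists."""
        if name in self.records:
            raise KeyError(f"record {name} already exists")
        self.records[name] = SurrogateRecord(name, defaccess)

    def editres(self, name, defaccess):
        """selang editres: create the record or update its defaccess."""
        rec = self.records.setdefault(name, SurrogateRecord(name, defaccess))
        rec.defaccess = defaccess

    def authorize(self, name, uid=None, gid=None, acc=READ):
        """selang authorize/auth: add an ACL entry to an existing record.
        An omitted acc defaults to READ (assumption, matching the page's examples)."""
        rec = self.records[name]                     # KeyError if the record is missing
        if uid is not None:
            rec.acl.append(("uid", uid, acc))
        if gid is not None:
            rec.acl.append(("gid", gid, acc))

    def check(self, caller, groups, target):
        """Return True if `caller` (a member of `groups`) may impersonate `target`.
        Remember that utilities such as Run As present the caller as
        'NT AUTHORITY\\SYSTEM' rather than as the interactive user."""
        rec = self.records.get(f"USER.{target}") or self.records.get("_default")
        if rec is None:
            return False                             # no rules at all: deny (assumption)
        for kind, principal, acc in rec.acl:         # user entries take precedence
            if kind == "uid" and principal == caller:
                return acc == READ
        for kind, principal, acc in rec.acl:         # then group entries
            if kind == "gid" and principal in groups:
                return acc == READ
        return rec.defaccess == READ                 # finally the record's default


def build_page_rules():
    """Load the rules shown on this page into a fresh database."""
    db = SurrogateDb()
    db.editres("_default", READ)                     # permit any impersonation request
    db.newres("USER.Administrator", NONE)            # ...except of Administrator
    db.authorize("USER.Administrator", uid="NT AUTHORITY\\SYSTEM", acc=READ)
    db.authorize("USER.Administrator", gid="Administrators")
    return db


if __name__ == "__main__":
    db = build_page_rules()
    # Constructed sample requests: alice is a hypothetical user, bob has no record.
    for caller, groups, target in [("alice", [], "bob"),
                                   ("alice", [], "Administrator"),
                                   ("alice", ["Administrators"], "Administrator"),
                                   ("NT AUTHORITY\\SYSTEM", [], "Administrator")]:
        verdict = "permitted" if db.check(caller, groups, target) else "denied"
        print(f"{caller} -> {target}: {verdict}")
```

Running the block shows that a user with no group membership can impersonate bob (covered only by _default) but not Administrator, while an Administrators member or the SYSTEM identity can. Adding a uid entry with acc NONE for a specific user on USER.Administrator overrides that user's group membership, which is the behaviour to expect when tightening a group-wide grant for one account.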
Copyright © 2013 CA Technologies.
All rights reserved.