9.7 Impersonation

  • Article

Authentication protocols specified in [MS-KILE] and [MS-APDS], transport authorization data based on security identifiers (SIDs) and populate the user SID and security group SIDs in the impersonation token. By default, all fields of the token are NULL and the token is not valid until populated by these protocols.

The authentication protocols query the local account database for the built-in and local group membership by passing the user SID and security group SIDs ([MS-DTYP] section 2.5.2.1.1), and then updating the impersonation token. Then, the authentication protocols populate the privileges of the impersonation token ([MS-DTYP] section 2.5.2.1.2).

If an authentication takes place across a network, the impersonation token is populated with the NETWORK group SID defined in [MS-DTYP] section 2.4.2.4.

SMB Impersonation

The CIFS/SMB/SMB2 protocols allow for the transport of an impersonation level, but although the requested impersonation level carried by the SMB protocols is checked by the server for validity, it is not acted on by any component of the SMB processing path. Therefore for the SMB family, impersonation can be described as having no meaning.

An added confusion arises because the basic principle of an SMB server operation is sometimes referred to as impersonating clients. The reason for this is that for each create or open operation, the SMB server passes the session's authenticated security context to the object store to authorize access to the file for the specified desired access. Because the SMB server is a privileged entity, it is said to be impersonating the remote client. However, the remote client does not direct this process and cannot request any other impersonation service. Subsequent operations involving the previously issued handle do not require further authorization, as the checks were performed at the time of initial access.

A few other SMB operations perform authorization decisions based on the authenticated security context, such as TreeConnect, Access-Based Directory Enumeration (ABDE) in SMB2 and quota info. However, none of these operations provide an impersonation level.