Mounting CIFS share using C++ - windows

Is there a Windows C++ API to execute a command as a different user ? I am trying to mount a CIFS share from a service which is running as sys admin and I am currently logged in as a Kiosk user so when I try to mount the share using "net use .." I get access denied.

With CreateProcessWithLogin, you can execute a command with an arbitrary user provided you have valid credentials. Alternatively, can can use a combination of LogonUser and CreateProcessAsUser / CreateProcessWithToken.
Rather than requiring credentials including a password stored as plaintext (not recommended from a security POV), you could also grant required permissions to the kiosk user so that the current user context is sufficient for accessing the data and/or mapping the network drive.
If that is not an option, your application could have a manually configured persistent network drive as a prerequisite. The credentials would then be managed by Windows.

Related

Unable to access UNC path via windows service even when using same user for service

I have a windows vm and have created an Admin user, let's say - AdminUser. I have mounted an azure file share to that user to Z: drive. The share can be accessed by unc path or the drive path. I also have a c# utility that checks if path exists and it returns true when I run it. This is all good. Now when I created a windows service with that utility and with same user credential, it throws an error that the path doesn't exist.
Things to note -
The service user or the user I used to login is a local adminstrator user and while creating the service, I had provided as "./AdminUser" to CreateService. Also provided password to config.
The VM is also connected to a domain. So I have users from default-domain\* and connected-domain\*. The connected-domain linked to an azure active directory.
Is there any other type of user I need to set as log on to service?
I can see here it says the local user can't access network resources but I am wondering since I mounted the path with proper credentials, does this matter?
Update:
Got the same issue when using running as with the exe.
runas /user:USER­NAME “C:\full\path\of\Program.exe”
We have to use cmdkey to store the credentials that can be used by SMB later. Launch a cmd.exe with the user that you want to use for the service using either context menu or command e.g.
runas /user:default-domain\domainServiceUser cmd
Then in the new command shell use cmdkey
cmdkey /add:<storagteAccountName>.file.core.windows.net\<shareName> /user:AZURE\<storageAccountName> /pass:<storageAccountKey>
Rerun the service and it should work.
If you want to also mount this as a persistent drive, you can use
Command Prompt
net use z: \\<storagteAccountName>.file.core.windows.net\<shareName> /persistent:yes
Powershell
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\<storagteAccountName>.file.core.windows.net\<shareName>" -Persist
Make sure that the user is exactly the same that would be used for the windows service including the domain i.e. use default-domain\domainServiceUser or ./AdminUser for running the cmdkey.
Though the user account is same, when the windows service runs as a 'user' the logon session that it gets is different than the interactive user session (which has the Z drive). Unless you programmatically load the Azure fileshare as a network drive in your code that is part of the Windows service, you won't be able to access it.

Get-Content requires admin rights when run remotely

I wish to open and process a text file on a remote Windows server using PowerShell.
We have something (roughly) like the following:
$path = "\\server1\c$\Users\gavin\Desktop\mylogfile.log"
Get-Content $path
Apparently, I can only get this to work when I have Admin rights to server1.
For security reasons, I cannot have unlimited access to all the servers I wish to access.
Is there a way of getting around this, given that I can only have less than full Admin rights?
I am thinking in terms of getting IT to alter my group privileges etc. on the remote machine(s).
\\server1\C$ is a so-called administrative share. They're hidden shares for administrator access to remote computers' filesystems. Accessing these requires admin privileges for security reasons.
Ask an administrator to create a dedicated share that allows you access, or (better yet) have the servers create the logs in a central location to which you have access.

Device Driver access permissions for domain users in Windows 7

I'm writing a Windows device driver for a custom USB device, but am having trouble opening the device from my user program (using CreateFile) when the user program is run as a domain user. If I run as a local user, or as an administrator (or 'Run As' administrator) I can open the driver fine, but as a domain user GetLastError returns 5 (access denied).
I originally had this problem with local users too, and found I had to add the following SDDL entry to the .inf file, which solved the problem for local users:
HKR,,Security,,"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;BU)
From this reference:
http://msdn.microsoft.com/en-us/library/windows/hardware/ff563667(v=vs.85).aspx
When I discovered that domain users did not have access I thought that simply adding them to this SDDL entry would give them access, but it doesn't seem to work: I still get access denied. I've even tried extreme solutions such as giving all users (everyone (WD), unauthenticated users etc.) full access, but this doesn't work either, which makes me think the problem lies elsewhere; i.e. something else is denying domain users access which takes precedent over the permit in the SDDL entry in the driver inf.
So my question is, what am I missing that is required to give domain users (or all users) access to connect to the driver? Or are there any other solutions to this problem (such as connecting to the driver as a service and then accessing this service from the user program)?
HKR,,Security,,"D:P(A;;GA;;;WD)"
set everyone can access, try it!

Connect share with credentials during setup with different profile

I am working on the examination system and need to implement the following scenario:
User ( standard windows user ) completes the exam and then it is saved on the network share.
For security reasons the share does not have permissions for this user account. So I use impersonation API ( LogonUserEx, ImpersonateLoggedOnUser, RevertToSelf).
It all worked fine when the user with which I do the impersonation had admin privileges on the
local computer but the requirements are that it will be standard user.
With standard user the share is not visible. When I log in interactively with this user the share is visible and writable. So I assume that the standard user can not mount share when not logged in interactively. Is this correct? Is there a workaround?
The only time my code runs with elevated privileges is during the setup of the software.
I thought about using WNetAddConnection2 API but I need the share to be mounted to
this "hidden" user profile and not the administrator one that runs the setup.

Deny application network access in windows shell

I'm going to write a script to disable/enable network access for applications in windows. My idea was to write a script that runs a windows shell command that do this.
The scripting is the easy path, but i don't know how to do the "denying" part. Any ideas?
This sounds like a task better suited to letting Windows user / group security handle.
For example, assuming you're on Active Directory and have administration privileges, you could create a user account with the very specific access your app needs, and configure your app to authenticate with the network using that user's credentials.
Then your app through AD would access the network within the constraints of that user account's privileges, and if necessary deny them access to specific network resources.

Resources