How to run WCF IPC (http) on localhost without requesting administrative privileges? - windows

We're developing a set of applications that need to communicate with each other on the user's session. These applications do not require any administrative privileges to run, but as soon as one of them tries to open an http listener - it fails due to lack of the administrative credentials. On the other hand, since user doesn't have any admin rights, he can't configure an HTTP ACL as well.
Is there any way to allow http/REST communication between the processes on a localhost inside the non-administrative user session?
Example of the apps: a tray app plays a role of a service and multiple sticky-note apps talking to it to save data.
Does it means that Microsoft forces me to use ONLY Named Pipes for IPC in the local user session if the user doesn't have admin rights (can't install with the admin rights)?

I have not personally done this, but I would think that you'd need to do the HTTP namespace/ACL registration in an installer which is running with administrative priviledges.

Use the dos command:
netsh http add urlacl url=http://+:8083/path1 user=USERNAME
NOTE: replace the port, the path and the USERNAME with your own

Related

WNetGetConnection and run as admin

I need to call WNetGetConnection to get the UNC path and it works good when application run as standard user but it returns 1201(ERROR_CONNECTION_UNAVAIL) error code when application run as admin. According to the documentation its working as expected.
If the network connection was made using the Microsoft LAN Manager
network, and the calling application is running in a different logon
session than the application that made the connection, a call to the
WNetGetConnection function for the associated local device will fail.
The function fails with ERROR_NOT_CONNECTED or
ERROR_CONNECTION_UNAVAIL. This is because a connection made using
Microsoft LAN Manager is visible only to applications running in the
same logon session as the application that made the connection. (To
prevent the call to WNetGetConnection from failing it is not
sufficient for the application to be running in the user account that
created the connection.)
that means its not possible at all to get the UNC path from the app running as admin ? Is there some other way ?
This is by design. Network shares created by a non-elevated account are not visible under elevation, and vice versa.
See this question on Super User for discussion of the issue. There is apparently a registry setting that enables mapped drives to be shared between elevated and non-elevated accounts but I've never tried it myself.
Network connections cannot normally be shared across different Windows login sessions. This is regardless of admin account / elevation level. Each Windows login or impersonation session needs to create its own network connections.

Detecting registered & running service without administrator rights

I have a desktop application should behave differently depending on if an optional service is running. I was using the service control manager to check if the service was registered, and if so, whether or not it was running. This worked well until I realized that this seems to require the desktop application to run as administrator.
What would be the best way of checking these conditions (registered and running) in my desktop application, without requiring administrative rights?
You do not need admin rights to query the SCM for service information.
Call OpenSCManager() requesting SC_MANAGER_CONNECT access, then call OpenService() requesting SERVICE_QUERY_STATUS access. That will tell you if the service is installed or not. If so, then call QueryServiceStatus() to find out if it is running or not.
As I'm more familiar with the C# side, I'm not sure if there's a formal API for doing this in C++ that doesn't require some form of elevated privileges. That said, a couple of alternatives come to mind.
You could have your service open a server socket and listen on the localhost address (127.0.0.1) on a specific port. When your application starts running, it would connect to this address. If the connection succeeded, your service is running.
Another option would be to have your service create a named, system-level mutex when it starts running and close it when the service closes. Your application could check to see if the mutex exists. If it does, your service is running.
HTH

How does Bitvise SSH Server authenticate user without a password?

Since version 5.50 the Bitvise SSH Server allows connected client to authenticate to Windows user account without providing this user's Windows password. See here: https://www.bitvise.com/ssh-server-version-history
I've checked it myself - it does indeed.
My question is of pure curiosity: what kind of sorcery is this? Is there any WinAPI that allows such thing or is this some kind of clever hack? I always thought it is impossible to impersonate as other user without a password (as even when configuring Windows service or scheduled task to "run as user" it is neccessary to provide one).
IIRC, the SSH server in Cygwin does the same thing.
If you have the appropriate privileges you can create an access token with ZwCreateToken, no password required. Such a token has some limitations. For example, you can't access network resources without a password and some encrypted material isn't accessible.
There's an explanation and some sample code here.
Since version 5.50, Bitvise SSH Server comes with a Windows authentication package. An authentication package can enhance the Windows logon process in custom ways. When the SSH server needs to log you in, but does not have a password (e.g. because you logged in with a public key), it calls the authentication package to construct a logon token which closely resembles the logon token that would have been created by Windows. As arx has noted, a session created this way does not contain your authentication credentials, so side effects are that you can't access things like network resources and EFS.

Network access to windows service

I have problem with creating service that has access to files on network disk.
Service must have admin rights and it will be run by users that don't have admin privileges.
I send path as UNC
and file is seen by service but it return ACCES_DENIED errors when try to open or do anything on Network drive.
When I run my service as server , everything works fine.
I try to find answer but everywhere I can found only partial answers that do not help me at all.
========
I read that standard service logged as SYSTEM can't have access to network.
So i tried to log id as
NetworkService, LocalService
It didn't work. After run it as one of those user my service can't save files on c:
Some kind of admin account.But I didn't manage to success on that.
Actually logged user.
I don't know how to get password for current user.
Still this will not work for user without admin rights.
========
Please tell me what can I do?
There are plenty of Services that use somehow network resources. How do they do that?
You need to configure your service to run as a user which has sufficient rights. In this case you are looking for rights to network shares. Typically that's going to need a domain user with appropriate rights. Normally you'd ask your network manager to create a dedicated user account for the purpose.
You appear to be labouring under some false information as to how services work. You talk about running the service under the account of the logged on user. Remember that services run when there are no users logged on. And remember that there may be multiple logged users at any point in time.
For me, the port was getting blocked through firewall, I had to add a inbound rule and specify the port which i was using in my application. This way firewall did not blocked my port for outgoing connections.
References:
https://www.firehousesoftware.com/webhelp/FH/Content/FHEnterprise/FHEnterpriseInstallationGuide/24_StaticPort.htm

Deny application network access in windows shell

I'm going to write a script to disable/enable network access for applications in windows. My idea was to write a script that runs a windows shell command that do this.
The scripting is the easy path, but i don't know how to do the "denying" part. Any ideas?
This sounds like a task better suited to letting Windows user / group security handle.
For example, assuming you're on Active Directory and have administration privileges, you could create a user account with the very specific access your app needs, and configure your app to authenticate with the network using that user's credentials.
Then your app through AD would access the network within the constraints of that user account's privileges, and if necessary deny them access to specific network resources.

Resources