Impersonate a client after authentication

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Description

Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels.

Caution

  • Assigning this user right can be a security risk. Only assign this user right to trusted users.

Default:

  • Administrators

  • Service

Note

  • By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started.

    In addition, a user can impersonate an access token if any of the following conditions exists.

    • The access token that is being impersonated is for this user.

    • The user, in this logon session, created the access token by logging on to the network with explicit credentials.

    • The requested level is less than Impersonate, such as Anonymous or Identify.

    Because of these factors, users do not usually need this user right.

    For more information, search for "SeImpersonatePrivilege" in the Microsoft Platform SDK.

Configuring this security setting

You can configure this security setting by opening the appropriate policy and expanding the console tree as follows: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\

For specific instructions about how to configure security policy settings, see Edit security settings on a Group Policy object.
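
To review which accounts currently hold this right, the user rights can be exported with `secedit /export /areas USER_RIGHTS /cfg <file>` and the SeImpersonatePrivilege line compared against the defaults listed above. The Python below is an added example, not part of the original page; the sample export text is constructed, the function names are hypothetical, and the SIDs used for Administrators and Service are the well-known values S-1-5-32-544 and S-1-5-6.

```python
"""Audit SeImpersonatePrivilege holders in a secedit USER_RIGHTS export."""

# Well-known SIDs for the defaults this page lists (Administrators, Service).
DEFAULT_HOLDERS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-6": "Service",
}

# Constructed sample of a `secedit /export /areas USER_RIGHTS /cfg out.inf` file.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-21-1111111111-2222222222-3333333333-1105,webapp_svc
[Version]
signature="$CHICAGO$"
Revision=1
"""

def privilege_holders(inf_text, right="SeImpersonatePrivilege"):
    """Return the principals assigned `right` in the [Privilege Rights] section."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().lower() == right.lower():
            # SIDs are written with a leading '*'; plain account names have none.
            return [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return []  # the right is not assigned to anyone in this export

def non_default_holders(inf_text):
    """Principals holding the right beyond the documented default SIDs.

    Entries exported as account names are always returned for manual review.
    """
    return [p for p in privilege_holders(inf_text) if p.upper() not in DEFAULT_HOLDERS]

if __name__ == "__main__":
    for principal in non_default_holders(SAMPLE_INF):
        print("review:", principal)
```

On a real system the export file is typically UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text in.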

For more information, see: