Friday, 27 February 2015

Windows Impersonation and the Double Hop Issue

I've been aware of the Windows Double Hop Issue since a long while ago. I used to think of it as a limitation, but reading lately about it I've found out that it's indeed a security feature, but when trying to understand how it's implemented I've gone through some confusion that I think I've finally defeated.

The idea is that the double hop issue is related to impersonation. Usually, when a Thread in a Server Process is impersonating the user in the client machine, for security reasons, the impersonated thread won't be allowed to access remote resources. This is built upon something that I'd never heard about, the Impersonation Level of the Impersonation Token. Most times the kind of Impersonation Token being used has an Impersonation Impersonation Level, rather than a Delegation one. These types of Impersonation Levels are explained here

  • Delegation: The server process can impersonate the client's security context on remote systems.
  • Impersonation: The server process can impersonate the client's security context on its local system. The server cannot impersonate the client on remote systems.

This looks good when applied to the typical example of a user connection to an Asp.Net application using impersonation and then failing in the second hop when that page tries to connect to a Shared Folder or SqlServer with Windows Authentication.
But my problem with this comes from something that I've done on several times and works like a charm. Let's say I have a Windows Application running on my PC and need to connect to a remote SqlServer DataBase using Windows Authentication. The Windows user running the application has no permissions on that DataBase, so I will impersonate the current thread to an account with access to the DB and open the SqlConnection from this impersonated thread. It works fine, and I do it using the typical code that you can find for example in this example.

Based on the previous explanation on Delegation/Impersonation, the explanation for this to work would be that that this call: WindowsIdentity.Impersonate would be returning an Impersonation token with ImpersonationLevel set to Delegation rather than to Impersonation, but I've checked it (this value: WindowsIdentity.GetCurrent().ImpersonationLevel.ToString()), and the Impersonation Level is Impersonation.

So, how is it that is it that I'm being allowed to access to a remote resource like a remote SqlServer DB or a Shared Folder? This seems to contradict the definition given above. Well, the thing is that such definition was misleading to say the least. You'll find a much better explanation here

.
  • Impersonate: The service can impersonate the client. If the service is on the same computer as the client process, it can access network resources as the client. If the service is on a remote computer, it can impersonate the client only when accessing resources on the service’s computer.
  • Delegate: The service can impersonate the client not only when it accesses resources on the service’s computer but also when it accesses resources on other computers. This level is supported only in Windows 2000 and later versions of the Windows operating system.

Well, putting aside that client/service nomenclature that I think helps quite little here, this makes more sense, but there's still something more to explain. In the end we'll have a thread running with an impersonation token trying to access resources, so how does that "If the service is on the same computer as the client process" really apply to the information contained in that token?

Well, in the same article we'll find a table with the Physical Structure of an Access Token. We can see there that there is a field called Origin.

Origin: Introduced with Windows Server 2003. If the token resulted from a logon using explicit credentials, then the token will contain the ID of the logon session that created it. If the token resulted from network authentication, then this value will be zero.

So in the end my understanding is that the access to a resource from an impersonated thread is granted depending on the Impersonation Level and the Origin.

Sunday, 15 February 2015

Chapelle des Carmelites

It's really great when you think you know one place up and down and suddenly you come across a nice spot you had not even heard about.

It happened to me a couple of weeks ago here in Toulouse when in one of my long weekend strolls (quite unrelated to me, but did you know that some of the greatest thinkers in history absolutely loved to indulge themselves in very long walks?) I stumpled upon the Carmelites Chapel. It's in one street (rue de Périgord) connecting other 2 (Taur and Réemusat) that I've walked over in countless occasions, but I had never taken this connecting route.

Though the outside is simple and not particularly appealing, I've learnt that as with people it's sometimes good to take the time to look in the inside, and this time it was well worth. I found there an impressively decorated space. Beautiful paintings on the walls, with those in the space between windows depicting the virtues for a female (in the Christian tradition) and above you, some of the most beautiful painted ceilings that I've ever seen. I think the place is quite underrated, as apart from the French Wikipedia article, you'll find very little information about it (for example it does not show up in the main free tourist guides handed out by the Toulouse city council). Inside the building though, you'll find a rather useful paper sheet with information about the place.



In this same street you'll find a nice public library, Bibliothèque d’étude et du patrimoine that is well worth a visit. I quite like the female sculptures outside representing literature, and the main door, and inside you'll find a nice stained glass piece, a beautiful dome and a "place of knowledge" feeling.

Last week I bought this nice book with panoramique pictures of Toulouse, you can find them here.

Sunday, 8 February 2015

Guts Pie Earshot

Guts Pie Earshot has been around for more than 20 years now, and I'm pretty sure that some of my friends have been listening to them since their beginnings, but at that time I was only into fast, screaming and aggressive music, and I never paid them any attention. Last May I was lucky to see them live with one of their other projects, Outsourced Underground, where the excellent German rapper Lena Stoehrfaktor(along with Tapete) sing over their melodies. It's a beautiful and necessary project of Political Rap/Something (they define it as RapCore), and their demo is one of the sounds that has been more present in my players for the last months. However, 2014 was a really busy year for me (so much work combined with trying to leverage the many possibilities that living in a city like Toulouse gives you on a personal level), so never found the time to dig into Guts Pie Earshot.

This week I've finally done it and well, their sound is fascinating, mesmerizing and unique. Their music has evolved from album to album and changes from song to song, but some of them are so melancholic, powerful and beautiful that is difficult to find words to make them justice. Basically we could say that right now these are 2 punks playing celo and drums, but there's so much more to such poor description... Different distortions are applied to the cello, drums move from conventional to electronic ones, and in the past they had additional members playing bass, keyboards/samples and singing (with such a beautiful voice). Don't worry, the lack of those members has not done the ensuing releases less powerful or authentic, they keep the same masterful signature that blends sadness and joy, light and darkness, beauty and beauty.

When the band turned 20 they decided to make available all their releases for download. You can also find 2 of them in bandcamp (which I pretty like it, I feel like paying for their work, more than a payment is like a "many thanks and now let me pay you a coffee or a beer for these moments").

Apart from Outsourced Underground, they've got some some other interesting projects like Dubvasion or Scheng, and no doubt this song by Scheng honoring one deceased Kurdish YPG Freedom Fighter really shocked me.

I'll end up this post with a list of some of my favorite songs:

and I'll copy here the emotive text that they wrote on the occasion of their 20 years:


since 2013 we exist now for 20 years…

What does it mean to us?


1000 concerts...
10 releases….

it is a long long time with many
ups and downs,
we made so many experiences,
we met so many people
we saw so many countries

we met so many
idealistic people becoming boring,
boring people becoming idealistic

we saw so many cool projects built,
we saw so many projects destroyed.

we are really really grateful
to all of you
who keep us alive …