> Anything that uses Windows Authentication requires additional privileges to impersonate users. Like IIS: it may change its credentials to some other user, but the initial parsing of the request line is done under a highly privileged account.
Yes, that's absolutely correct of course. In a typical web application environment, only IIS needs to perform impersonation, though. Windows Server 2003 has made some good progress in divorcing the privilege to impersonate users from other privileges, so you can run IIS 6 with a less-privileged user account/security context such as the Network Service or Local Service security contexts.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

