Programmatically discovering the "Guest only" sharing/security model

Posted on 2024-08-19 02:37:03

On modern Windows, the default configuration is done in such a way that if I network-login as a local user, I actually only get authenticated as a guest (more details about this behavior are explained in http://technet.microsoft.com/en-us/library/cc786449(WS.10).aspx).

When my program tries to access WMI on this kind of server via DCOM, I simply get an "Access Denied" error, presumably because a guest user isn't allowed to connect to WMI.

I'd like to differentiate this error from other kinds of access denied errors, such as a wrong password or non-existent user name, so that I can explain to the user what they need to fix the problem.

So my question is, what can I do to detect such a server? I'm thinking that if there's some COM component that can be activated by a guest, that would do --- I can try to activate such a component, and if that works, I know that my login credential was correct. But I can't think of any such concrete component.

Does anyone know such a component? Or any other ways of diagnosing this situation?

Comments (1)

梦在夏天 2024-08-26 02:37:03

No, I cannot recall that there is a DCOM server that can be accessed by a guest. Wouldn't that be unsafe?
If you have time you can check all security settings of DCOM servers using dcomcnfg. Maybe there is a guest. But I don't think so.

On the other hand, you cannot see the reason behind AccessDenied on the client side, because that would make the server more vulnerable. If an attacker could distinguish between different kinds of access denied errors, he probably would be able to adapt his actions accordingly.
But if you have access to the server you can activate DCOM logging (see http://support.microsoft.com/?scid=kb%3Ben-us%3B892500&x=18&y=11)

As a solution, I suggest that you write such and similar problems and how they happen into a FAQ/Readme/Webpage. People tend to rather search the web than read a message box.
