[reprinted from Keith on pluralsight.com]

A null session is how Windows represents an anonymous user. To understand how it is used, imagine the sort of code you have to write in a server to deal with authenticated clients. After authenticating a client using Kerberos, say, your server receives a token for that client that contains group SIDs, and you can use that token to perform access checks against ACL’d resources. For instance, given the client’s token it’s quite easy to check whether that client should be granted write access to a file. We can simply impersonate the client and try to open the file for writing. The operating system will compare the DACL on the file with the client’s token (that we’re impersonating) to make this determination. The administrator can control access to files by editing their ACLs. But what if you also service anonymous requests—that is, those for which you won’t get any token for the client at all? It’s impossible to impersonate a client for whom you don’t have a token.

[Read more →]

So far, my trip has been solid and injury-free. By that, I mean my flight from Moline to Las Vegas went off without a hitch, other than the Ginger Ale a stewardess spilled on me… and, it seems that my trip back will also leave on time. I am sitting in the Las Vegas airport, [...]

[Read more →]