问题
My application uses a Named Pipe to do IPC. What access control should I place on it, to provide broad local only access?
The pipe is created by the .net 2.0 remoting protocol, and it already has an ACL for the 'NETWORK' group to deny all access, so I think only local users can access it. In my remoting configuration file I need to pick an 'authorizedGroup' who can access this pipe.
I would like any process running on the local machine to access my named pipe.
I would appear to need to select between access for the 'Everyone' Group or the 'Authenticated Users' group. Given the local-only access, what processes might be running under the 'Everyone' group that are not in the 'Authenticated Users' group?
I'm interested in answers for Windows XP and above.
回答1:
"Everyone" is a collective group for "Authenticated Users" and "Guest". Note that for Win 2000 and earlier, it included "Anonymous" too where no checks are made
"Authenticated Users" is user who has logged into AD and has a login token.
My text is paraphrasing of Windows Server 2003 "Security identifiers".
Edit, "Network" from the link:
Includes all users who are logged on through a network connection. Access tokens for interactive users do not contain the Network SID.
To be honest, I've never thought about this one much... sorry.
来源:https://stackoverflow.com/questions/1040353/on-windows-who-is-in-the-everyone-and-authenticated-users-groups