Impersonate (surrogate) for windows protection is not working as expected

Article ID: 281532

Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

According to the documentation ( https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager-server-control/14-1/administrating/endpoint-administration-for-windows/user-impersonation-protection.html ), there is a user mode and a kernel mode.

- SurrogateInterceptionMode regkey is set to 1

- <selang> setoptions list confirms that SURROGATE         : Yes

- PAMSC> sr surrogate user.pamtest
(localhost)
Data for SURROGATE 'USER.pamtest'
 -----------------------------------------------------------
Defaccess         : None
Audit mode        : Failure
Owner             : nobody         (USER)
Create time       : 12-Mar-2024 18:48
Update time       : 12-Mar-2024 18:48
Updated by        :<server>\adminpam (USER)

This should impersonate the user to the one defined.

Environment

PAMSC (v14.10.50.37) installed on a Windows 2022 server. 

This happens in all seos versions: cp3, cp4, cp5.

Cause

Trying to impersonate as user pamtest should be blocked by the PAM agent as per the defined rules. Tried the tests below, and the command was executed as the pamtest user in both cases:

- Start -> Run and type cmd.exe, then right-click and run as user. Entered pamtest and the password. cmd.exe opened as pamtest, confirmed with whoami.

- From cmd.exe, executed runas /user:pamtest cmd.exe. The cmd was executed and whoami shows user pamtest.

Both tests were run with the Windows session opened as the adminpam user, so it is not working.

Resolution

Impersonate is not supported in Windows. This is because instrumentation is no longer supported since Windows 2012.