fix: change windows logon type from NETWORK to INTERACTIVE (#234)

Problem: Some applications have security controls that restrict what a network logon user can do, but do not have such restrictions for interactive logons. Solution: Change the win32 logon kind from NETWORK to INTERACTIVE. NETWORK was oridinally chosen as it was believed that it was required for the logon to have access to network shares, but INTERACTIVE grants the same access so this should be a safe change. Signed-off-by: Daniel Neilson <53624638+ddneilson@users.noreply.github.com>
aws-deadline · Mar 21, 2024 · 82a5c11 · 82a5c11
1 parent 7ce01a8
commit 82a5c11
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 4 deletions.
diff --git a/src/deadline_worker_agent/installer/win_installer.py b/src/deadline_worker_agent/installer/win_installer.py
@@ -200,7 +200,7 @@ def ensure_user_profile_exists(username: str, password: str):
         # https://timgolden.me.uk/pywin32-docs/win32security__LogonUser_meth.html
         logon_token = win32security.LogonUser(
             Username=username,
-            LogonType=win32security.LOGON32_LOGON_NETWORK_CLEARTEXT,
+            LogonType=win32security.LOGON32_LOGON_INTERACTIVE,
             LogonProvider=win32security.LOGON32_PROVIDER_DEFAULT,
             Password=password,
             Domain=None,

diff --git a/src/deadline_worker_agent/windows/win_credentials_resolver.py b/src/deadline_worker_agent/windows/win_credentials_resolver.py
@@ -21,7 +21,7 @@
 from pywintypes import HANDLE as PyHANDLE
 from win32security import (
     LogonUser,
-    LOGON32_LOGON_NETWORK_CLEARTEXT,
+    LOGON32_LOGON_INTERACTIVE,
     LOGON32_PROVIDER_DEFAULT,
 )
 from win32profile import LoadUserProfile, PI_NOUI, UnloadUserProfile
@@ -214,7 +214,7 @@ def get_windows_session_user(self, user: str, passwordArn: str) -> WindowsSessio
                             # https://timgolden.me.uk/pywin32-docs/win32profile__LoadUserProfile_meth.html
                             logon_token = LogonUser(
                                 Username=user,
-                                LogonType=LOGON32_LOGON_NETWORK_CLEARTEXT,
+                                LogonType=LOGON32_LOGON_INTERACTIVE,
                                 LogonProvider=LOGON32_PROVIDER_DEFAULT,
                                 Password=password,
                                 Domain=None,

diff --git a/test/unit/install/test_windows_installer.py b/test/unit/install/test_windows_installer.py
@@ -238,7 +238,7 @@ def test_loads_user_profile(
         # THEN
         mock_LogonUser.assert_called_once_with(
             Username=username,
-            LogonType=win32security.LOGON32_LOGON_NETWORK_CLEARTEXT,
+            LogonType=win32security.LOGON32_LOGON_INTERACTIVE,
             LogonProvider=win32security.LOGON32_PROVIDER_DEFAULT,
             Password=password,
             Domain=None,