My understanding of token kidnapping has changed since the release of MS09-012. I now understand that incognito really just implements token /impersonation/, not token /kidnapping/. As you mentioned, SYSTEM -> arbitrary_user token impersonation is expected behavior.

I’m not clear on whether the user account option ‘account is sensitive and cannot be delegated’ in Active Directory is of any use in protecting against SYSTEM -> domain user impersonation, or, similarly if the computer account option ‘Trust computer for delegation’ is part of the issue.

The wording here: http://technet.microsoft.com/en-us/library/cc961980.aspx — says this:

When you trust a computer for delegation, you enable delegation for all services that run under the Local System account on the computer. If an unwary administrator installs an untrusted service on the computer and configures it to run as Local System, it too can access network resources while impersonating other users. A better practice is to configure services that use delegation to run under their own domain user accounts managed by domain administrators.

Ideas? I think I just need dig a little deeper into the windows security model and understand impersonation better.

incognito takes you from SYSTEM to another token.

but that’s just from reading the unclear advisories.