There is a Windows Service being created to ensure GPII is started at login, and continues to run. For the purpose of GPII-2338, it needs to be running as LocalSystem (part of the OS, higher than Administrator) in order to start GPII as the user who is logging on.
It can also provide a way to perform certain tasks on behalf of the GPII process, such as storing secrets (GPII-2237) or functionality requiring a higher privilege than the current user.
To prevent privilege escalation, there needs to be a mechanism that ensures only the GPII process is making these requests.
The following factors make this tricky:
- The GPII process is running as the current user, so any rogue process running as that user will have the same privileges.
- The Windows Service runs outside the session/context of the logged-on user. This limits the available IPC methods.
- The actual process interacting with the service may be different from the one started by the service.
TL;DR: The final answer is in this comment