Get a glimpse inside Paul Cooke's e-book "The definitive guide to Windows 2000 security" with this series of book excerpts, courtesy of Realtimepublishers.com. This excerpt is from Chapter 5, "Configuring access control." Click for the book excerpt series or get the full e-book.
Restricted access tokens
Windows 2000 allows an application to create a child process that has a reduced level of access rights than the current thread has available to it. This functionality allows applications to create restricted security contexts for child processes and impersonation threads that are run in a sort of sandbox environment. It's not a sandbox environment like you find in Java, but it is to the extent that the rights for the running thread/process have been limited during their execution to a level that is less than those afforded to the user. This limited access is accomplished using a restricted access token. A restricted access token can be created in three ways: by removing privileges, by applying a deny-only attribute to the access token's SIDs, or by adding restricting SIDs to the access token.
Restricted access tokens aren't something that you get automatically; they have to be explicitly created for you by an application to reduce the risk that a new process or thread may do something bad. For example, Microsoft's Internet Explorer (IE) 5.5 and higher uses a restricted access token to launch a Web page that is part of your untrusted security zone. This setup allows code from an untrusted Web site to execute with less permission than is assigned to you and reduces the risk that the downloaded Web pages will be successful at doing something malicious to your system. For those of you who are Windows 2000 application developers, I implore you to use this feature whenever you can to limit the access you give each of your application threads.
Click for the next excerpt in this series: Tying it all together
Click for the book excerpt series or get the full e-book.
This was first published in November 2004