Access tokens

Get a glimpse inside Paul Cooke's e-book "The definitive guide to Windows 2000 security" with this series of book excerpts, courtesy of Realtimepublishers.com. This excerpt is from Chapter 5, "Configuring access control." Click for the book excerpt series or get the full e-book.

Download this free guide

Download: Buyer's Guide to Windows Server 2016 in 2017

You may be due for an upgrade! Check out our full Windows Server 2016 Buyer's Guide to see if a switch to the new server would be the best move for your organization.

Start Download

• Corporate E-mail Address:

  You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please login.

  You have exceeded the maximum character limit.

  Please provide a Corporate E-mail Address.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Access tokens

The final piece in Windows 2000's access control puzzle is the access token. As I explained earlier, each thread that is launched on your behalf during your logon session receives a copy of your logon session access token. As a result, Windows 2000 can always look at the access token of a thread and know which security principal it's running on behalf of. A Windows 2000 access token consists of the following information:

• User SID -- The SID for the user that is assigned this access token.
• Group SIDs -- The list of SIDs for every security group that contains the user; includes the list of SIDs from the user's SID-History attribute, if present.
• Privileges -- The list of privileges that the user has been granted on the local computer.
• Owner SID -- The SID for the user who becomes the default owner of an object that is either newly created or has been taken ownership of (typically the same as the User SID value).
• Primary Group -- The SID for the user's primary group (remember, it's only used for the POSIX subsystem).
• DACL -- A default set of permissions that Windows 2000 applies to objects that are created by the user if no other access control information is available.
• Source -- The authenticating entity that caused the access token to be created.
• Type -- A flag that indicates whether this access token is a primary access token or an impersonation access token.
• Impersonation Level -- The extent to which a service can assume the security context of a client that is represented by this access token.
• Statistics -- Some statistical information about this access token.
• Restricting SIDs A list of SIDs added to the token to create a restricted token.
• Session ID -- An indication of whether the access token is associated with a Terminal Services user session.

Most of these values make sense, at least until you get to the Type field. The Type, Impersonation Level, and Restricting SIDs fields are all involved in creating impersonation access tokens and restricted access tokens. These are the topics of the next two sections.

Click for the next excerpt in this series: Impersonation

Click for the book excerpt series or get the full e-book.