Access tokens

• Published: 14 Nov 2004

Get a glimpse inside Paul Cooke's e-book "The definitive guide to Windows 2000 security" with this series of book excerpts, courtesy of Realtimepublishers.com. This excerpt is from Chapter 5, "Configuring access control." Click for the book excerpt series or get the full e-book.

Access tokens

The final piece in Windows 2000's access control puzzle is the access token. As I explained earlier, each thread that is launched on your behalf during your logon session receives a copy of your logon session access token. As a result, Windows 2000 can always look at the access token of a thread and know which security principal it's running on behalf of. A Windows 2000 access token consists of the following information:

• User SID -- The SID for the user that is assigned this access token.
• Group SIDs -- The list of SIDs for every security group that contains the user; includes the list of SIDs from the user's SID-History attribute, if present.
• Privileges -- The list of privileges that the user has been granted on the local computer.
• Owner SID -- The SID for the user who becomes the default owner of an object that is either newly created or has been taken ownership of (typically the same as the User SID value).
• Primary Group -- The SID for the user's primary group (remember, it's only used for the POSIX subsystem).
• DACL -- A default set of permissions that Windows 2000 applies to objects that are created by the user if no other access control information is available.
• Source -- The authenticating entity that caused the access token to be created.
• Type -- A flag that indicates whether this access token is a primary access token or an impersonation access token.
• Impersonation Level -- The extent to which a service can assume the security context of a client that is represented by this access token.
• Statistics -- Some statistical information about this access token.
• Restricting SIDs A list of SIDs added to the token to create a restricted token.
• Session ID -- An indication of whether the access token is associated with a Terminal Services user session.

Most of these values make sense, at least until you get to the Type field. The Type, Impersonation Level, and Restricting SIDs fields are all involved in creating impersonation access tokens and restricted access tokens. These are the topics of the next two sections.

Click for the next excerpt in this series: Impersonation

Click for the book excerpt series or get the full e-book.