Win32 Authorization System
An access token is a kernel object that describes the security context of a process or a thread. It stores the identity and privileges of the user account on whose behalf the process runs:
The user's SID (security identifier)
The SIDs of the groups that the user belonged to when the user was authenticated
A logon SID which identifies the current logon session
The user's and groups' privileges
An owner SID
The SID for the primary group
The default discretionary access control list (DACL) that is used when the user creates a securable object (without an explicit security descriptor)
The source of the access token
A flag that indicates if the token is a primary or an impersonation token
A list of restricting SIDs (optional)
The impersonation level (for impersonation tokens)
Other statistics
The token-related structures (TOKEN_USER, TOKEN_GROUPS, TOKEN_PRIVILEGES, TOKEN_STATISTICS and the SID structure itself) are defined in winnt.h.
The Local Security Authority (LSA) database is the part of the user account database that stores account privilege information (account rights) and the local and domain security policy. When a user logs on (interactively or over the network), the Local Security Authority Subsystem Service (lsass.exe) creates a logon session and an access token for that logon.
A session is a container for a user's processes and threads. At system startup a special session, session 0, is created; SYSTEM processes and services run there and, since Windows Vista, no interactive user shares it. Every session has its own instance of the Win32 subsystem (a csrss.exe process, with win32k mapped in that session's address space). The first user who logs on interactively is assigned session 1, the next session 2, and so on.
SIDs
SIDs uniquely identify every security principal (users, groups, computers, logon sessions, etc.). A SID string always starts with S-1- (S for SID, 1 for the revision of the SID structure); the next number is the identifier authority:
0  SECURITY_NULL_SID_AUTHORITY: the Null SID authority; it manages a single SID, S-1-0-0 (Nobody).
1  SECURITY_WORLD_SID_AUTHORITY: the Everyone group; also a single SID, S-1-1-0.
2  SECURITY_LOCAL_SID_AUTHORITY: S-1-2-0 (LOCAL, users who log on at a terminal physically connected to the system) and S-1-2-1 (CONSOLE LOGON).
3  SECURITY_CREATOR_SID_AUTHORITY: the placeholder SIDs S-1-3-0 (CREATOR OWNER), S-1-3-1 (CREATOR GROUP), S-1-3-2 (CREATOR OWNER SERVER), S-1-3-3 (CREATOR GROUP SERVER) and S-1-3-4 (OWNER RIGHTS); in an inheritable ACE they are replaced by the SID of the actual owner or group when the ACE is propagated to a new object.
4  SECURITY_NON_UNIQUE_AUTHORITY: not used.
5  SECURITY_NT_AUTHORITY: owns the accounts managed by the NT security subsystem, for example well-known accounts such as SYSTEM (S-1-5-18), logon session SIDs (S-1-5-5-X-Y), BUILTIN aliases (S-1-5-32-…) and the accounts of a domain or local machine (S-1-5-21-…).
9  SECURITY_RESOURCE_MANAGER_AUTHORITY: …
15 SECURITY_APP_PACKAGE_AUTHORITY: app container package SIDs (S-1-15-2-…) and capability SIDs (S-1-15-3-…, see Capability SIDs below).
16 SECURITY_MANDATORY_LABEL_AUTHORITY: integrity labels, S-1-16-4096 (Low), S-1-16-8192 (Medium), S-1-16-12288 (High) and S-1-16-16384 (System); see process integrity levels.
The numbers that follow, if present, are subauthority identifiers. The last subauthority identifier is the relative identifier (RID); the subauthority identifiers before it identify the domain (or the local machine) that issued the SID.
The RID distinguishes one account or group within a domain from another. Some well-known RIDs:
500 - Administrator, the built-in administrator account of the domain or machine (compare with the BUILTIN\Administrators group, S-1-5-32-544, whose RID 544 is a well-known alias rather than a domain account)
501 - Guest
512 - Domain Admins
513 - Domain Users, a global group that includes all user accounts in the domain
The RID range also determines which security boundaries the SID is allowed to cross. Before allocating new RIDs, decide which range they belong to, so that SID filtering across trusts treats them as intended.
The SIDs of accounts created on a domain or machine always have the form S-1-5-21-<domain subauthorities>-<RID> with a RID of 1000 or higher. Accounts that have logged on and received a local profile appear as subkeys named after their full SID under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList; this is a convenient way to map a SID to its profile path, but it lists only accounts with a profile on this machine, not every account.
Capability SIDs
A capability SID grants a packaged (app container) application access to a specific class of resource: documents, camera, location, network and so on. To use such a resource the application's token must carry the corresponding capability SID; otherwise access is denied. Capability SIDs start with S-1-15-3-…
The capability SIDs that the system is aware of are stored in the registry value AllCachedCapabilities
under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses.
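The following PowerShell function is an added example, not code from the original page: it takes a SID string apart the way winnt.h lays out the SID structure (revision, subauthority count, 6-byte big-endian identifier authority, little-endian subauthorities), classifies it using the authority table and RID rules above, resolves it to an account name where possible, and for a capability SID looks for it in the AllCachedCapabilities registry data mentioned above. Get-SidBreakdown is a name chosen here, the S-1-5-21-… domain SID in the usage lines is constructed, and the exact data layout under CapabilityClasses is not assumed (the check is a plain string search). Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
function Get-SidBreakdown {
    param([Parameter(Mandatory)][string]$SidString)

    if (-not ($SidString -match '^S-(\d+)-(\d+)((?:-\d+)+)$')) { throw "Not a SID string: $SidString" }
    $revision  = [int]$Matches[1]
    $authority = [int64]$Matches[2]                                   # 48-bit identifier authority
    $subs      = @($Matches[3].TrimStart('-') -split '-' | ForEach-Object { [uint32]$_ })
    $rid       = $subs[-1]                                            # the last subauthority is the RID

    # identifier authorities from the table above (SECURITY_*_AUTHORITY in winnt.h)
    $authorityNames = @{
        '0'  = 'SECURITY_NULL_SID_AUTHORITY';    '1'  = 'SECURITY_WORLD_SID_AUTHORITY'
        '2'  = 'SECURITY_LOCAL_SID_AUTHORITY';   '3'  = 'SECURITY_CREATOR_SID_AUTHORITY'
        '4'  = 'SECURITY_NON_UNIQUE_AUTHORITY';  '5'  = 'SECURITY_NT_AUTHORITY'
        '9'  = 'SECURITY_RESOURCE_MANAGER_AUTHORITY'
        '15' = 'SECURITY_APP_PACKAGE_AUTHORITY'; '16' = 'SECURITY_MANDATORY_LABEL_AUTHORITY'
    }

    $kind   = 'other well-known SID'
    $domain = $null
    if ($authority -eq 5 -and $subs.Count -ge 5 -and $subs[0] -eq 21) {
        # S-1-5-21-<three domain subauthorities>-<RID>: an account of a domain or of the local SAM
        $domain = 'S-1-5-21-' + ($subs[1..3] -join '-')
        $kind = if ($rid -ge 1000) { 'domain/local account created by an administrator' } else { 'well-known domain account or group' }
    } elseif ($authority -eq 5  -and $subs[0] -eq 32) { $kind = 'BUILTIN alias (S-1-5-32-<RID>)' }
    elseif   ($authority -eq 5  -and $subs[0] -eq 5)  { $kind = 'logon session SID (S-1-5-5-X-Y)' }
    elseif   ($authority -eq 15 -and $subs[0] -eq 3)  { $kind = 'capability SID' }
    elseif   ($authority -eq 16) {
        $kind = 'integrity level: ' + @{ 4096 = 'Low'; 8192 = 'Medium'; 12288 = 'High'; 16384 = 'System' }[[int]$rid]
    }

    # binary form as winnt.h defines it: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6) SubAuthority[n](4 each)
    $sid   = [System.Security.Principal.SecurityIdentifier]::new($SidString)
    $bytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)
    $name  = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '(unresolved)' }

    $known = $null
    if ($kind -eq 'capability SID') {
        # the page says the system's known capability SIDs live here; layout not assumed, so search the text
        $base = 'HKLM:\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses'
        $blob = @()
        $blob += (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).AllCachedCapabilities
        if (Test-Path "$base\AllCachedCapabilities") {
            $key = Get-Item "$base\AllCachedCapabilities"
            $blob += $key.GetValueNames() | ForEach-Object { "$_=$($key.GetValue($_))" }
        }
        $known = (($blob -join "`n") -match [regex]::Escape($SidString))
    }

    [pscustomobject]@{
        Sid             = $SidString
        Revision        = $revision
        Authority       = $authority
        AuthorityName   = $authorityNames["$authority"]
        SubAuthorities  = $subs
        Domain          = $domain
        Rid             = $rid
        Kind            = $kind
        Account         = $name
        KnownCapability = $known
        BinaryForm      = ($bytes | ForEach-Object { '{0:x2}' -f $_ }) -join ' '
    }
}

Get-SidBreakdown 'S-1-5-32-544'                                        # BUILTIN\Administrators, RID 544
Get-SidBreakdown 'S-1-5-21-1004336348-1177238915-682003330-512'        # Domain Admins of a constructed domain
Get-SidBreakdown 'S-1-16-12288'                                        # High integrity label
Get-SidBreakdown 'S-1-15-3-1'                                          # a capability SID
Get-SidBreakdown ([System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value)   # your own account SID
```

The BinaryForm field is what a TOKEN_USER or an ACE actually carries; comparing it with the string form makes the big-endian authority and little-endian subauthorities visible, which matters when you parse SIDs out of raw security descriptors or tokens yourself.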
Logon Session
When a user is successfully authenticated, the authentication package creates a logon session and returns that information to the Local Security Authority. Besides creating an access token for the user, the LSA also creates a locally unique identifier (LUID) for the session, called the logon ID.
The access token holds the session's LUID in its AuthenticationId field (returned by GetTokenInformation with the TokenStatistics class, in TOKEN_STATISTICS.AuthenticationId).
The logon session also keeps a reference count: whenever an access token belonging to the session is copied (by process creation or impersonation) the counter is incremented, and whenever such a token is destroyed it is decremented; when it reaches zero the logon session is deleted.
Types of Access Tokens
Primary token
Impersonation token
Every process run by a user carries a copy of that user's access token; this is the process's primary token.
Token information is consulted every time a thread tries to open a securable object. A thread can temporarily attach an impersonation token instead, which lets it act on behalf of another logon session (typically a client that called it). A thread that impersonates a client therefore has two tokens available: the primary token of its process and its own impersonation token, and the kernel uses the impersonation token while it is attached.
An existing token (primary or impersonation) can be duplicated into either a primary or an impersonation token with the Win32 API function DuplicateTokenEx. The distinction matters because CreateProcessAsUser requires a primary token, while SetThreadToken requires an impersonation token.
A named pipe server can impersonate any client that connects to its named pipe when SeImpersonatePrivilege is enabled in its token. This is what the Windows API ImpersonateNamedPipeClient is for. Without that privilege the server can still impersonate clients that run under the same account as itself; for other clients the impersonation is limited to the Identification level, which lets the server see who the client is but not open objects as the client. The client also caps how far it can be impersonated: it chooses the impersonation level when it opens the pipe (SECURITY_SQOS_PRESENT with SECURITY_IDENTIFICATION, SECURITY_IMPERSONATION or SECURITY_DELEGATION in CreateFile).
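The following PowerShell is an added example, not code from the original page. It covers the token contents described at the top of the page, the logon session section and the named pipe impersonation described just above: Get-TokenStatistics reads TOKEN_STATISTICS from a token handle to show its type, impersonation level and AuthenticationId (the logon session LUID), Get-LogonSessionForToken matches that LUID against Win32_LogonSession, and Test-NamedPipeImpersonation starts a pipe server and client in the same process and calls NamedPipeServerStream.RunAsClient (the .NET wrapper around ImpersonateNamedPipeClient and RevertToSelf) to show what the server thread's token looks like while impersonating, once at Impersonation level and once at Identification level. The Demo.Win32Token type and the three function names are chosen here; the rest are real Win32 and .NET APIs. Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# P/Invoke for GetTokenInformation(TokenStatistics); struct layout follows winnt.h
Add-Type -Namespace Demo -Name Win32Token -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct LUID { public uint LowPart; public int HighPart; }
[StructLayout(LayoutKind.Sequential)]
public struct TOKEN_STATISTICS {
    public LUID TokenId; public LUID AuthenticationId; public long ExpirationTime;
    public int TokenType; public int ImpersonationLevel;
    public uint DynamicCharged; public uint DynamicAvailable;
    public uint GroupCount; public uint PrivilegeCount; public LUID ModifiedId;
}
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass,
    IntPtr buffer, int bufferLength, out int returnLength);
'@

function Get-TokenStatistics {
    param([IntPtr]$Token = [System.Security.Principal.WindowsIdentity]::GetCurrent().Token)
    $type = [Demo.Win32Token+TOKEN_STATISTICS]
    $size = [Runtime.InteropServices.Marshal]::SizeOf($type)
    $buf  = [Runtime.InteropServices.Marshal]::AllocHGlobal($size)
    try {
        $needed = 0
        if (-not [Demo.Win32Token]::GetTokenInformation($Token, 10, $buf, $size, [ref]$needed)) {   # 10 = TokenStatistics
            throw "GetTokenInformation failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        $s = [Runtime.InteropServices.Marshal]::PtrToStructure($buf, $type)
        # AuthenticationId is the logon session LUID; Win32_LogonSession.LogonId shows the same 64-bit value in decimal
        $logonId = ([int64]$s.AuthenticationId.HighPart -shl 32) -bor [int64]$s.AuthenticationId.LowPart
        # ImpersonationLevel is only meaningful for impersonation tokens (TokenType 2)
        $level = if ($s.TokenType -eq 2) { @('Anonymous', 'Identification', 'Impersonation', 'Delegation')[$s.ImpersonationLevel] } else { 'n/a (primary token)' }
        [pscustomobject]@{
            TokenType          = @{ 1 = 'Primary'; 2 = 'Impersonation' }[$s.TokenType]
            ImpersonationLevel = $level
            LogonId            = $logonId
            GroupCount         = $s.GroupCount
            PrivilegeCount     = $s.PrivilegeCount
        }
    } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}

function Get-LogonSessionForToken {
    param([IntPtr]$Token = [System.Security.Principal.WindowsIdentity]::GetCurrent().Token)
    $stats = Get-TokenStatistics -Token $Token
    # LogonType 2 = Interactive, 3 = Network, 5 = Service, 10 = RemoteInteractive
    Get-CimInstance Win32_LogonSession | Where-Object { $_.LogonId -eq "$($stats.LogonId)" } |
        Select-Object LogonId, LogonType, AuthenticationPackage, StartTime
}

function Test-NamedPipeImpersonation {
    param([System.Security.Principal.TokenImpersonationLevel]$ClientLevel = 'Impersonation')
    $name   = 'tokendemo-' + [guid]::NewGuid().ToString('N')
    $server = [System.IO.Pipes.NamedPipeServerStream]::new($name, 'InOut', 1, 'Byte', 'Asynchronous')
    # the client decides the highest level at which the server may impersonate it (SECURITY_SQOS in CreateFile)
    $client = [System.IO.Pipes.NamedPipeClientStream]::new('.', $name, 'InOut', 'None', $ClientLevel)
    $seen   = @{}
    try {
        $accept = $server.WaitForConnectionAsync()
        $client.Connect(5000)
        $accept.Wait()
        $seen.ServerSays = $server.GetImpersonationUserName()      # GetNamedPipeHandleState, no impersonation needed
        # RunAsClient = ImpersonateNamedPipeClient, run the block on this thread, RevertToSelf
        $server.RunAsClient({
            $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()   # now the thread token, not the process token
            $seen.Name  = $id.Name
            $seen.Token = Get-TokenStatistics -Token $id.Token
            try   { [void][System.IO.File]::ReadAllText("$env:windir\win.ini"); $seen.CanOpenFile = $true }
            catch { $seen.CanOpenFile = $false }    # Identification level: ERROR_BAD_IMPERSONATION_LEVEL (1346)
        }.GetNewClosure())
    } finally { $client.Dispose(); $server.Dispose() }
    $seen
}

Get-TokenStatistics                                        # primary token of this PowerShell process
Get-LogonSessionForToken                                   # the logon session it belongs to
Test-NamedPipeImpersonation -ClientLevel Impersonation     # Token.TokenType = Impersonation, CanOpenFile = True
Test-NamedPipeImpersonation -ClientLevel Identification    # same Name, but CanOpenFile = False: identify only
```

Because client and server run as the same user here, no SeImpersonatePrivilege is involved; the point of the two runs is that the server's identity, group count and privilege count inside RunAsClient come from the impersonation token, and that an Identification-level token names the client but is refused by every access check.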