The token contains a list of all of the SIDs associated with the user account, including the account's own SID and the SIDs of all groups and special identities of which the user account is a member (for example, Domain Admins or INTERACTIVE). You can use a tool like whoami (included by default beginning with Windows Server 2003) to discover which SIDs are associated with a logon session, as shown next (many lines have been truncated due to page width constraints):

C:\>whoami /user /groups
USER INFORMATION
----------------
User Name SID
==================== =========================================
vegas2\jsmith S-1-5-21-1527495281-1310999511-3141325392-500
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
===============================================================
Everyone Well-known group S-1-1-0
Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544
Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545
Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554
Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4
Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11
Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15
Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0
Mandatory group, Enabled by default, Enabled group
VEGAS2\Group Policy Creator Owners Group S-1-5-21-[cut]-520
Mandatory group, Enabled by default, Enabled group
VEGAS2\Domain Admins Group S-1-5-21-[cut]-512
Mandatory group, Enabled by default, Enabled group
VEGAS2\Schema Admins Group S-1-5-21-[cut]-518
Mandatory group, Enabled by default, Enabled group
VEGAS2\Enterprise Admins Group S-1-5-21-[cut]-519
Mandatory group, Enabled by default, Enabled group

This example shows that the current process is running in the context of user jsmith, who is a member of Administrators and Authenticated Users and also belongs to the special identities Everyone, LOCAL, and INTERACTIVE.

When jsmith attempts to access a resource, such as a file, the Windows security subsystem compares his token to the DACL on the object, which specifies the SIDs that are permitted to access the object and the ways in which it may be accessed (such as read, write, execute, and so on). If one of the SIDs in jsmith's token matches a SID in the DACL, then jsmith is granted access as specified in the DACL. This process is diagrammed in Figure 2-2.
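As an added example (not part of the original text), the following Python model ties the two ideas above together: it parses `whoami /user /groups` output into the set of SIDs a token carries, then runs a simplified version of the Windows access check against a DACL. The whoami text and the DACL below are constructed to mirror the output shown above (the domain group SIDs are built from the user's domain SID with the well-known RIDs) and are not real system data. The model goes slightly beyond the text in two ways a defender should know about: access-denied ACEs are evaluated in DACL order, so a deny placed before an allow wins, and SIDs marked "Group used for deny only" (as in a UAC-filtered administrator token) can match deny ACEs but never grant access. Owner rights, privileges and inheritance are deliberately left out.

```python
"""Toy model of a Windows access token and the DACL access check (added example)."""
import re
from dataclasses import dataclass, field

# Subset of the file access mask (values from winnt.h).
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_EXECUTE = 0x0020
FILE_RWX = FILE_READ_DATA | FILE_WRITE_DATA | FILE_EXECUTE

ALLOW, DENY = "ACCESS_ALLOWED", "ACCESS_DENIED"
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


@dataclass
class Token:
    user: str
    sids: set = field(default_factory=set)        # user SID plus enabled group SIDs
    deny_only: set = field(default_factory=set)   # SE_GROUP_USE_FOR_DENY_ONLY groups


@dataclass(frozen=True)
class Ace:
    kind: str   # ALLOW or DENY
    sid: str
    mask: int


def parse_whoami(text: str) -> Token:
    """Collect the SIDs from `whoami /user /groups` output into a Token."""
    token, section = None, None
    for line in text.splitlines():
        if line.strip() == "USER INFORMATION":
            section = "user"
            continue
        if line.strip() == "GROUP INFORMATION":
            section = "group"
            continue
        match = SID_RE.search(line)
        if not match:
            continue                      # headers and ruler lines carry no SID
        sid = match.group(0)
        if section == "user":
            token = Token(user=sid, sids={sid})
        elif section == "group" and token is not None:
            if "Group used for deny only" in line:
                token.deny_only.add(sid)  # still present, but only for deny ACEs
                token.sids.add(sid)
            elif "Enabled group" in line:
                token.sids.add(sid)
            # groups without the 'Enabled group' attribute play no part in the check
    if token is None:
        raise ValueError("no USER INFORMATION section found")
    return token


def access_check(token: Token, dacl, desired: int) -> bool:
    """Simplified AccessCheck: walk the DACL in order until the request is decided.

    A NULL DACL grants everything; an empty DACL grants nothing. Deny ACEs that
    cover any still-outstanding right fail the check immediately; allow ACEs
    accumulate rights until nothing remains outstanding.
    """
    if dacl is None:
        return True
    remaining = desired
    for ace in dacl:
        if remaining == 0:
            break
        if ace.sid not in token.sids:
            continue
        if ace.kind == DENY:
            if ace.mask & remaining:
                return False
        elif ace.sid not in token.deny_only:   # deny-only SIDs never grant
            remaining &= ~ace.mask
    return remaining == 0


def filter_for_deny_only(token: Token, sids: set) -> Token:
    """Model of a UAC-filtered token: the listed groups remain, but only for deny ACEs."""
    return Token(user=token.user, sids=set(token.sids),
                 deny_only=token.deny_only | (sids & token.sids))


# Constructed whoami output mirroring the listing above (not captured from a real host).
WHOAMI_OUTPUT = r"""
USER INFORMATION
----------------

User Name     SID
============= =============================================
vegas2\jsmith S-1-5-21-1527495281-1310999511-3141325392-500

GROUP INFORMATION
-----------------

Group Name                       Type             SID          Attributes
================================ ================ ============ ==================================================
Everyone                         Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators           Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                    Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
VEGAS2\Domain Admins             Group            S-1-5-21-1527495281-1310999511-3141325392-512 Mandatory group, Enabled by default, Enabled group
"""

# Constructed DACL for a hypothetical file: deny write to Users first, then the allows.
SAMPLE_DACL = [
    Ace(DENY, "S-1-5-32-545", FILE_WRITE_DATA),   # BUILTIN\Users may not write
    Ace(ALLOW, "S-1-5-32-544", FILE_RWX),         # BUILTIN\Administrators: full control
    Ace(ALLOW, "S-1-5-11", FILE_READ_DATA),       # Authenticated Users: read only
]

if __name__ == "__main__":
    tok = parse_whoami(WHOAMI_OUTPUT)
    for name, mask in (("read", FILE_READ_DATA), ("write", FILE_WRITE_DATA), ("execute", FILE_EXECUTE)):
        print(f"{name:8} full token: {access_check(tok, SAMPLE_DACL, mask)}  "
              f"filtered: {access_check(filter_for_deny_only(tok, {'S-1-5-32-544'}), SAMPLE_DACL, mask)}")
```

Running the script shows why ACE order matters: jsmith is an administrator, yet the write request fails because the deny ACE for Users is reached before the allow ACE for Administrators, while the execute request succeeds only while Administrators is a fully enabled group in the token.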