Access Token Basics

Access tokens determine a user's privileges and rights when a process is interacting with the system or a resource.

An access token is a data structure in the Windows operating system that contains information about a user or a security context. It represents the user's identity and privileges, including their security identifiers (SIDs), group memberships, and specific access rights. Access tokens are used by the operating system to control and enforce security policies, determining what actions and resources a user or process can access.

By default, each process has a primary access token associated with it. This represents the user context under which the process is "running". The token is created when a user logs in or when a process is created, and it contains information about the user's identity and privileges.

In certain scenarios, a process can create an impersonation access token to temporarily adopt the security context of another user or security principal within one of its threads. This token allows the process to perform actions on behalf of that user or principal with their respective privileges.

It's important to note that impersonation tokens do not change the primary access token of the process. They only affect the specific threads that have been assigned the impersonation tokens, allowing those threads to act with the privileges of the impersonated user or principal while preserving the primary identity and privileges of the process.

Without an impersonation token, a thread runs in the security context of the process's primary access token.

The main contents of a token in Windows include:

  • User SID (Security Identifier): It uniquely identifies the user account associated with the token.

  • User's group SIDs: SIDs representing the security groups to which the user belongs.

  • Privileges: The privileges associated with the user or security principal represented by the token. Privileges determine the actions that the user or principal is allowed to perform.

  • Authentication ID: A unique identifier that identifies the logon session associated with the token.

  • Token type: Specifies whether the token is a primary token or an impersonation token.

  • Integrity level: Indicates the level of integrity assigned to the token, which determines the level of trust and access rights the token has.

  • Token source: Identifies the source or authority that issued the token.

  • Logon session ID: A unique identifier for the logon session associated with the token.

Security Descriptor

An access token plays a crucial role in granting or denying access to securable objects within an operating system or a network environment. It serves as a form of digital identity that contains information about the user or process requesting access.

When a user or process attempts to access a securable object, such as a file, folder, or system resource, the access token is presented to the security subsystem for evaluation. The security subsystem checks the identity and access rights carried in the access token against the access control lists (ACLs) of the securable object. Based on this evaluation, the requested access is granted or denied, ensuring the enforcement of security policies and protecting sensitive resources.

The access control lists (ACLs) are part of the associated security descriptor. A security descriptor is a data structure that contains information about the security attributes of a securable object, such as a file or directory.

It includes the owner of the object, the primary group associated with the object, and the discretionary access control list (DACL) and system access control list (SACL). The DACL within the security descriptor specifies the access control entries (ACEs) that define the permissions and access rights granted or denied to different users or groups.

When evaluating access requests, the access token's information is compared against the security descriptor's ACLs to determine whether access should be allowed or denied.
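To make the mechanics above concrete, here is an added example (not code from the original page and not Windows' own access-check implementation): a simplified Python model of the token contents listed earlier (user SID, group SIDs, integrity level, token type), of a thread using its impersonation token in place of the process's primary token, and of the ordered DACL walk described in this section. All SIDs, the sample object and its ACEs are constructed for illustration. The model covers only a few well-known rules: the owner implicitly receives READ_CONTROL and WRITE_DAC, a null DACL grants everything while an empty DACL grants nothing, groups flagged "use for deny only" match deny ACEs but not allow ACEs, and a lower-integrity token cannot obtain write access to a higher-labelled object.

```python
"""Simplified model of a Windows access token and the DACL access check.

Added example for this page, not Windows source code. SIDs, the sample
object and the ACEs below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Access-right bit masks (values mirror the Windows generic/standard rights).
READ = 0x00000001          # modelled like FILE_READ_DATA
WRITE = 0x00000002         # modelled like FILE_WRITE_DATA
DELETE = 0x00010000
READ_CONTROL = 0x00020000  # read the security descriptor
WRITE_DAC = 0x00040000     # modify the DACL
WRITE_RIGHTS = WRITE | DELETE | WRITE_DAC

# Integrity levels: the RIDs used by the S-1-16-<rid> mandatory label SIDs.
LOW, MEDIUM, HIGH, SYSTEM = 0x1000, 0x2000, 0x3000, 0x4000


@dataclass
class Token:
    user_sid: str
    group_sids: Set[str]
    # Groups present only to match deny ACEs (SE_GROUP_USE_FOR_DENY_ONLY).
    deny_only_sids: Set[str] = field(default_factory=set)
    integrity_level: int = MEDIUM
    token_type: str = "primary"  # "primary" or "impersonation"


@dataclass
class Ace:
    kind: str  # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class SecurityDescriptor:
    owner_sid: str
    dacl: Optional[List[Ace]]     # None = no DACL at all (everyone gets full access)
    integrity_level: int = MEDIUM  # mandatory label (SACL), NO_WRITE_UP policy assumed


def effective_token(primary: Token, impersonation: Optional[Token]) -> Token:
    """A thread acts under its impersonation token if it has one, else the primary token."""
    return impersonation if impersonation is not None else primary


def access_check(token: Token, sd: SecurityDescriptor, desired: int) -> bool:
    """Return True when every bit in `desired` is granted to `token` on `sd`."""
    # 1. Mandatory integrity check: no write-up to a higher-labelled object.
    if token.integrity_level < sd.integrity_level and desired & WRITE_RIGHTS:
        return False
    # 2. A missing DACL protects nothing.
    if sd.dacl is None:
        return True
    # 3. The owner is implicitly allowed to read and change the DACL.
    granted = READ_CONTROL | WRITE_DAC if token.user_sid == sd.owner_sid else 0
    remaining = desired & ~granted
    if remaining == 0:
        return True
    # 4. Walk the ACEs in order. Deny-only groups count for deny ACEs only.
    allow_sids = {token.user_sid} | (token.group_sids - token.deny_only_sids)
    deny_sids = {token.user_sid} | token.group_sids
    for ace in sd.dacl:
        if ace.kind == "deny" and ace.sid in deny_sids and ace.mask & remaining:
            return False  # a deny hitting an outstanding right ends the check
        if ace.kind == "allow" and ace.sid in allow_sids:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False  # empty DACL, or not all requested rights were granted


def demo() -> dict:
    """Run the check over a constructed token/object scenario and return the outcomes."""
    users, everyone = "S-1-5-32-545", "S-1-1-0"  # BUILTIN\\Users, Everyone (well-known SIDs)
    alice = Token("S-1-5-21-1111-2222-3333-1001",
                  {"S-1-5-21-1111-2222-3333-513", users, everyone})  # constructed domain SIDs
    low_svc = Token("S-1-5-21-1111-2222-3333-1002", {everyone},
                    integrity_level=LOW, token_type="impersonation")
    bob = Token("S-1-5-21-1111-2222-3333-1003", {users, everyone}, deny_only_sids={users})
    report = SecurityDescriptor(owner_sid=alice.user_sid, dacl=[
        Ace("deny", users, DELETE),          # explicit deny listed first, as Windows orders it
        Ace("allow", users, READ | WRITE),
        Ace("allow", everyone, READ),
    ])
    return {
        "alice_read_write": access_check(alice, report, READ | WRITE),
        "alice_delete": access_check(alice, report, DELETE),        # deny ACE wins
        "alice_write_dac": access_check(alice, report, WRITE_DAC),  # owner's implicit right
        "low_thread_read": access_check(effective_token(alice, low_svc), report, READ),
        "low_thread_write": access_check(effective_token(alice, low_svc), report, WRITE),
        "no_impersonation_write": access_check(effective_token(alice, None), report, WRITE),
        "bob_write": access_check(bob, report, WRITE),    # Users is deny-only for bob
        "bob_delete": access_check(bob, report, DELETE),  # ...but still matches the deny
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24} {'granted' if allowed else 'denied'}")
```

The scenario shows why the order of the two passages matters: the thread impersonating `low_svc` is refused WRITE by the integrity check before any ACE is consulted, while the same thread without an impersonation token falls back to the process's primary token and is allowed through the Users ACE.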

Active Directory

An access token in Windows can contain information related to Active Directory. When a user logs in to a domain-joined machine, the access token generated for that user typically includes a security identifier (SID) that represents the user's account in the Active Directory domain.

The access token may also include additional information such as group membership information, which can indicate the user's membership in specific Active Directory security groups. This information is important for determining the user's authorisation and access rights within the domain environment.

By including Active Directory-related information in the access token, the operating system can enforce security policies, permissions, and access control based on the user's identity and group membership in the Active Directory domain. This allows for centralised management and control of user accounts and permissions across the network.

In the next section we will look at an important technique used in privilege escalation: token theft.
