Be Wary of the Terminal Server and Remote Desktop SIDs

Windows offers the well-known Terminal Server User and Remote Desktop Users SIDs, which are present in a user's token if the user logs on through Terminal Services (Windows 2000 Server) or Remote Desktop (Windows XP and later). Because the SID is in the user's token, you can use it to control access to resources with an ACL such as this:

  • Administrators (Full Control)

  • Remote Desktop Users (Read)

  • Interactive Users (Read, Write)

Be aware that the user's token may not include the Remote Desktop Users SID if the user was already logged on interactively at the computer when the remote connection was made. Here is a scenario that shows why:

  • Madison logs on to her computer at work and performs her normal tasks. Her token includes the Interactive User SID because she is physically logged on at the computer.

  • She locks the workstation and goes home for the evening.

  • From home, she decides to connect to the work computer by using the Remote Desktop feature of Windows XP through a VPN.

  • When she connects, the work computer logs her on, creating a new token that includes the Remote Desktop Users SID. Terminal Services then notices that Madison already has an active session, so to preserve the desktop state she left behind it discards the new token and attaches her to the existing interactive session.

At this point, as far as the operating system is concerned, Madison is an interactive user.

As an interactive user, Madison has read and write access to the object rather than read-only access. This is less serious than it sounds: she already has read and write access whenever she is logged on physically at the computer, and on a computer that is reachable only remotely she will never have an interactive session to reconnect to.

Of course, the cynics among you will say that Madison is probably an administrator on her own computer anyway, so why bother with other SIDs in the token!

The lesson is to be aware of this behavior when building ACLs: an ACE granted to the Remote Desktop Users SID does not apply to a remote user who is reconnecting to a session that began at the console, because that session keeps its original interactive token.
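The following PowerShell script is an added example, not code from the book. It does two things: it builds the three-entry ACL from the list above on a scratch folder (the path is an assumption), and it reports which logon-type SIDs the current process token holds, so the reconnect behavior in Madison's scenario can be observed directly on a current Windows build. The SIDs are the documented well-known ones: INTERACTIVE is S-1-5-4, TERMINAL SERVER USER is S-1-5-13, REMOTE INTERACTIVE LOGON is S-1-5-14 (added to tokens of Remote Desktop logons on Windows XP/Server 2003 and later), and BUILTIN\Remote Desktop Users is S-1-5-32-555.

```powershell
# Added example (not from the book). Builds the ACL described in the text on a
# scratch folder and reports which logon-type SIDs the current token holds.
# The folder path is an assumption. Run it in a console session, lock the
# workstation, reconnect over Remote Desktop and run it again.

# Well-known SIDs, named as 'whoami /groups' prints them.
$SidAdministrators     = 'S-1-5-32-544'  # BUILTIN\Administrators
$SidRemoteDesktopUsers = 'S-1-5-32-555'  # BUILTIN\Remote Desktop Users
$SidInteractive        = 'S-1-5-4'       # NT AUTHORITY\INTERACTIVE
$SidTerminalServerUser = 'S-1-5-13'      # NT AUTHORITY\TERMINAL SERVER USER
$SidRemoteInteractive  = 'S-1-5-14'      # NT AUTHORITY\REMOTE INTERACTIVE LOGON

function Set-RemoteAwareAcl {
    # Applies exactly the three ACEs from the text and disables inheritance so
    # that nothing inherited from the parent folder widens access.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # protect DACL, drop inherited ACEs

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    $aces = @(
        @{ Sid = $SidAdministrators;     Rights = 'FullControl' },
        @{ Sid = $SidRemoteDesktopUsers; Rights = 'Read'        },
        @{ Sid = $SidInteractive;        Rights = 'Read, Write' }
    )
    foreach ($ace in $aces) {
        $identity = [System.Security.Principal.SecurityIdentifier]$ace.Sid
        $rights   = [System.Security.AccessControl.FileSystemRights]$ace.Rights
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $identity, $rights, $inherit, $prop, $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-LogonSids {
    # Reports the logon-type SIDs in the token of the running process. A token
    # is fixed when the logon session is created, so a session that began at
    # the console still shows Interactive = True (and RemoteInteractive = False)
    # after the user reconnects to it over Remote Desktop.
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = $id.Groups | ForEach-Object { $_.Value }
    [pscustomobject]@{
        User               = $id.Name
        Interactive        = $sids -contains $SidInteractive
        RemoteInteractive  = $sids -contains $SidRemoteInteractive
        TerminalServerUser = $sids -contains $SidTerminalServerUser
        RemoteDesktopUsers = $sids -contains $SidRemoteDesktopUsers
    }
}

# Usage (assumed scratch path). Show the resulting DACL, then the token SIDs.
$target = 'C:\Temp\RdpAclDemo'
Set-RemoteAwareAcl -Path $target
(Get-Acl -LiteralPath $target).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
Get-LogonSids | Format-List
```

Two practitioner caveats. First, on current Windows the SIDs that actually mark how a user logged on are INTERACTIVE (S-1-5-4) and REMOTE INTERACTIVE LOGON (S-1-5-14); BUILTIN\Remote Desktop Users (S-1-5-32-555) is a group membership that controls who is allowed to connect, and it is present in a member's token for any logon type, so an ACE on it grants read to members at the console too. Second, a process started inside the reconnected session inherits the session's original token, so the Get-LogonSids result does not change until the user logs off and logs on again remotely; `whoami /groups` gives the same answer without the script.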



Writing Secure Code, Second Edition
ISBN: 0735617228
Year: 2001
Pages: 286
