How Tokens, Privileges, SIDs, ACLs, and Processes Relate


All processes in Windows NT, Windows 2000, and Windows XP run with some identity; in other words, a token is associated with the process. Normally, the process runs as the identity of the user who started the application. However, applications can be started as other user accounts through use of the CreateProcessAsUser function by a user who has the appropriate privileges. Typically, the process that calls the CreateProcessAsUser function must have the SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege privileges. However, if the token passed as the first argument is a restricted version of the caller's primary token, the SeAssignPrimaryTokenPrivilege privilege is not required.

Another type of process, a service, runs with the identity defined in the Service Control Manager (SCM). By default, many services run as the local system account, but this can be configured to run as another account by entering the name and password for the account into the SCM, as shown in Figure 7-1.

Figure 7-1. Setting a service to run as a specified account in SCM.

More Info
Passwords used to start services are stored as LSA secrets. Refer to Chapter 9 for more information about LSA secrets.

Because the process has an account's token associated with it and therefore has all the user's group memberships and privileges, it can be thought of as a proxy for the account: anything the account can do, the process can do. This is true unless the token is neutered in some way on Windows 2000 and later by using the restricted token capability.

SIDs and Access Checks, Privileges and Privilege Checks

A token contains SIDs and privileges. The SIDs in a token are used to perform access checks against ACLs on resources, and the privileges in the token are used to perform specific machine-wide tasks. When I ask developers why they need to run their processes with elevated privileges, they usually comment, "We need to read and write to a portion of the registry." Little do they realize that this is actually an access check; it's not a use of privileges! So why run with all those dangerous privileges enabled? Sometimes I hear, "Well, you have to run as administrator to run our backup tool." Backup is a privilege; it is not an ACL check.

If this section of the chapter hasn't sunk in, please reread it. It's vitally important that you understand the relationship between SIDs and privileges and how they differ.
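The following Python model is an added illustration, not code from the book: `access_check` decides access from the token's SIDs walked against a DACL (in order, with deny ACEs taking effect as soon as they match, and, going one step past the text, a restricted token having to pass a second time against its restricting SIDs), while `privilege_check` consults only the token's enabled privileges and never touches an ACL. The account SIDs other than the well-known BUILTIN ones, the ACL, and the privilege states are constructed sample data.

```python
"""Added illustration, not code from the book: the two kinds of check a
token is used for. The ACL and account SIDs are constructed sample data."""
from dataclasses import dataclass, field
READ, WRITE = 0x1, 0x2                    # simplified access-mask bits

@dataclass
class Ace:
    kind: str                             # "allow" or "deny"
    sid: str
    mask: int

@dataclass
class Token:
    sids: set                             # user SID plus group SIDs
    privileges: dict = field(default_factory=dict)    # name -> enabled?
    restricted_sids: set = field(default_factory=set)  # empty: not restricted

def _dacl_grants(dacl, sids, wanted):
    """Walk the DACL in order, as the kernel does: a matching deny ACE that
    covers any wanted bit fails at once; allow ACEs accumulate bits."""
    granted = 0
    for ace in dacl:
        if ace.sid not in sids:
            continue
        if ace.kind == "deny" and ace.mask & wanted:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & wanted
            if granted == wanted:
                return True
    return False

def access_check(token, dacl, wanted):
    """SID-based check. A restricted token (Windows 2000 and later) must pass
    twice: once with its normal SIDs, again with its restricting SIDs."""
    if not _dacl_grants(dacl, token.sids, wanted):
        return False
    return not token.restricted_sids or _dacl_grants(dacl, token.restricted_sids, wanted)

def privilege_check(token, privilege):
    """Privilege check: held and enabled, no ACL consulted, no SID substitutes."""
    return token.privileges.get(privilege, False)

# Constructed registry-key DACL: Users read, Admins read/write, one deny ACE.
SAMPLE_DACL = [
    Ace("deny", "S-1-5-21-0-0-0-1107", WRITE),   # made-up service account
    Ace("allow", "S-1-5-32-545", READ),          # BUILTIN\Users
    Ace("allow", "S-1-5-32-544", READ | WRITE),  # BUILTIN\Administrators
]
```

A plain user can read the key but not write it, an administrator can do both, the denied service account cannot write even though its Administrators SID would allow it, and no amount of group membership turns `SeBackupPrivilege` on.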



Writing Secure Code, Second Edition
ISBN: 0735617228
Year: 2001
Pages: 286