Tokens


When a user logs on to a computer running Windows 2000 and the account is authenticated, a token is created for that user, and this token is applied to every process and thread within each process that the user starts up. The token contains the information in Table 3-4.

Table 3-4. The contents of a Windows 2000 token.

User SID
  The user's security identifier, or SID.

Group SIDs
  The list of SIDs of all the groups of which the user is a member. In Windows 2000, group membership in a token is flattened. In other words, if the account is a member of group A, which in turn is a member of group B, the token contains SIDs for both A and B, not just A.

Privileges
  The list of privileges the user has on this computer.

Owner SID
  The SID of the user or group that, by default, becomes the owner of any object the user creates or takes ownership of. This is usually the same as the user SID, except for an administrator, in which case it is the Administrators group SID.

Primary group
  Not used by any part of Windows 2000 except the POSIX subsystem.

Default access control list
  A list of permissions that Windows 2000 applies to objects created by the user if no other access control information is available. By default, it grants full control to the creator/owner and to SYSTEM.

Source
  An 8-byte string that identifies the process that created the token.

Type
  One of two types: a primary token or an impersonation token. A primary token is the token associated with a process and is the default token for each thread in that process. A thread acquires an impersonation token when it calls an impersonation function such as ImpersonateLoggedOnUser or RpcImpersonateClient.

Impersonation level
  Governs the degree to which a server process can act on behalf of a client. The levels are as follows:

  Anonymous       The server process cannot obtain identification information about the client, and it cannot impersonate the client.
  Identification  The server process can obtain information about the client, such as security identifiers and privileges, but it cannot impersonate the client.
  Impersonation   The server process can impersonate the client's security context on its local system. The server cannot impersonate the client on remote systems.
  Delegation      The server process can impersonate the client's security context on local and remote systems.

Statistics
  Information about the token, usually used only by the operating system.

Restricted SIDs
  The token is referred to as a restricted token if this optional field is not empty.

  When a thread tries to access a secured object, the system performs two access checks: one using the token's enabled SIDs and another using the list of restricting SIDs. Access is granted only if both access checks allow the requested access rights.

  Restricted SIDs are new to Windows 2000 and can be created using the CreateRestrictedToken API. This function also lets you delete privileges from the token and mark SIDs in it as deny-only.

Session ID
  Only applicable to a session created by Terminal Server: a unique nonzero numeric value for each connected client.
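To read the Table 3-4 fields from code rather than from whoami, and to see what CreateRestrictedToken changes, here is an added example that is not part of the book: PowerShell with an inline C# helper (Add-Type) that prints the user, owner, type, group and privilege fields of the current process token, then builds a restricted copy and prints the privilege list and restricting-SID list of that copy. It assumes Windows PowerShell 5.1 or later on Windows; the class TokenProbe and its method names are this example's own, and the two restricting SIDs (Everyone, S-1-1-0, and the well-known RESTRICTED SID, S-1-5-12) are chosen for illustration.

```powershell
Add-Type -TypeDefinition @'
using System; using System.ComponentModel; using System.Runtime.InteropServices;
using System.Security.Principal; using System.Text;
// Added example (not from the book); assumes Windows PowerShell 5.1+ on Windows.
public static class TokenProbe
{
    const int TokenPrivileges = 3, TokenRestrictedSids = 11;     // TOKEN_INFORMATION_CLASS
    const uint TOKEN_DUPLICATE = 0x2, TOKEN_QUERY = 0x8, DISABLE_MAX_PRIVILEGE = 0x1, SE_PRIVILEGE_ENABLED = 0x2;
    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] struct LUID_AND_ATTRIBUTES { public LUID Luid; public uint Attributes; }
    [StructLayout(LayoutKind.Sequential)] struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int needed);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] static extern bool LookupPrivilegeName(string sys, ref LUID luid, StringBuilder name, ref int len);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool CreateRestrictedToken(IntPtr token, uint flags,
        uint disableCount, SID_AND_ATTRIBUTES[] disable, uint deleteCount, LUID_AND_ATTRIBUTES[] delete,
        uint restrictCount, SID_AND_ATTRIBUTES[] restrict, out IntPtr newToken);

    public static IntPtr OpenCurrentToken()       // TOKEN_DUPLICATE is required by CreateRestrictedToken
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_DUPLICATE, out token)) throw new Win32Exception();
        return token;
    }
    public static void Close(IntPtr h) { CloseHandle(h); }

    // Two-call pattern: ask for the size, then fetch the variable-length structure.
    static IntPtr Query(IntPtr token, int cls)
    {
        int needed;
        GetTokenInformation(token, cls, IntPtr.Zero, 0, out needed);
        IntPtr buf = Marshal.AllocHGlobal(needed);
        if (!GetTokenInformation(token, cls, buf, needed, out needed)) throw new Win32Exception();
        return buf;
    }

    // TOKEN_PRIVILEGES: DWORD count, then LUID_AND_ATTRIBUTES[] at offset 4.
    // SE_PRIVILEGE_ENABLED is the bit whoami renders as (X) rather than (O).
    public static string[] Privileges(IntPtr token)
    {
        IntPtr buf = Query(token, TokenPrivileges);
        try {
            int count = Marshal.ReadInt32(buf), size = Marshal.SizeOf(typeof(LUID_AND_ATTRIBUTES));
            var result = new string[count];
            for (int i = 0; i < count; i++) {
                var la = (LUID_AND_ATTRIBUTES)Marshal.PtrToStructure(buf + 4 + i * size, typeof(LUID_AND_ATTRIBUTES));
                var name = new StringBuilder(64); int len = name.Capacity;
                LookupPrivilegeName(null, ref la.Luid, name, ref len);
                result[i] = name.ToString() + ((la.Attributes & SE_PRIVILEGE_ENABLED) != 0 ? " (enabled)" : " (disabled)");
            }
            return result;
        } finally { Marshal.FreeHGlobal(buf); }
    }

    // TOKEN_GROUPS: DWORD count, then a pointer-aligned SID_AND_ATTRIBUTES[]. Empty for an ordinary token.
    public static string[] RestrictedSids(IntPtr token)
    {
        IntPtr buf = Query(token, TokenRestrictedSids);
        try {
            int count = Marshal.ReadInt32(buf), size = Marshal.SizeOf(typeof(SID_AND_ATTRIBUTES));
            var result = new string[count];
            for (int i = 0; i < count; i++) {
                var sa = (SID_AND_ATTRIBUTES)Marshal.PtrToStructure(buf + IntPtr.Size + i * size, typeof(SID_AND_ATTRIBUTES));
                result[i] = new SecurityIdentifier(sa.Sid).Value;
            }
            return result;
        } finally { Marshal.FreeHGlobal(buf); }
    }
    // Restricted copy of token: DISABLE_MAX_PRIVILEGE deletes every privilege except
    // SeChangeNotifyPrivilege, and sddlSids become the restricting SID list.
    public static IntPtr Restrict(IntPtr token, string[] sddlSids)
    {
        var restrict = new SID_AND_ATTRIBUTES[sddlSids.Length];
        for (int i = 0; i < sddlSids.Length; i++) {
            var sid = new SecurityIdentifier(sddlSids[i]);
            var bytes = new byte[sid.BinaryLength];
            sid.GetBinaryForm(bytes, 0);
            restrict[i].Sid = Marshal.AllocHGlobal(bytes.Length);
            Marshal.Copy(bytes, 0, restrict[i].Sid, bytes.Length);
        }
        IntPtr newToken;
        bool ok = CreateRestrictedToken(token, DISABLE_MAX_PRIVILEGE, 0, null, 0, null, (uint)restrict.Length, restrict, out newToken);
        int err = Marshal.GetLastWin32Error();
        foreach (var r in restrict) Marshal.FreeHGlobal(r.Sid);
        if (!ok) throw new Win32Exception(err);
        return newToken;
    }
}
'@
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"User SID: $($id.User)   Owner SID: $($id.Owner)"     # owner is the Administrators SID for an admin
"Type: " + $(if ($id.ImpersonationLevel -eq 'None') { 'primary' } else { "impersonation ($($id.ImpersonationLevel))" })
$id.Groups | ForEach-Object { "Group SID: $($_.Value)" }   # already flattened, nested groups included
$tok = [TokenProbe]::OpenCurrentToken()
"Privileges:"; [TokenProbe]::Privileges($tok); "Restricted SIDs:"; [TokenProbe]::RestrictedSids($tok)
# Restricting SIDs chosen for this example: Everyone (S-1-1-0) and the well-known RESTRICTED SID (S-1-5-12).
$rtok = [TokenProbe]::Restrict($tok, [string[]]('S-1-1-0', 'S-1-5-12'))
"Restricted token privileges:"; [TokenProbe]::Privileges($rtok); "Restricting SIDs:"; [TokenProbe]::RestrictedSids($rtok)
[TokenProbe]::Close($rtok); [TokenProbe]::Close($tok)
```

Run it in an ordinary user session. The restricted copy keeps the same user and group SIDs (nothing was disabled), but every privilege except SeChangeNotifyPrivilege is gone and the restricting list is now non-empty, which is exactly the condition that makes the second access check described under Restricted SIDs apply: an object is then opened only if its DACL grants the requested access both to the user's normal SIDs and to Everyone or RESTRICTED. Because the source was a primary token, the copy is a primary token too, so it can be handed to CreateProcessAsUser to start a process with reduced authority.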

You can look at some of the critical data in your own token by using the WhoAmI.exe tool included with the Windows 2000 Resource Kit. Below is some sample output:

 C:\WINNT>whoami /all
 [User] = "DEV\Cheryl"  S-1-5-21-392915311-626881126-188441333-1191
 [Group  1] = "DEV\Domain Users"  S-1-5-21-392915311-626881126-188441333-513
 [Group  2] = "Everyone"  S-1-1-0
 [Group  3] = "BUILTIN\Power Users"  S-1-5-32-547
 [Group  4] = "BUILTIN\Users"  S-1-5-32-545
 [Group  5] = "LOCAL"  S-1-2-0
 [Group  6] = "NT AUTHORITY\INTERACTIVE"  S-1-5-4
 [Group  7] = "NT AUTHORITY\Authenticated Users"  S-1-5-11
 [Login ID] = S-1-5-5-0-6553
 (X) SeChangeNotifyPrivilege  = Bypass traverse checking
 (O) SeSystemtimePrivilege  = Change the system time
 (O) SeShutdownPrivilege  = Shut down the system
 (O) SeProfileSingleProcessPrivilege = Profile single process
 (X) SeUndockPrivilege  = Remove computer from docking station

This output tells you that

  • Cheryl logged on interactively. (She is a member of the INTERACTIVE group, which the logon process adds to the token.)
  • She is a member of the Everyone, Authenticated Users, Domain Users, Users, and Power Users groups.
  • The last subauthority of her user SID, 1191, is her relative identifier (RID). A domain hands out RIDs for new user, group, and computer accounts sequentially starting at 1000 (lower values are reserved for well-known principals such as Administrator, 500, and Domain Users, 513), so the RID indicates roughly how early her account was created in this domain.
  • Her logon session SID is S-1-5-5-0-6553. The last two subauthorities are the logon session's locally unique identifier (LUID), which is different every time she logs on.
  • She has a number of privileges, but only Bypass Traverse Checking and Remove Computer From Docking Station, marked (X), are currently enabled. The others, marked (O), are present in the token but disabled; code that needs one of them must enable it with AdjustTokenPrivileges before it takes effect.

To fully understand the content of the token, cross-reference the SIDs defined above with the SIDs detailed in Appendix A.
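The impersonation-level rows of Table 3-4 say that an Identification-level token lets a server read the client's identity but not act as the client. The kernel enforces this at access-check time: a thread impersonating at Identification level can call the token query functions, but any attempt to open a secured object fails with ERROR_BAD_IMPERSONATION_LEVEL (Win32 error 1346). The following added example, which is not from the book, demonstrates that on a single machine: it duplicates the process's own token as an impersonation token at a chosen level (DuplicateTokenEx), impersonates it on the current thread, and tries to open a file for read. It assumes Windows PowerShell 5.1 or later on Windows; the class ImpLevelDemo and its method name are this example's own, and win.ini is used only as a file the user can normally read. The example covers only the local distinction; the Impersonation versus Delegation difference (acting as the client on a remote system) needs a second machine and is not shown.

```powershell
Add-Type -TypeDefinition @'
using System; using System.ComponentModel; using System.Runtime.InteropServices;
// Added example (not from the book); assumes Windows PowerShell 5.1+ on Windows.
public static class ImpLevelDemo
{
    // SECURITY_IMPERSONATION_LEVEL values from winnt.h
    public const int SecurityAnonymous = 0, SecurityIdentification = 1, SecurityImpersonation = 2, SecurityDelegation = 3;
    public const int ERROR_BAD_IMPERSONATION_LEVEL = 1346;
    const int TokenImpersonation = 2;                         // TOKEN_TYPE
    const uint TOKEN_DUPLICATE = 0x2, TOKEN_IMPERSONATE = 0x4, TOKEN_QUERY = 0x8;
    const uint GENERIC_READ = 0x80000000, FILE_SHARE_READ = 1, OPEN_EXISTING = 3;
    static readonly IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern IntPtr CreateFile(string path, uint access, uint share, IntPtr sa, uint disposition, uint flags, IntPtr template);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr sa, int level, int type, out IntPtr dup);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool ImpersonateLoggedOnUser(IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool RevertToSelf();

    // Duplicate our own primary token as an impersonation token at the given level,
    // impersonate it on this thread, and try to open path for read.
    // Returns 0 on success, otherwise the Win32 error reported by CreateFile.
    public static int TryOpenAtLevel(string path, int level)
    {
        IntPtr token, dup;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_DUPLICATE, out token)) throw new Win32Exception();
        try {
            // TOKEN_QUERY | TOKEN_IMPERSONATE is what ImpersonateLoggedOnUser needs on the handle
            if (!DuplicateTokenEx(token, TOKEN_QUERY | TOKEN_IMPERSONATE, IntPtr.Zero, level, TokenImpersonation, out dup))
                throw new Win32Exception();
        } finally { CloseHandle(token); }
        if (!ImpersonateLoggedOnUser(dup)) { CloseHandle(dup); throw new Win32Exception(); }
        try {
            IntPtr h = CreateFile(path, GENERIC_READ, FILE_SHARE_READ, IntPtr.Zero, OPEN_EXISTING, 0, IntPtr.Zero);
            if (h == INVALID_HANDLE_VALUE) return Marshal.GetLastWin32Error();
            CloseHandle(h);
            return 0;
        } finally { RevertToSelf(); CloseHandle(dup); }   // always drop the impersonation, even on error
    }
}
'@
$file = Join-Path $env:SystemRoot 'win.ini'      # any file the current user can normally read
$levels = [ordered]@{ Identification = [ImpLevelDemo]::SecurityIdentification; Impersonation = [ImpLevelDemo]::SecurityImpersonation }
foreach ($level in $levels.GetEnumerator()) {
    $rc = [ImpLevelDemo]::TryOpenAtLevel($file, $level.Value)
    $verdict = switch ($rc) {
        0 { 'open succeeded: the thread acted in the client security context' }
        { $_ -eq [ImpLevelDemo]::ERROR_BAD_IMPERSONATION_LEVEL } { 'ERROR_BAD_IMPERSONATION_LEVEL: identity readable, no object access' }
        default { "Win32 error $rc" }
    }
    '{0,-15} {1}' -f $level.Key, $verdict
}
```

The Identification run fails and the Impersonation run succeeds even though both tokens carry the same user, groups and privileges; the only difference between them is the impersonation-level field, which is why a server that merely needs to know who the client is should accept nothing more than Identification level from its callers.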



Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138