Determining Access Based on an Administrator SID

A small number of applications I've reviewed contain code that allows access to a protected resource, or to some protected code path, based solely on the Administrators group SID (BUILTIN\Administrators, S-1-5-32-544) being present in the user's token. The following code is an example. It reads the group list from the user's token and searches it for the Administrators SID. If the SID is in the token, the user must be an administrator, right?

    // Build the SID for BUILTIN\Administrators (S-1-5-32-544).
    PSID GetAdminSID() {
        BOOL fSIDCreated = FALSE;
        SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
        PSID Admins;
        fSIDCreated = AllocateAndInitializeSid(
            &NtAuthority, 2,
            SECURITY_BUILTIN_DOMAIN_RID,
            DOMAIN_ALIAS_RID_ADMINS,
            0, 0, 0, 0, 0, 0,
            &Admins);
        return fSIDCreated ? Admins : NULL;
    }

    // hToken (the user's token), ptokgrp (a PTOKEN_GROUPS buffer) and
    // dwInfoSize (its size) are assumed to have been set up earlier.
    BOOL fIsAnAdmin = FALSE;
    PSID sidAdmin = GetAdminSID();
    if (!sidAdmin)
        return;

    if (GetTokenInformation(hToken, TokenGroups, ptokgrp, dwInfoSize, &dwInfoSize)) {
        // Insecure: looks only at whether the SID is present, not at its attributes.
        for (int i = 0; i < ptokgrp->GroupCount; i++) {
            if (EqualSid(ptokgrp->Groups[i].Sid, sidAdmin)) {
                fIsAnAdmin = TRUE;
                break;
            }
        }
    }

    if (sidAdmin)
        FreeSid(sidAdmin);

This code is insecure on Windows 2000 and later because of restricted tokens. When a restricted token is in effect, any SID in the token, the Administrators SID included, can be marked for deny-only use (the SE_GROUP_USE_FOR_DENY_ONLY attribute): the SID still appears in the token's group list, but it is not enabled and can match only access-denied ACEs during an access check. Because the previous code tests only whether the SID is present, it sets fIsAnAdmin to TRUE for such a token even though that token cannot exercise any administrative access. Take a look at Chapter 5, "Running with Least Privilege," for more information regarding restricted tokens. Just a little more checking, testing the group's attributes rather than its mere presence, will return accurate results:

    for (int i = 0; i < ptokgrp->GroupCount; i++) {
        // Count the SID only if it is enabled; a deny-only SID lacks SE_GROUP_ENABLED.
        if (EqualSid(ptokgrp->Groups[i].Sid, sidAdmin) &&
            (ptokgrp->Groups[i].Attributes & SE_GROUP_ENABLED)) {
            fIsAnAdmin = TRUE;
            break;
        }
    }

Although this code is better, the only acceptable way to make such a determination on Windows 2000 and later is to call CheckTokenMembership. It reports whether the SID is both present and enabled in the token, so deny-only SIDs are never counted, and it does so with the same rules the kernel applies during an access check rather than with logic you maintain yourself. The same deny-only situation arises on Windows Vista and later, where the non-elevated (UAC-filtered) token of an administrator carries the Administrators SID for deny only, so the naive check wrongly reports a non-elevated process as administrative. That said, if the object can be secured using ACLs, allow the operating system, not your code, to perform the access check.
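The following PowerShell script is an added example, not code from the book. It answers "is this token an administrator?" three ways for the current process token: the naive presence test from the C code above, the attribute-aware test, and CheckTokenMembership, which .NET's WindowsPrincipal.IsInRole calls on the identity's token. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with whoami.exe available; whoami /groups is used only to dump each SID's attributes the way the C code saw them, deny-only entries included.

```powershell
# Added example (not from the book): three answers to "is this token an admin?".
# Run it from a non-elevated prompt while a member of Administrators to see the
# first check answer True while the other two answer False.

$adminSid = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)  # S-1-5-32-544

# 1. The naive test: is the Administrators SID anywhere in the token's group list?
#    whoami /groups lists every SID in the token with its attributes, including
#    entries that are present for deny only, just like the TOKEN_GROUPS walk in C.
$groups     = whoami /groups /fo csv | ConvertFrom-Csv
$adminEntry = @($groups | Where-Object { $_.SID -eq $adminSid.Value })[0]
$sidPresent = $null -ne $adminEntry
$attrs      = if ($sidPresent) { $adminEntry.Attributes } else { '(not in token)' }

# 2. The attribute-aware test: the SID counts only if it is enabled and not marked
#    SE_GROUP_USE_FOR_DENY_ONLY, which whoami renders as "Group used for deny only".
$attrSaysAdmin = $sidPresent -and
    ($attrs -match 'Enabled group') -and
    ($attrs -notmatch 'deny only')

# 3. The recommended test: CheckTokenMembership, reached through IsInRole so no
#    P/Invoke is needed from PowerShell.
$principal = New-Object System.Security.Principal.WindowsPrincipal(
    [System.Security.Principal.WindowsIdentity]::GetCurrent())
$apiSaysAdmin = $principal.IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)

[pscustomobject]@{
    AdminSidPresent      = $sidPresent
    AdminSidAttributes   = $attrs
    AttributeCheck       = $attrSaysAdmin
    CheckTokenMembership = $apiSaysAdmin
}
```

From an elevated prompt all three fields agree; from a non-elevated prompt of the same account, AdminSidPresent is True, AdminSidAttributes reads "Group used for deny only", and both AttributeCheck and CheckTokenMembership are False. For a process that should make the decision in native code, call CheckTokenMembership directly against the token rather than replicating the attribute test.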



Writing Secure Code, Second Edition
ISBN: 0735617228
Year: 2005
Pages: 153