What Is an Access Token?
Access token (Access Tokens) is a concept in Windows operating system security. When a user logs on, the system creates an access token that contains the security identifier (SID) returned by the logon process, the SIDs of the user's security groups, and the list of privileges that the local security policy assigns to the user and to those groups. Every process that runs as that user holds a copy of the token. The system uses the token to decide which securable objects the user may access and which privileged system operations the user may perform.
- Name: Access token
- English name: Access Tokens
- Application area: Windows operating system
- Category: system security
Access token classification
- There are two types of token: primary tokens and impersonation tokens. A primary token is the default access token that the Windows kernel creates and assigns to a process; every process has one, and it describes the security context of the user account under which the process runs. A thread, however, can impersonate a client account, so that the thread uses the client's security context when it interacts with a securable object. A thread that is impersonating a client therefore has two tokens in play: the primary token of its process and its own impersonation token.
How access tokens work
Primary token
- An access token contains a complete description of the security context of a process or thread. It holds the following information. [1]
- User. The SID of the user account. If the user logs on with a local account, the SID comes from the account database kept by the local Security Accounts Manager (SAM); if the user logs on with a domain account, the SID comes from the objectSid attribute of the user object in Active Directory.
- Groups. The list of SIDs of the security groups the user belongs to. The list also contains any SIDs held in the sIDHistory attribute of the user object in Active Directory, so that access granted to a user's former SIDs continues to apply after a migration.
- Privileges. The list of privileges that the user and the user's security groups hold on the local computer.
- Owner. The SID of the user or security group that, by default, becomes the owner of any object the user creates or takes ownership of.
- Primary Group. The SID of the user's primary security group. Windows 2000 uses this information only in the POSIX subsystem; other parts of the system ignore it.
- Default DACL (Default Discretionary Access Control List). A built-in set of permissions that the operating system applies to objects the user creates when no other access control information is supplied. The default DACL grants Full Control to the creator owner and to the SYSTEM account.
- Source. The component that caused the token to be created, such as the Session Manager, LAN Manager, or a remote procedure call (RPC) server.
- Type. Whether the token is a primary token or an impersonation token. A primary token represents the security context of a process; an impersonation token lets a thread in a service process temporarily take on a different security context, such as that of one of the service's clients.
- Impersonation Level. For an impersonation token, how far the service may take on the security context of the client the token represents. From weakest to strongest the levels are anonymous, identification, impersonation and delegation.
- Statistics. Information about the token itself, used internally by the operating system.
- Restricting SIDs. An optional list of SIDs that a process authorized to create restricted tokens adds to the token. When restricting SIDs are present, an access check must succeed twice, once against the normal user and group SIDs and once against the restricting SIDs, so a thread running with such a token can be limited to less than the user would otherwise be allowed, never more.
- Session ID. Indicates whether, and to which, Terminal Services client session the token belongs.
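The following script is an added example, not part of the original article or of any Microsoft sample: it reads, from the current process's own token, the fields described in the list above. SIDs, owner and impersonation level come from the .NET WindowsIdentity wrapper; the DWORD-sized fields (TokenType = 8, TokenSessionId = 12, TokenHasRestrictions = 21 in TOKEN_INFORMATION_CLASS) are read through a small P/Invoke shim around GetTokenInformation, and privileges are listed with `whoami /priv`, which reads the same token. The helper name Get-TokenDword is this example's own.

```powershell
# Added example: dump the fields of the current process token.
# Runs in an ordinary (non-elevated) Windows PowerShell 5.1 or PowerShell 7 session.

Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(
    IntPtr TokenHandle, int TokenInformationClass,
    out uint TokenInformation, int TokenInformationLength, out int ReturnLength);
'@

function Get-TokenDword {
    # Reads a TOKEN_INFORMATION_CLASS whose payload is a single DWORD
    # (TokenType, TokenImpersonationLevel, TokenSessionId, TokenHasRestrictions, ...).
    param([IntPtr]$Token, [int]$Class)
    $value = [uint32]0
    $len = 0
    if (-not [Win32.Token]::GetTokenInformation($Token, $Class, [ref]$value, 4, [ref]$len)) {
        throw "GetTokenInformation($Class) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    return $value
}

$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# User: the SID of the logon account (from SAM or Active Directory).
'User         : {0} ({1})' -f $id.User.Value, $id.Name

# Groups: one SID per group. Logon-session SIDs and similar have no account name.
'Groups       :'
foreach ($g in $id.Groups) {
    try   { $name = $g.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '(unresolved)' }
    '  {0,-48} {1}' -f $g.Value, $name
}

# Owner: default owner for objects created with this token.
'Owner        : {0}' -f $id.Owner.Value

# Type (1 = TokenPrimary, 2 = TokenImpersonation). A process token is primary.
$type = Get-TokenDword $id.Token 8
'Type         : {0}' -f @{1 = 'Primary'; 2 = 'Impersonation'}[[int]$type]
if ($type -eq 2) {
    # The impersonation level is only meaningful for impersonation tokens.
    'Level        : {0}' -f $id.ImpersonationLevel
}

# Session ID: the Terminal Services session the token belongs to (0 for services).
'Session ID   : {0}' -f (Get-TokenDword $id.Token 12)

# TokenHasRestrictions is non-zero if the token has ever been filtered: true for
# restricted tokens (restricting SIDs present) and also for the UAC-filtered
# token of an administrator running non-elevated.
'Filtered     : {0}' -f ((Get-TokenDword $id.Token 21) -ne 0)

# Privileges: whoami /priv enumerates the Privileges array of this same token.
'Privileges   :'
whoami /priv
```

Run it twice, once in a normal prompt and once in a prompt started with "Run as administrator", and compare the Groups, Privileges and Filtered lines: the two prompts hold different tokens for the same user account.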
Impersonation token
- A thread can execute in a security context other than that of the process that owns it. This ability is called impersonation, and it exists to meet the security needs of client/server applications. While running in the client's security context, the service in effect "is" the client: the thread uses an access token on behalf of the client and can reach only the objects that the client itself could reach.
- The main reason to impersonate is to perform access checks with the client's identity rather than the service's. Such checks can either restrict or extend access, depending on what the client is permitted to do. For example, suppose a file server holds files containing confidential information protected by a DACL. To prevent a client from obtaining information it is not authorized to see, the service impersonates the client before opening the files, so the check is made against the client's SIDs and not against the service's own, usually more powerful, account.
Access token features
- Every process has a primary token that describes the security context of the user account associated with the process. For an ordinary application the associated user is whoever started it; for a service it is not: a service runs under its own account and acts as a user with that account's permissions. The system services installed with the operating system run under the Local System account; other services can be configured to run under that account or be given a separate account, either on the local computer or in Active Directory. The service's primary token applies to the controlling thread in the service process and to every other thread that runs on behalf of the service. It identifies the service's account, the account's groups and its privileges, and this information is used in access checks whenever the service requests access to the objects it needs to do its work.
- When a service accepts a client, it creates a thread to do the work and associates the client's access token with that worker thread. The client's token is an impersonation token that identifies the client, the client's groups and privileges, and this information is used for access checks whenever the thread requests a resource on behalf of the client. When impersonation ends, the thread reverts to the primary token and returns to the service's own security context rather than the client's.
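The following script is an added example, not code from the original article or from Microsoft: it plays the service described above in miniature. It obtains a token for a second user with LogonUser, impersonates that token on the current thread with WindowsIdentity.RunImpersonated, and shows the security context and the result of one access check (opening a file) before, during and after impersonation. The account name, password and the file path C:\secret\payroll.txt are placeholders the reader supplies; the helper Show-Context is this example's own.

```powershell
# Added example: impersonate a client token on the current thread and watch the
# security context (and an access check) change with it.
# Usage:  .\Impersonate-Demo.ps1 -Username alice -Path C:\secret\payroll.txt
param(
    [Parameter(Mandatory)][string]$Username,                      # placeholder account
    [string]$Domain = '.',                                        # '.' = local machine
    [Parameter(Mandatory)][Security.SecureString]$Password,       # prompted if omitted
    [string]$Path = 'C:\secret\payroll.txt'                       # placeholder file protected by a DACL
)

Add-Type -Namespace Win32 -Name Logon -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
    int logonType, int logonProvider, out IntPtr token);
'@

$LOGON32_LOGON_INTERACTIVE = 2   # interactive logon returns a primary token
$LOGON32_PROVIDER_DEFAULT  = 0

# Decrypt the password only for the duration of the LogonUser call.
$plain = [Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($Password)
try {
    $raw = [IntPtr]::Zero
    $ok = [Win32.Logon]::LogonUser($Username, $Domain,
        [Runtime.InteropServices.Marshal]::PtrToStringUni($plain),
        $LOGON32_LOGON_INTERACTIVE, $LOGON32_PROVIDER_DEFAULT, [ref]$raw)
    if (-not $ok) {
        throw "LogonUser failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeGlobalAllocUnicode($plain)
}

# Wrap the raw handle so it is closed when disposed.
$token = New-Object Microsoft.Win32.SafeHandles.SafeAccessTokenHandle($raw)

function Show-Context([string]$label, [string]$path) {
    # GetCurrent() returns the thread's impersonation token if one is set,
    # otherwise the process's primary token.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    '{0}: {1} (impersonation level: {2})' -f $label, $me.Name, $me.ImpersonationLevel
    try {
        # The open is an access check against whichever token the thread holds now.
        [IO.File]::OpenRead($path).Dispose()
        '  {0}: readable' -f $path
    } catch [UnauthorizedAccessException] {
        '  {0}: access denied' -f $path
    } catch {
        '  {0}: {1}' -f $path, $_.Exception.GetType().Name
    }
}

try {
    Show-Context 'Before (service primary token)' $Path

    # Inside the action this thread carries an impersonation token for $Username;
    # every access check in it uses that token's SIDs, not the process account's.
    [System.Security.Principal.WindowsIdentity]::RunImpersonated($token, [Action]{
        Show-Context "During (impersonating $Username)" $Path
    })

    # RunImpersonated reverts the thread to the primary token, even if the action throws.
    Show-Context 'After (service primary token)' $Path
} finally {
    $token.Dispose()
}
```

Give the placeholder file a DACL that grants the test account Read but denies it to your own account (or the reverse) and the three Show-Context lines will disagree about the same path, which is the whole point of impersonating: the check is made against the client's token. A token you created yourself with LogonUser can be impersonated without extra privilege; a real service that impersonates a token received from a client over RPC or a named pipe needs SeImpersonatePrivilege unless one of the documented exemptions applies.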