Windows Object Security - Univerzita Karlova DAC.pdf

May 25, 2020
Page 1

Windows Object Security


logon -> SID -> Access Token -> ACL

14.3.19 vjj 1

Page 2

Logon security

• local account
• Microsoft Account
• domain account - Ctrl+Alt+Del
• password, certificate, PIN, biometrics, draw pattern, ...

Page 3

Windows Kernel Object Security

• files, directories
• Registry
• processes, threads
• semaphores, events
• Active Directory
• Group Policy objects

Page 4

Windows Object Security

• local: Properties dialog (F10) -> Properties option -> Security tab
• API functions for Security Descriptor, ACL, ACE
• .NET Framework objects: Security Descriptor, ACL, ACE
• Group Policy: Computer Configuration | Policies | Security Settings | File System

Page 5

SUBJECT's Access Token
• User SID
• User Group SIDs
• Logon SID
• Privileges
• Owner SID
• Primary Group SID
• Default DACL
• Access Token Source
• Primary or Impersonation
• Restricting SIDs
• Impersonation Level (Identify, Impersonate, Delegate)

Security Descriptor
• Owner SID
• Group SID
• ACL (list): ACE (entry), ACE (entry), ACE (entry), ACE (entry), ACE (entry)

Page 6

access verification algorithm

• get object's ACL
• compare SIDs and requirements with ACEs
• deny ACE encountered -> access denied
• permit ACEs found for all requirements -> access allowed
• end of ACL encountered -> access denied
• no ACL -> no restrictions
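The following is an added model of the DACL walk just described, not code from the slides: an ordered list of ACEs is checked against a token's SIDs, and the two boundary cases (no DACL at all versus a DACL that is present but empty) are handled as the algorithm states. SIDs, masks and the sample token are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Access bits in the style of the Win32 GENERIC_* rights (constructed values).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
FULL = READ | WRITE | EXECUTE

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee the ACE applies to
    mask: int   # rights the ACE grants or denies

@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: frozenset

    def holds(self, sid: str) -> bool:
        return sid == self.user_sid or sid in self.group_sids

def access_check(token: Token, dacl: Optional[List[Ace]], requested: int) -> bool:
    """Walk the DACL in order and decide whether `requested` is granted."""
    if dacl is None:            # no DACL (SE_DACL_PRESENT clear) -> no restrictions
        return True
    remaining = requested       # rights not yet granted by an allow ACE
    for ace in dacl:            # an empty DACL runs zero iterations -> denied below
        if not token.holds(ace.sid) or not (ace.mask & remaining):
            continue            # ACE is for another trustee or irrelevant rights
        if ace.kind == "deny":
            return False        # a matching deny ACE ends the walk: access denied
        remaining &= ~ace.mask  # allow ACE: tick off the rights it grants
        if remaining == 0:
            return True         # every requested right found -> access allowed
    return False                # end of ACL with rights outstanding -> denied

# Constructed sample using well-known SIDs: Authenticated Users (S-1-5-11),
# Everyone (S-1-1-0), Built-in Guests (S-1-5-32-546), Administrators (S-1-5-32-544).
VJJ = Token("S-1-5-21-1-2-3-1103", frozenset({"S-1-5-11", "S-1-1-0"}))
GUEST = Token("S-1-5-21-1-2-3-501", frozenset({"S-1-5-32-546", "S-1-1-0"}))
CANONICAL_DACL = [
    Ace("deny", "S-1-5-32-546", FULL),          # Guests: deny everything, listed first
    Ace("allow", "S-1-5-11", READ | EXECUTE),   # Authenticated Users: read/execute
    Ace("allow", "S-1-1-0", READ),              # Everyone: read
    Ace("allow", "S-1-5-32-544", FULL),         # Administrators: full control
]
# Same ACEs with the deny ACE moved last: an allow ACE can now satisfy a
# guest's read request before the deny ACE is ever reached.
NON_CANONICAL_DACL = CANONICAL_DACL[1:] + CANONICAL_DACL[:1]

if __name__ == "__main__":
    for who, tok in (("vjj", VJJ), ("guest", GUEST)):
        for name, dacl in (("canonical", CANONICAL_DACL), ("non-canonical", NON_CANONICAL_DACL)):
            print(who, name, "READ:", access_check(tok, dacl, READ),
                  "WRITE:", access_check(tok, dacl, WRITE))
    print("no DACL:", access_check(GUEST, None, FULL), "empty DACL:", access_check(VJJ, [], READ))
```

The order of ACEs decides the outcome, which is why Windows tools keep explicit deny ACEs ahead of allow ACEs.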

Page 7

Access Token

• User SID - Security ID of the user under which the process/thread runs
• User Group SIDs - Security IDs of all groups of which the user is a member
• Primary Group SID
• Restricting SIDs - list of restricting SIDs added by CreateRestrictedToken
• Logon SID - identifies the logon session
• Access Token Source
• Primary or Impersonation
• Impersonation Level (Identify, Impersonate, Delegate) - for full impersonation the process must enable the user's privilege "Act as part of the operating system" (SE_TCB_NAME, "SeImpersonatePrivilege")
• Security Settings / Local Policies / User Rights Assignment / Act as part of the operating system
• Privileges - all privileges granted to the user, either individually or through the groups of which the user is a member
• Owner SID - Security ID of the user who will be set as the owner of newly created objects
• Default DACL - the security that will be set on newly created objects unless it is explicitly specified by the Security Descriptor parameter (what is the relationship to the DACL of, e.g., the directory in which a new file is being created?)

Page 8

Access Token

• two kinds:
  • "primary" token - bound to a process, the default for every thread of the process
  • "impersonation" token - bound to a thread that is currently impersonating
• in a token you can change:
  • the permissions granted to the impersonated user
  • which of the granted privileges are enabled
  • the default owner and DACL for kernel objects that a process with this token will subsequently create

Page 9

owner's permissions

Page 10

API

• OpenProcessToken - Retrieves a handle to the primary access token for a process.
• OpenThreadToken - Retrieves a handle to the impersonation access token for a thread.
• CreateRestrictedToken - Creates a new token that is a restricted version of an existing token. The restricted token can have disabled SIDs, deleted privileges, and a list of restricted SIDs.
• DuplicateToken - Creates a new impersonation token that duplicates an existing token.
• DuplicateTokenEx - Creates a new primary token or impersonation token that duplicates an existing token.
• AdjustTokenGroups - Changes the group information in an access token.
• AdjustTokenPrivileges - Enables or disables the privileges in an access token. It does not grant new privileges or revoke existing ones.
• SetTokenInformation - Changes a token's owner, primary group, or default DACL.

Page 11

API

BOOL WINAPI GetTokenInformation(
    _In_      HANDLE                  TokenHandle,
    _In_      TOKEN_INFORMATION_CLASS TokenInformationClass,
    _Out_opt_ LPVOID                  TokenInformation,
    _In_      DWORD                   TokenInformationLength,
    _Out_     PDWORD                  ReturnLength
);

• TOKEN_INFORMATION_CLASS values: TokenUser = 1, TokenGroups, TokenPrivileges, TokenOwner, TokenPrimaryGroup, TokenDefaultDacl, TokenSource, TokenType, TokenImpersonationLevel, TokenStatistics, TokenRestrictedSids, TokenSessionId, TokenGroupsAndPrivileges, TokenSessionReference, TokenSandBoxInert, TokenAuditPolicy, TokenOrigin, TokenElevationType, TokenLinkedToken, TokenElevation, TokenHasRestrictions, TokenAccessInformation, TokenVirtualizationAllowed, TokenVirtualizationEnabled, TokenIntegrityLevel, TokenUIAccess, TokenMandatoryPolicy, TokenLogonSid, TokenIsAppContainer, TokenCapabilities, TokenAppContainerSid, TokenAppContainerNumber, TokenUserClaimAttributes, TokenDeviceClaimAttributes, TokenRestrictedUserClaimAttributes, TokenRestrictedDeviceClaimAttributes, TokenDeviceGroups, TokenRestrictedDeviceGroups, TokenSecurityAttributes, TokenIsRestricted, MaxTokenInfoClass

Page 12

Access Token in .NET

• IIdentity - authentication
• IPrincipal - authorization
• .NET: WindowsIdentity and WindowsPrincipal
• the WindowsPrincipal and WindowsIdentity objects are linked to each other
• token of the current thread: WindowsIdentity.GetCurrent() wraps the token that represents the thread's security context (for a non-impersonating thread)

Page 13

Identity <-> Principal

using System.Security.Principal;

WindowsIdentity myIdentity = WindowsIdentity.GetCurrent();
WindowsPrincipal myPrincipal = new WindowsPrincipal(myIdentity);
// Identity is typed as IIdentity, so the cast back to WindowsIdentity is needed
myIdentity = (WindowsIdentity) myPrincipal.Identity;

Page 14

WindowsIdentity

WindowsIdentity myIdentity = WindowsIdentity.GetCurrent();
WindowsIdentity nullIdentity = WindowsIdentity.GetAnonymous();

myIdentity.Name
myIdentity.IsAuthenticated
myIdentity.IsAnonymous
myIdentity.IsGuest
myIdentity.IsSystem
myIdentity.AuthenticationType == "NTLM"

IntPtr myToken = myIdentity.Token;

Page 15

WindowsPrincipal

myPrincipal.IsInRole(WindowsBuiltInRole.Administrator)

• Determines whether the (current) principal belongs to the specified Windows user group.

Page 16

• how to create new application-dependent roles?

Page 17

• System.Web.Security.Roles
  • CreateRole(string roleName)
  • AddUserToRole(string username, string roleName)
  • AddUsersToRole(string[] usernames, string roleName)
  • AddUserToRoles(string username, string[] roleNames)

Page 18

imperative role-based security

using System.Security;
using System.Security.Permissions;

// demand a specific user in a specific role ...
PrincipalPermission p = new PrincipalPermission("novak", "admins");
// ... or, alternatively, any user in the role:
// PrincipalPermission p = new PrincipalPermission(null, "admins");

try {
    p.Demand();   // throws when the current principal does not satisfy the permission
}
catch (SecurityException e) {
    // access denied
}

Page 19

declarative role-based security

[PrincipalPermission(SecurityAction.Demand, Name = "novak")]

[PrincipalPermission(SecurityAction.Demand, Name = "novak", Role = "admins")]

[PrincipalPermission(SecurityAction.Demand, Role = "admins")]


Page 21

get-acl

> dir | get-acl | fl

Path              : Microsoft.PowerShell.Core\FileSystem::C:\Users\vjj\Documents\WindowsPowerShell\Active Directory
Owner             : WIN\vjj
Group             :
Access            :
  FileSystemRights  : FullControl
  AccessControlType : Allow
  IdentityReference : BUILTIN\Administrators
  IsInherited       : True
  InheritanceFlags  : ContainerInherit, ObjectInherit
  PropagationFlags  : None
Audit             :
Sddl (Security Descriptor Definition Language) :

Page 22

get-acl

> get-acl C:\Users\vjj\Documents | fl

Path   : Microsoft.PowerShell.Core\FileSystem::C:\Users\vjj\Documents
Owner  : WIN\vjj
Group  : WIN\Domain Users
Access : NT AUTHORITY\SYSTEM Allow FullControl
         BUILTIN\Administrators Allow FullControl
         WIN\vjj Allow FullControl
Audit  :
Sddl   : O:S-1-5-21-2378754280-655980599-3492758231-1103

Page 23

• Deny Access to Anonymous logon
• Allow Read/Write/eXecute to Authenticated Users
• Allow full control (Access) to Built-in Administrators
• Deny Access to Built-in Guests
Page 24

Security Descriptor Definition Language

• CI - CONTAINER INHERIT: child objects that are containers, such as directories, inherit the ACE as an explicit ACE
• OI - OBJECT INHERIT: child objects that are not containers inherit the ACE as an explicit ACE
• .....
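As an added example (not from the slides), here is a small parser for the owner, group and DACL parts of an SDDL string like the Sddl property Get-Acl prints, decoding the ACE type, the CI/OI inheritance flags above, the rights and the trustee. The sample string is constructed to carry the four ACEs listed on slide 23; its owner and group SIDs are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List

# SDDL two-letter codes (the documented Win32 SDDL string constants).
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED"}
RIGHTS = {"FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE",
          "FX": "FILE_GENERIC_EXECUTE", "GA": "GENERIC_ALL", "GR": "GENERIC_READ",
          "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE"}
TRUSTEES = {"BA": "BUILTIN\\Administrators", "BG": "BUILTIN\\Guests", "SY": "NT AUTHORITY\\SYSTEM",
            "AN": "NT AUTHORITY\\ANONYMOUS LOGON", "AU": "NT AUTHORITY\\Authenticated Users",
            "WD": "Everyone"}
DACL_CONTROL = {"P": "PROTECTED", "AI": "AUTO_INHERITED", "AR": "AUTO_INHERIT_REQ"}

@dataclass
class SddlAce:
    ace_type: str
    flags: List[str]
    rights: List[str]
    trustee: str

def tokens(s: str, table: dict) -> List[str]:
    """Split a run of two-letter SDDL codes ("OICI" -> OBJECT_INHERIT, CONTAINER_INHERIT)."""
    if len(s) % 2:
        raise ValueError(f"odd-length SDDL token run: {s!r}")
    return [table[s[i:i + 2]] for i in range(0, len(s), 2)]

def parse_sddl(sddl: str) -> dict:
    """Parse the O:, G: and D: parts; an S: (SACL) part is accepted but not decoded."""
    parts = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    dacl_text = parts.get("D", "")
    control, ctrl, i = dacl_text.split("(")[0], [], 0
    while i < len(control):               # "P" is one letter, "AI"/"AR" are two
        width = 1 if control[i] == "P" else 2
        ctrl.append(DACL_CONTROL[control[i:i + width]])
        i += width
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl_text):
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = body.split(";")
        rights_list = [hex(int(rights, 16))] if rights.startswith("0x") else tokens(rights, RIGHTS)
        aces.append(SddlAce(ACE_TYPES[ace_type], tokens(flags, ACE_FLAGS), rights_list,
                            TRUSTEES.get(sid, sid)))
    return {"owner": TRUSTEES.get(parts.get("O"), parts.get("O")),
            "group": TRUSTEES.get(parts.get("G"), parts.get("G")),
            "control": ctrl, "dacl": aces}

def is_canonical(aces: List[SddlAce]) -> bool:
    """Canonical order: explicit deny, then explicit allow, then inherited ACEs."""
    def rank(a: SddlAce) -> int:
        if "INHERITED" in a.flags:
            return 2
        return 0 if a.ace_type == "ACCESS_DENIED" else 1
    ranks = [rank(a) for a in aces]
    return ranks == sorted(ranks)

# Constructed sample matching the four ACEs on slide 23 (placeholder owner/group SIDs).
SAMPLE_SDDL = ("O:S-1-5-21-1-2-3-1103G:S-1-5-21-1-2-3-513"
               "D:PAI(D;;FA;;;AN)(D;;FA;;;BG)(A;OICI;FRFWFX;;;AU)(A;OICI;FA;;;BA)")

if __name__ == "__main__":
    sd = parse_sddl(SAMPLE_SDDL)
    print("owner:", sd["owner"], "control:", sd["control"], "canonical:", is_canonical(sd["dacl"]))
    for ace in sd["dacl"]:
        print(f"  {ace.ace_type:<14} {ace.trustee:<36} {'+'.join(ace.rights)} {ace.flags}")
```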

Page 25

GetAccessRules

$sd = Get-Acl C:\users\vjj\Documents
# includeExplicit, includeInherited, and the type the trustees are reported as
$accessrules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$accessrules | fl

Page 26

copy ACL

$myACL = Get-Acl myTest1.txt
Set-Acl myTest2.txt -AclObject $myACL

# apply the same ACL to every .txt file under c:\temp
dir -Path c:\temp -Recurse -Include *.txt -Force | Set-Acl -AclObject $myACL

Page 27

.NET

using System.IO;
using System.Security.AccessControl;

FileSecurity fSecurity = File.GetAccessControl(fileName);
fSecurity.AddAccessRule(new FileSystemAccessRule(
    /* account, FileSystemRights, AccessControlType: not legible on the slide */));
File.SetAccessControl(fileName, fSecurity);

Page 28

.NET

using System.IO;
using System.Security.AccessControl;

DirectoryInfo dInfo = new DirectoryInfo(FileName);
DirectorySecurity dSecurity = dInfo.GetAccessControl();
dSecurity.AddAccessRule(new FileSystemAccessRule(
    /* account, FileSystemRights, InheritanceFlags, PropagationFlags, AccessControlType: not legible on the slide */));
dInfo.SetAccessControl(dSecurity);

Page 29

.NET and ACE in AD

using ActiveDs;
using System.Collections;
using System.DirectoryServices;

DirectoryEntry DirEnt = new DirectoryEntry("LDAP://CN=vjj, DC=WIN, DC=MS, DC=MFF, DC=CUNI, DC=CZ");
SecurityDescriptor sd = (SecurityDescriptor) DirEnt.Properties["ntSecurityDescriptor"].Value;
AccessControlList acl = (AccessControlList) sd.DiscretionaryAcl;
foreach (AccessControlEntry ace in (IEnumerable) acl) {
    Console.WriteLine("Trustee: {0}", ace.Trustee);
    Console.WriteLine("AccessMask: {0}", ace.AccessMask);
    Console.WriteLine("Access Type: {0}", ace.AceType);
}


Page 31

(the SUBJECT's Access Token / Security Descriptor diagram from slide 5, repeated)

Page 32

Allowing any access

PSECURITY_DESCRIPTOR pSD;
pSD = (PSECURITY_DESCRIPTOR) HeapAlloc(hHeap, 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorDacl(pSD, FALSE, NULL, FALSE);   // bDaclPresent = FALSE: no DACL at all
SetFileSecurity(lpszFileName, DACL_SECURITY_INFORMATION, pSD);

the SE_DACL_PRESENT flag is cleared in the security descriptor

Page 33

Diagram: computation thread -> Object
• SUBJECT's Access Token: user SID, group SIDs
• Security Descriptor: owner SID, group SID

Page 34

// pSD declared and allocated as on slide 32
InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorDacl(pSD, TRUE, NULL, TRUE);   // DACL present but NULL, flagged as defaulted
SetFileSecurity(lpszFileName, DACL_SECURITY_INFORMATION, pSD);

Page 35

// pSD declared and allocated as on slide 32
InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorDacl(pSD, TRUE, NULL, FALSE);   // DACL present but NULL, not defaulted
SetFileSecurity(lpszFileName, DACL_SECURITY_INFORMATION, pSD);

FALSE => DACL set to default

Page 36

Denying any access

PSECURITY_DESCRIPTOR pSD;
PACL pAcl;
pSD = (PSECURITY_DESCRIPTOR) HeapAlloc(hHeap, 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
pAcl = (PACL) HeapAlloc(hHeap, 0, 1024);
InitializeAcl(pAcl, 1024, ACL_REVISION2);            // empty ACL: no ACE at all
SetSecurityDescriptorDacl(pSD, TRUE, pAcl, FALSE);    // DACL present and empty => every access denied
SetFileSecurity(lpszFileName, DACL_SECURITY_INFORMATION, pSD);

Page 37

Diagram: computation thread -> Object
• SUBJECT's Access Token: user SID, group SIDs
• Security Descriptor: owner SID, group SID, ACL (list)

Page 38

Specific permissions 1/3

PSECURITY_DESCRIPTOR pSD;
PACL pAcl;
PSID pSid;
PSID_NAME_USE pSidNameUse;
DWORD dwSidLength = 1024;
DWORD dwDomainLength = 80;
LPSTR lpszAccount = "vjj";
LPSTR lpszDomain;

Page 39

Specific permissions 2/3

pSD = (PSECURITY_DESCRIPTOR) HeapAlloc(hHeap, 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
pAcl = (PACL) HeapAlloc(hHeap, 0, 1024);
InitializeAcl(pAcl, 1024, ACL_REVISION2);
pSid = (PSID) HeapAlloc(hHeap, 0, dwSidLength);
pSidNameUse = (PSID_NAME_USE) HeapAlloc(hHeap, 0, 1024);
lpszDomain = (LPSTR) HeapAlloc(hHeap, 0, 80);

Page 40

Specific permissions 3/3

LookupAccountName(NULL,               // NULL = the local system
                  lpszAccount, pSid, &dwSidLength,
                  lpszDomain, &dwDomainLength, pSidNameUse);
// the BOOL result of LookupAccountName should be checked as well
if (IsValidSid(pSid)) {
    AddAccessAllowedAce(pAcl, ACL_REVISION2, GENERIC_READ, pSid);
    SetSecurityDescriptorDacl(pSD, TRUE, pAcl, FALSE);
    SetFileSecurity(lpszFileName, DACL_SECURITY_INFORMATION, pSD);
}

Page 41

Diagram: computation thread -> Object
• SUBJECT's Access Token: user SID, group SIDs
• Security Descriptor: owner SID, group SID, ACL (list), ACE (entry)

Page 42

PowerShell and ACL

$objUser = New-Object System.Security.Principal.NTAccount("win\vjj")
$fsRights = [System.Security.AccessControl.FileSystemRights]"FullControl"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType = [System.Security.AccessControl.AccessControlType]::Allow
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $objUser, $fsRights, $InheritanceFlag, $PropagationFlag, $objType)
$objACL = Get-ACL "C:\testFolder\Test1.txt"
$objACL.AddAccessRule($objACE)
Set-ACL "C:\testFolder\Test1.txt" $objACL

Page 43

Mandatory Integrity Control

• Integrity Level checks before ACL
• implemented through a new type of ACE on a security descriptor