Dossier: Microsoft access tokens

Outline

  1. Contents of an access token
  2. Physical token
  3. Tools
  4. Privileges and registry keys
  5. Complete diagram
  6. Useful links

Contents of an access token

An access token is re-created every time a security principal is authenticated (logs on), and it contains the following information used for accessing resources:


  • The SID for the user’s account.
  • A list of SIDs for security groups that include the user and the privileges held on the local computer by the user and the user’s security groups. This list includes SIDs both for domain-based security groups, if the user is a member of a domain, and for local security groups.
  • The SID of the user or security group that becomes the default owner of any object that the user creates or takes ownership of.
  • The SID for the user’s primary group.
  • The default discretionary access control lists (DACLs) that the operating system applies to objects created by the user if no other access control information is available.
  • A list of privileges associated with the user’s account.
  • The source that caused the access token to be created, such as the Session Manager or LAN Manager.
  • A value indicating whether the access token is a primary token, which represents the security context of a process, or an impersonation token, which is an access token that a thread within a service process can use to temporarily adopt a different security context, such as the security context for a client of the service.
  • A value that indicates to what extent a service can adopt the security context of a client represented by this access token.
  • Statistics about the access token that are used internally by the operating system.
  • An optional list of SIDs added to an access token by a process to restrict use of the token.
  • A session ID that indicates whether the token is associated with a Terminal Services client session. (The session ID also makes fast user switching possible because it contains a list of privileges.)

 

A copy of the access token is attached to every thread and process that the user runs.

 

The security reference monitor (SRM) then compares the security descriptors in the token with the security IDs for every file, folder, printer, or application that the user attempts to access. In this way, the access token provides a security context for the security principal’s actions on the computer.

 

Physical token

[Figure: Access Tokens Physical Structure. Fields shown, in order: User; Group 1 SID … Group n SID; Privilege 1 … Privilege n; Default Owner; Primary Group; Default Discretionary Access Control List (DACL); Source; Type; Impersonation Level; Statistics; Restricting SID 1 … Restricting SID n; TS Session ID; Session Reference; SandBox Inert; Audit Policy; Origin.]

An access token contains a complete description of the security context for a process or thread, including the fields listed above.

Tools

AD consoles

whoami
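The whoami tool listed above is the quickest way to see what is in a token. As an added example (not code from the original page), the PowerShell function below maps the list in "Contents of an access token" onto the current process token: .NET's WindowsIdentity supplies the user SID, default owner SID and token type, and the CSV output of whoami supplies group attributes and privileges with their enabled state. The three privilege names it singles out are the token-specific privileges discussed later in this dossier.

```powershell
# Added example (not from the original page): summarise the main fields of the
# current process token, mapped to the list in "Contents of an access token".
# WindowsIdentity gives the SIDs and token type; whoami's CSV output gives
# group attributes and privileges with their current state.

function Get-CurrentTokenSummary {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # whoami /fo csv is much easier to parse than its default table layout.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv

    $tokenPrivs = 'SeCreateTokenPrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeImpersonatePrivilege'

    [pscustomobject]@{
        User               = $id.Name
        UserSid            = $id.User.Value          # the user's account SID
        OwnerSid           = $id.Owner.Value         # default owner for objects the user creates
        AuthenticationType = $id.AuthenticationType  # e.g. Kerberos, NTLM, Negotiate
        # A primary token reports ImpersonationLevel None; any other value means the
        # current thread is running under an impersonation token.
        ImpersonationLevel = $id.ImpersonationLevel
        IsPrimaryToken     = ($id.ImpersonationLevel -eq [System.Security.Principal.TokenImpersonationLevel]::None)
        # Group SIDs with their attributes (Mandatory group, Enabled by default,
        # Enabled group, Group used for deny only, ...).
        Groups             = @($groups | Select-Object 'Group Name', SID, Attributes)
        # Deny-only groups are in the token purely to match deny ACEs; they never grant access.
        DenyOnlyGroups     = @($groups | Where-Object { $_.Attributes -match 'deny only' } |
                               ForEach-Object { $_.'Group Name' })
        # Every privilege on the token with its current state (Enabled/Disabled).
        Privileges         = @($privs | Select-Object 'Privilege Name', State)
        # Which of the three token-specific privileges are present on this token?
        TokenPrivileges    = @($privs | Where-Object { $_.'Privilege Name' -in $tokenPrivs } |
                               Select-Object 'Privilege Name', State)
    }
}

$summary = Get-CurrentTokenSummary
$summary | Select-Object User, UserSid, OwnerSid, AuthenticationType, ImpersonationLevel, IsPrimaryToken | Format-List
$summary.Groups          | Format-Table -AutoSize
$summary.Privileges      | Format-Table -AutoSize
$summary.TokenPrivileges | Format-Table -AutoSize
```

Run it once from a normal prompt and once from an elevated one: the two results show how UAC filtering changes the group attributes (deny-only entries) and which privileges are enabled, without the user SID changing.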

Ntrights.exe: Ntrights

Category

Ntrights is included in the Windows Server 2003 Resource Kit and the Windows 2000 Resource Kit.

Version compatibility

Ntrights is supported for Windows Server 2003, XP

Ntrights is a command-line tool that enables you to assign or revoke a right for a user or group of users on a local or remote computer. You can also place an entry that notes the change in the event log of the computer.

Ntrights is useful in unattended or automated installations during which you might want to change the default rights. You can also use the tool in situations where you need to change a right in an existing installation, but you cannot access and log on to all computers.

To find more information about Ntrights, see Windows Server 2003 Resource Kit Tools Help in the Tools and Settings Collection.

 

Showpriv.exe: Show Privilege

Category

Show Privilege is included in the Windows Server 2003 Resource Kit and the Windows 2000 Resource Kit.

Version Compatibility

Show Privilege is supported for Windows Server 2003, XP

Show Privilege is a command-line tool that displays the rights assigned to users and groups. The tool must be run locally on the target computer. To display users and groups that have domain privileges, Show Privilege must be run on a domain controller. The following table shows the privileges specific to access tokens.

Access Token Privileges

| Privilege name | Equivalent security policy user right setting | Description |
|---|---|---|
| SeCreateTokenPrivilege | Create a token object | Allows a process to create an access token. |
| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Allows a process that has this privilege to replace the access token associated with a process. |
| SeImpersonatePrivilege | Impersonate a client after authentication | Allows a process to impersonate. |

To find more information about Show Privilege, see Windows Server 2003 Resource Kit Tools Help in the Tools and Settings Collection.
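Ntrights and Show Privilege only ship with the old resource kits. As an added example (not code from the page or from the resource kit), the function below performs the Show Privilege check for the three token privileges in the table above on current Windows: it exports the local user-rights policy with secedit, parses the [Privilege Rights] section and resolves each SID to an account name. It must be run from an elevated prompt, and the file name and the "(nobody)" marker are my own choices.

```powershell
# Added example (not from the original page or the resource kit): report which
# accounts hold the three token-related privileges on the local computer.
# Requires an elevated prompt because secedit /export needs administrator rights.

function Get-TokenPrivilegeHolders {
    param(
        [string[]]$Privileges = @('SeCreateTokenPrivilege',
                                  'SeAssignPrimaryTokenPrivilege',
                                  'SeImpersonatePrivilege')
    )

    $inf = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    try {
        # Export only the user-rights area of the local security policy.
        secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
        if (-not (Test-Path $inf)) { throw 'secedit export failed (not elevated?)' }

        # The [Privilege Rights] section contains lines such as
        #   SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19
        # where a leading * marks a SID rather than an account name.
        $inSection = $false
        $seen = @{}
        foreach ($line in Get-Content $inf) {
            if ($line -match '^\[(.+)\]\s*$') {
                $inSection = ($Matches[1] -eq 'Privilege Rights')
                continue
            }
            if (-not $inSection) { continue }
            if ($line -match '^(?<priv>Se\w+)\s*=\s*(?<val>.*)$' -and $Matches['priv'] -in $Privileges) {
                $priv = $Matches['priv']
                $seen[$priv] = $true
                foreach ($entry in ($Matches['val'] -split ',')) {
                    $entry = $entry.Trim()
                    if (-not $entry) { continue }
                    $holder = $entry
                    if ($entry.StartsWith('*')) {
                        # Resolve the SID to a name; keep the raw SID when it no
                        # longer resolves (orphaned entries deserve a second look).
                        try {
                            $sid    = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                            $holder = $sid.Translate([System.Security.Principal.NTAccount]).Value
                        } catch { $holder = $entry.Substring(1) }
                    }
                    [pscustomobject]@{ Privilege = $priv; Holder = $holder; Raw = $entry }
                }
            }
        }
        # A privilege with no line in the export is held by nobody; say so explicitly.
        foreach ($p in $Privileges) {
            if (-not $seen[$p]) { [pscustomobject]@{ Privilege = $p; Holder = '(nobody)'; Raw = '' } }
        }
    }
    finally { Remove-Item $inf -ErrorAction SilentlyContinue }
}

Get-TokenPrivilegeHolders | Sort-Object Privilege, Holder | Format-Table -AutoSize
```

On a default installation SeCreateTokenPrivilege should come back as "(nobody)"; any account listed there, or any unexpected account holding SeAssignPrimaryTokenPrivilege, is worth reconciling against the Group Policy user-rights assignment.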

 

Access Tokens Registry Entries

The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as MMC to accomplish tasks. If you must edit the registry, use extreme caution.

The following registry settings that affect access tokens cannot be modified by using Group Policy or other Windows tools.

 

EveryoneIncludesAnonymous

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

Version compatibility

EveryoneIncludesAnonymous is supported for Windows Server 2003 and Windows XP.

This registry setting controls whether the Everyone SID is included in the access token generated for an anonymous user.

EveryoneIncludesAnonymous Settings

| Setting | Effect |
|---|---|
| 0 (default) | Do not include the Everyone SID in the access token generated for an anonymous user. |
| 1 | Include the Everyone SID in the access token generated for an anonymous user. |

RestrictAnonymous

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

Version compatibility

RestrictAnonymous is supported for Windows Server 2003, Windows XP, and Windows 2000.

This registry setting restricts anonymous users from displaying lists of users, and from viewing security permissions.

RestrictAnonymous Settings

| Setting | Effect |
|---|---|
| 0 (default) | Anonymous users are not restricted. Rely on default permissions. |
| 1 | Do not allow enumeration of Security Accounts Manager (SAM) accounts and shares. |
| 2 | In Windows 2000, do not include the Everyone SID in the access token generated for an anonymous user. Not supported in Windows Server 2003. |

Results of Anonymous User Settings

Anonymous User: Windows 2000

| RestrictAnonymous setting | Can enumerate local SAM accounts and shares? | Can access other securable objects if: |
|---|---|---|
| 0 | Yes | Anonymous or Everyone is granted access by the object’s access control list (ACL). |
| 1 | No | Anonymous or Everyone is granted access by the object’s ACL. |
| 2 | No | Anonymous is explicitly granted access by the object’s ACL. |

Anonymous User: Windows Server 2003 and Windows XP

| RestrictAnonymous setting | EveryoneIncludesAnonymous setting | Can enumerate local SAM accounts and shares? | Can access other securable objects if: |
|---|---|---|---|
| 0 | 0 | Yes | Anonymous is explicitly granted access by the object’s ACL. |
| 0 | 1 | Yes | Anonymous or Everyone is granted access by the object’s ACL. |
| 1 | 0 | No | Anonymous is explicitly granted access by the object’s ACL. |
| 1 | 1 | No | Anonymous or Everyone is granted access by the object’s ACL. |
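As an added example (not code from the original page), the function below reads the two LSA values from the registry path given above and reports their combined effect using the two tables: the Windows Server 2003/XP table by default, or the Windows 2000 table with -Windows2000. A value that is absent from the registry is treated as its documented default, 0. The "Hardened" field is my own summary of the tightest combination the tables describe.

```powershell
# Added example (not from the original page): read RestrictAnonymous and
# EveryoneIncludesAnonymous from the LSA key and state their combined effect
# using the tables above. A value missing from the registry behaves as its
# default, 0. Use -Windows2000 to apply the Windows 2000 table instead.

function Get-AnonymousAccessPosture {
    param(
        [string]$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
        [switch]$Windows2000
    )

    $props = Get-ItemProperty -Path $LsaKey -ErrorAction Stop
    # [int]$null evaluates to 0, so an absent value becomes the documented default.
    $restrict = [int]$props.RestrictAnonymous
    $everyone = [int]$props.EveryoneIncludesAnonymous

    $warnings = @()
    if ($Windows2000) {
        # Windows 2000: RestrictAnonymous alone answers both questions;
        # only the value 2 removes Everyone from the anonymous token.
        $canEnumerate    = ($restrict -eq 0)
        $everyoneApplies = ($restrict -lt 2)
    } else {
        # Windows Server 2003 / XP: RestrictAnonymous governs enumeration,
        # EveryoneIncludesAnonymous governs whether Everyone is in the token.
        if ($restrict -eq 2) {
            $warnings += 'RestrictAnonymous=2 is not supported on Windows Server 2003/XP; the tables define no behaviour for it.'
        }
        $canEnumerate    = ($restrict -eq 0)
        $everyoneApplies = ($everyone -eq 1)
    }

    if ($everyoneApplies) {
        $accessRule = 'Anonymous or Everyone is granted access by the object ACL'
    } else {
        $accessRule = 'Anonymous is explicitly granted access by the object ACL'
    }

    [pscustomobject]@{
        RestrictAnonymous                 = $restrict
        EveryoneIncludesAnonymous         = $everyone
        AnonymousCanEnumerateSamAndShares = $canEnumerate
        OtherObjectsAccessibleIf          = $accessRule
        # Tightest combination in the tables: no enumeration, no Everyone for anonymous.
        Hardened                          = (-not $canEnumerate -and -not $everyoneApplies)
        Warnings                          = $warnings
    }
}

Get-AnonymousAccessPosture | Format-List
```

Reading the key needs no special rights, so this can run as a scheduled compliance check; a machine reporting Hardened = False is one where the Group Policy setting "Network access: Let Everyone permissions apply to anonymous users" (covered below) or the RestrictAnonymous value deserves a look.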

Effects of Anonymous User Settings Entered in a Domain Controller’s Registry

Ability of anonymous users to enumerate account information

There is no local SAM on a domain controller. Thus, RestrictAnonymous does not control the ability of anonymous users to enumerate account information. Instead, access to account information is controlled by ACLs on account objects in Active Directory.

Ability of anonymous users to enumerate shared resources

Anonymous users will not be able to enumerate shared resources or pipes if RestrictAnonymous is set to equal 1.

Ability of Anonymous Users to Access Active Directory Data on Windows 2000 Domain Controllers

| RestrictAnonymous setting | Member of the Pre-Windows 2000 Compatible Access security group? | Access to any Active Directory data |
|---|---|---|
| 0 or 1 | No | No |
| 0 or 1 | Yes | Yes, if Everyone is a member of this group. |
| 2 | No | No |
| 2 | Yes | No |
| 2 | Yes, Anonymous must explicitly be a member. | Yes |

Ability of Anonymous Users to Access Active Directory Data on Windows Server 2003 Domain Controllers

| EveryoneIncludesAnonymous setting | Member of the Pre-Windows 2000 Compatible Access security group? | Access to any Active Directory data |
|---|---|---|
| 0 | No | No |
| 0 | Yes | Yes, if Anonymous is also a member of this group. |
| 1 | Yes | Yes, even if Anonymous is not a member of this group, as long as Everyone is a member of this group. |

Note

  • Both Everyone and Anonymous are members of the Pre-Windows 2000 Compatible Access group by default in Windows Server 2003.

Access Tokens Group Policy Settings

The following table lists and describes the Group Policy settings that are associated with access tokens.

Group Policy Settings Associated with Access Tokens

| Group Policy setting | Description |
|---|---|
| User Rights Assignment: Create a token object; Replace a process level token | Changes to these settings control whether a process can call the APIs that create tokens and whether a process can replace a token. |
| Audit Policy: Audit policy change; Audit privilege use; Audit process tracking | Changes to these settings generate audits when rights are assigned with one of the tools discussed earlier, log each use of SeAssignPrimaryTokenPrivilege (audit privilege use), and create an audit for assigning a primary token that records the two processes involved and the identity of the token assigned. |
| Security Options: Network access: Let Everyone permissions apply to anonymous users | Changes to this setting affect whether Everyone is in the token for anonymous users. |
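The audit settings above are only useful if someone reads the resulting events. As an added example (not code from the original page), the function below hunts the Security log for logons that were granted the token privileges discussed in this dossier. It relies on Security event ID 4672, "Special privileges assigned to new logon", which is not mentioned on the page: it is the successor on Windows Vista and later of event 576 on the Windows Server 2003/XP systems the page describes, and it is only written when privilege-use auditing is enabled. Reading the Security log requires administrator rights; the time window and the list of watched privileges are my own defaults.

```powershell
# Added example (not from the original page): list recent logons whose token was
# granted one of the token-related privileges. Event 4672 is emitted once per logon
# that receives a sensitive privilege; it is not on the page but is the current
# form of the privilege-use audit described there. Requires an elevated prompt.

function Find-TokenPrivilegeLogons {
    param(
        [int]$Hours = 24,
        [string[]]$Watch = @('SeCreateTokenPrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeImpersonatePrivilege'),
        [string]$LogName = 'Security'
    )

    $filter = @{ LogName = $LogName; Id = 4672; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The XML view names every EventData field, which is more robust than
        # relying on the position of entries in $e.Properties.
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # PrivilegeList is a whitespace-separated list of privilege names.
        $privs = @(($data['PrivilegeList'] -split '\s+') | Where-Object { $_ })
        $hits  = @($privs | Where-Object { $_ -in $Watch })
        if ($hits.Count -eq 0) { continue }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            LogonId = $data['SubjectLogonId']
            Matched = ($hits -join ',')
        }
    }
}

# Summarise per account: how many logons and which watched privileges they received.
Find-TokenPrivilegeLogons | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Privileges'; e = { ($_.Group.Matched | Sort-Object -Unique) -join ' ' } } |
    Format-Table -AutoSize
```

Expect the built-in service accounts to appear constantly with SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege; the interesting rows are interactive user accounts that receive those privileges, or any account at all that receives SeCreateTokenPrivilege, so the output is best compared against a baseline taken from a known-good machine.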

 

Access Tokens WMI Classes

The following table lists and describes the WMI classes that are associated with access tokens.

| Class name | Namespace | Version compatibility |
|---|---|---|
| Win32_TokenGroups | \root\cimv2 | Windows Server 2003, Windows XP |
| Win32_TokenPrivileges | \root\cimv2 | Windows Server 2003, Windows XP |

Sources

  • https://technet.microsoft.com/fr-fr/library/dn169025(v=ws.10).aspx
  • Access Tokens Technical Reference
  • https://technet.microsoft.com/fr-fr/library/cc779140(v=ws.10).aspx
