- Contents of an access token
- Physical token
- Privileges and registry keys
- Complete diagram
- Useful links
Contents of an access token
An access token is re-created every time a security principal is authenticated (logs on), and it contains the following information used for accessing resources:
- The SID for the user’s account.
- A list of SIDs for security groups that include the user and the privileges held on the local computer by the user and the user’s security groups. This list includes SIDs both for domain-based security groups, if the user is a member of a domain, and for local security groups.
- The SID of the user or security group that becomes the default owner of any object that the user creates or takes ownership of.
- The SID for the user’s primary group.
- The default discretionary access control lists (DACLs) that the operating system applies to objects created by the user if no other access control information is available.
- A list of privileges associated with the user’s account.
- The source that caused the access token to be created, such as the Session Manager or LAN Manager.
- A value indicating whether the access token is a primary token, which represents the security context of a process, or an impersonation token, which is an access token that a thread within a service process can use to temporarily adopt a different security context, such as the security context for a client of the service.
- A value that indicates to what extent a service can adopt the security context of a client represented by this access token.
- Statistics about the access token that are used internally by the operating system.
- An optional list of SIDs added to an access token by a process to restrict use of the token.
- A session ID that identifies the logon session (for example a Terminal Services client session or a Fast User Switching session) the token is associated with.
A copy of the access token is attached to every thread and process that the user runs.
The security reference monitor (SRM) then compares the SIDs and privileges in the token with the security descriptor (in particular the DACL) of every file, folder, printer, or application that the user attempts to access. In this way, the access token provides the security context for the security principal's actions on the computer.
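As an added example (not code from the original page), the script below dumps the token fields listed above for the current process using .NET's WindowsIdentity class and whoami; Resolve-Sid is a small helper defined here, not a built-in cmdlet. It runs in Windows PowerShell 5.1 or PowerShell 7 without elevation.

```powershell
# Added example (not part of the original page): dump the fields of the
# current process token that the list above describes.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

function Resolve-Sid([System.Security.Principal.SecurityIdentifier]$Sid) {
    # Group and owner SIDs do not always translate (deleted accounts, logon
    # session SIDs); fall back to the raw SID string rather than failing.
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

# User SID, and the SID that becomes the default owner of objects this token creates
'User  : {0}  ({1})' -f $id.User.Value, $id.Name
'Owner : {0}  ({1})' -f $id.Owner.Value, (Resolve-Sid $id.Owner)

# Group SIDs in the token: domain and local groups plus well-known SIDs
# such as Everyone, Authenticated Users and the per-logon-session SID
foreach ($g in $id.Groups) {
    'Group : {0,-48} {1}' -f $g.Value, (Resolve-Sid $g)
}

# Primary versus impersonation token: a primary token reports 'None' here; a
# thread that is impersonating reports Identification, Impersonation or Delegation
$kind = if ($id.ImpersonationLevel -eq 'None') { 'primary token' } else { "impersonation token ($($id.ImpersonationLevel))" }
'Type  : ' + $kind
'Sess  : ' + (Get-Process -Id $PID).SessionId

# Privileges held by the account (TokenPrivileges). whoami reports each one
# with its current state, because a privilege can be present but disabled.
whoami /priv /fo csv | ConvertFrom-Csv | ForEach-Object {
    'Priv  : {0,-36} {1}' -f $_.'Privilege Name', $_.State
}
```

Run it once from a normal prompt and once from an elevated prompt on the same account: the elevated (unfiltered) token carries additional group SIDs (for example BUILTIN\Administrators enabled instead of deny-only) and a longer privilege list, which is exactly the difference the SRM sees when it evaluates an ACL.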
Ntrights is included in the Windows Server 2003 Resource Kit and the Windows 2000 Resource Kit.
Ntrights is supported on Windows Server 2003 and Windows XP.
Ntrights is a command-line tool that enables you to assign or revoke a right for a user or group of users on a local or remote computer. You can also place an entry that notes the change in the event log of the computer.
Ntrights is useful in unattended or automated installations during which you might want to change the default rights. You can also use the tool in situations where you need to change a right in an existing installation but cannot access and log on to all computers.
To find more information about Ntrights, see Windows Server 2003 Resource Kit Tools Help in the Tools and Settings Collection.
Showpriv.exe: Show Privilege
Show Privilege is included in the Windows Server 2003 Resource Kit and the Windows 2000 Resource Kit.
Show Privilege is supported on Windows Server 2003 and Windows XP.
Show Privilege is a command-line tool that displays the rights assigned to users and groups. The tool must be run locally on the target computer. To display users and groups that have domain privileges, Show Privilege must be run on a domain controller. The following table shows the privileges specific to access tokens.
Access Token Privileges
|Privilege Name||Equivalent Security Policy User Right Setting||Description|
|SeCreateTokenPrivilege||Create a token object||Allows a process to create an access token.|
|SeAssignPrimaryTokenPrivilege||Replace a process-level token||Allows a process that has this privilege to replace the access token associated with a process.|
|SeImpersonatePrivilege||Impersonate a client after authentication||Allows a process to impersonate.|
To find more information about Show Privilege, see Windows Server 2003 Resource Kit Tools Help in the Tools and Settings Collection.
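Showpriv.exe and Ntrights.exe are not shipped with current Windows, but secedit exports the same User Rights Assignment data. The script below is an added example (not from the original page or the Resource Kit) that lists the accounts holding the three token privileges in the table above; Resolve-Holder is a helper defined here. It must run from an elevated prompt, which secedit requires. The check matters because any account holding SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege or SeImpersonatePrivilege can build or adopt another principal's security context, so these grants should be limited to the service accounts that need them.

```powershell
# Added example (not part of the original page): list who holds the three
# token-related privileges on the local machine via a secedit export.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The export is an INI file; [Privilege Rights] holds lines such as
#   SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
# where '*' prefixes a SID. A privilege held by nobody is simply absent.
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+Privilege)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object { $_.Trim() }
    }
}
Remove-Item $cfg

function Resolve-Holder([string]$Entry) {
    if (-not $Entry.StartsWith('*')) { return $Entry }   # already an account name
    $sid = [System.Security.Principal.SecurityIdentifier]($Entry.Substring(1))
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
}

foreach ($priv in 'SeCreateTokenPrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeImpersonatePrivilege') {
    if (-not $rights.ContainsKey($priv)) { "$priv : (not assigned to any account)"; continue }
    $holders = $rights[$priv] | ForEach-Object { Resolve-Holder $_ }
    "$priv : " + ($holders -join ', ')
}
```

On a default installation SeCreateTokenPrivilege is assigned to nobody, while SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege go to the built-in service accounts and, for the former, Administrators and SERVICE; anything beyond that list is worth a question. To change an assignment, use the User Rights Assignment policy or secedit /configure rather than Ntrights.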
Access Tokens Registry Entries
The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as MMC to accomplish tasks. If you must edit the registry, use extreme caution.
The following registry values that affect access tokens live under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. On Windows Server 2003 and Windows XP they are also exposed as Security Options in Group Policy (Network access: Do not allow anonymous enumeration of SAM accounts and shares, and Network access: Let Everyone permissions apply to anonymous users); setting the policy writes the same values, so prefer it to editing the registry directly.
EveryoneIncludesAnonymous is supported on Windows Server 2003 and Windows XP.
This registry setting controls whether the Everyone SID is included in the access token generated for an anonymous user.
|0||(default) Do not include the Everyone SID in the access token generated for an anonymous user.|
|1||Include the Everyone SID in the access token generated for an anonymous user.|
RestrictAnonymous is supported for Windows Server 2003, Windows XP, and Windows 2000.
This registry setting restricts anonymous users from displaying lists of users, and from viewing security permissions.
|0||(default) Anonymous users are not restricted. Rely on default permissions.|
|1||Do not allow enumeration of Security Accounts Manager (SAM) accounts and shares.|
|2||In Windows 2000, do not include the Everyone SID in the access token generated for an Anonymous user. Not supported in Windows Server 2003.|
Results of Anonymous User Settings
Anonymous User: Windows 2000
|Restrict Anonymous Setting||Can Enumerate Local SAM Accounts and Shares?||Can Access Other Securable Objects If:|
|0||Yes||Anonymous or Everyone is granted access by the object’s access control list (ACL).|
|1||No||Anonymous or Everyone is granted access by the object’s ACL.|
|2||No||Anonymous is explicitly granted access by the object’s ACL.|
Anonymous User: Windows Server 2003 and Windows XP
|Restrict Anonymous Setting||EveryoneIncludesAnonymous Setting||Can Enumerate Local SAM Accounts and Shares?||Can Access Other Securable Objects If:|
|0||0||Yes||Anonymous is explicitly granted access by the object’s ACL.|
|0||1||Yes||Anonymous or Everyone is granted access by the object’s ACL.|
|1||0||No||Anonymous is explicitly granted access by the object’s ACL.|
|1||1||No||Anonymous or Everyone is granted access by the object’s ACL.|
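As an added example (not from the original page), the script below reads the two values from the Lsa key, maps them onto the Windows Server 2003 and Windows XP table above, and shows the hardened values beside the weak ones. Get-LsaDword, Get-AnonymousPosture and Set-AnonymousHardening are functions defined here, not built-in cmdlets. Reading works as a standard user; writing the Lsa key needs an elevated session.

```powershell
# Added example (not part of the original page): report and harden the
# anonymous-token settings described in the tables above.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaDword([string]$Name) {
    # A value that is not present behaves like 0, the documented default.
    $item = Get-ItemProperty -Path $lsa -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { 0 } else { [int]$item.$Name }
}

function Get-AnonymousPosture {
    $ra  = Get-LsaDword 'RestrictAnonymous'
    $eia = Get-LsaDword 'EveryoneIncludesAnonymous'
    # Row lookup from the 2003/XP table: enumeration depends only on
    # RestrictAnonymous, ACL behaviour only on EveryoneIncludesAnonymous
    # (value 2 for RestrictAnonymous is a Windows 2000 setting only).
    $aclRule = if ($eia -eq 1) { 'Anonymous or Everyone is granted access by the ACL' } else { 'Anonymous is explicitly granted access by the ACL' }
    [pscustomobject]@{
        RestrictAnonymous         = $ra
        EveryoneIncludesAnonymous = $eia
        CanEnumerateSamAndShares  = ($ra -eq 0)
        AccessToOtherObjectsIf    = $aclRule
    }
}

function Set-AnonymousHardening {
    # Weak:      RestrictAnonymous = 0, EveryoneIncludesAnonymous = 1
    #            (SAM/share enumeration allowed, Everyone ACEs apply to anonymous)
    # Hardened:  RestrictAnonymous = 1, EveryoneIncludesAnonymous = 0
    Set-ItemProperty -Path $lsa -Name 'RestrictAnonymous'         -Value 1 -Type DWord
    Set-ItemProperty -Path $lsa -Name 'EveryoneIncludesAnonymous' -Value 0 -Type DWord
}

Get-AnonymousPosture | Format-List
```

Where Group Policy is available, set the two Security Options named above instead of calling Set-AnonymousHardening; they write the same values and are re-applied on policy refresh. After any change, re-run Get-AnonymousPosture after a reboot and confirm from another machine that an anonymous (null) session can no longer enumerate shares.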
Effects of Anonymous User Settings Entered in a Domain Controller’s Registry
Ability of anonymous users to enumerate account information
There is no local SAM on a domain controller. Thus, RestrictAnonymous does not control the ability of anonymous users to enumerate account information. Instead, access to account information is controlled by ACLs on account objects in Active Directory.
Ability of anonymous users to enumerate shared resources
Anonymous users will not be able to enumerate shared resources or pipes if RestrictAnonymous is set to 1.
Ability of Anonymous Users to Access Active Directory Data on Windows 2000 Domain Controllers
|Restrict Anonymous Setting||Pre-Windows 2000 Compatible Access Security Group Membership||Access to Any Active Directory Data|
|0 or 1||No||No|
|0 or 1||Yes||Yes, if Everyone is a member of this group.|
|2||Yes, Anonymous must be explicitly a member.||Yes|
Ability of Anonymous Users to Access Active Directory Data on Windows Server 2003 Domain Controllers
|EveryoneIncludesAnonymous Setting||Pre-Windows 2000 Compatible Access Security Group Membership||Access to Any Active Directory Data|
|0||Yes||Yes, if Anonymous is also a member of this group.|
|1||Yes||Yes, even if Anonymous is not a member of this group as long as Everyone is a member of this group.|
- Both Everyone and Anonymous are members of Pre-Windows 2000 Compatible Access group by default in Windows Server 2003.
Access Tokens Group Policy Settings
The following table lists and describes the Group Policy settings that are associated with access tokens.
Group Policy Settings Associated with Access Tokens
|Group Policy Setting||Description|
|User Rights Assignment:
Changes to these settings control:
Changes to this setting will:
Changes to this setting will affect whether Everyone is in the token for anonymous users.
Access Tokens WMI Classes
The following table lists and describes the WMI classes that are associated with access tokens.
|Class Name||Namespace||Version Compatibility|
|Win32_TokenGroups||\root\cimv2||Windows Server 2003|
|Win32_TokenPrivileges||\root\cimv2||Windows Server 2003|