Privileges are an important native security control in Windows. As the name suggests, privileges grant rights for accounts to perform privileged operations within the operating system: debugging, impersonation, etc. Defenders who understand privileges and how attackers may abuse them can enhance their detection and attack surface reduction capabilities. In this blog post, we give a brief introduction to privileges and share our recommendations for detecting and preventing their abuse. We walk through the key concepts a defender needs to understand to protect privileges, and provide an example of how to improve security through auditing, detection strategies, and targeted privilege removal.

Introduction to Windows privileges

A privilege is a right granted to an account to perform privileged operations within the operating system. It is important to distinguish between privileges (which apply to system-related resources) and access rights (which apply to securable objects). Microsoft provides a detailed explanation of Windows privileges in their Access Control documentation. Below, we walk through the most important concepts to understand if you want to better defend against abuse.

Access tokens

Access tokens are the foundation of all authorization decisions for securable resources hosted on the operating system. They are granted to authorized users by the Local Security Authority (LSA). The access token includes the user's security identifier (SID), group SIDs, privileges, integrity level, and other security-relevant information.

[Figure: User Access Token and a Securable Object. Reference: Microsoft Security Principals Documentation]

Every process or thread created by a user inherits a copy of their token. This token is used to perform access checks when accessing securable objects or performing privileged actions within the operating system. Access tokens may exist as primary tokens or impersonation tokens. Primary tokens function as described above and present the default security information for a process or thread. Impersonation allows a thread to perform an operation using an access token from another user or client. Impersonation tokens are typically used in client/server communication. For example, when a user accesses an SMB file share, the server needs a copy of the user's token to validate that the user has sufficient permissions. The executing server-side thread holds an impersonation token for the user in addition to the thread's primary token, and uses the impersonation token to perform access checks for the user's actions.
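Because a logon's token carries its privileges, Windows records them at logon time in Security event 4672 ("Special privileges assigned to new logon"), which is a practical starting point for the auditing and detection work described above. The following is an added example, not code from the original post: it parses the rendered text of 4672 events and flags logons whose tokens hold privileges a defender would want to review (debugging, impersonation, token assignment, driver loading, backup/restore). The event text, the allow-list of expected service accounts and the review list of privileges are all constructed here and should be tuned per environment; the privilege names themselves are the real Windows constants.

```python
"""Triage Windows Security event 4672 ("Special privileges assigned to new logon")
for high-risk token privileges. Added example; the event text below is constructed
to mirror the Security log's text rendering and is not taken from a real host."""
import re
from dataclasses import dataclass, field

# Privileges a defender usually wants to review closely (real Windows privilege names).
HIGH_RISK_PRIVILEGES = {
    "SeDebugPrivilege": "debug programs (open any process)",
    "SeImpersonatePrivilege": "impersonate a client after authentication",
    "SeAssignPrimaryTokenPrivilege": "replace a process-level token",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeLoadDriverPrivilege": "load and unload device drivers",
    "SeBackupPrivilege": "back up files and directories (bypasses ACLs)",
    "SeRestorePrivilege": "restore files and directories (bypasses ACLs)",
    "SeTakeOwnershipPrivilege": "take ownership of files or other objects",
}

# Built-in service identities that legitimately log on with these privileges.
# Constructed allow-list: tune it per environment.
EXPECTED_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

_ACCOUNT_RE = re.compile(r"Account Name:\s*(?P<name>[^\r\n]+)")
_DOMAIN_RE = re.compile(r"Account Domain:\s*(?P<domain>[^\r\n]+)")
_LOGON_RE = re.compile(r"Logon ID:\s*(?P<logon>0x[0-9A-Fa-f]+)")
# The privilege list is whitespace-separated and may span several lines.
_PRIVS_RE = re.compile(r"Privileges:\s*(?P<privs>(?:Se\w+Privilege\s*)+)")


@dataclass
class SpecialLogon:
    account: str
    domain: str
    logon_id: str
    privileges: list = field(default_factory=list)

    def high_risk(self):
        """Privileges in this logon's token that are on the review list, in log order."""
        return [p for p in self.privileges if p in HIGH_RISK_PRIVILEGES]


def parse_4672(message):
    """Parse one rendered 4672 message; return None if a required field is missing."""
    acc, dom, logon, privs = (r.search(message) for r in
                              (_ACCOUNT_RE, _DOMAIN_RE, _LOGON_RE, _PRIVS_RE))
    if not (acc and dom and logon and privs):
        return None
    return SpecialLogon(acc.group("name").strip(), dom.group("domain").strip(),
                        logon.group("logon"), privs.group("privs").split())


def triage(messages):
    """Return (DOMAIN\\account, logon id, risky privileges) for logons worth reviewing.
    Expected service accounts are skipped; logons with no review-list privilege are dropped."""
    findings = []
    for message in messages:
        event = parse_4672(message)
        if event is None or event.account.upper() in EXPECTED_ACCOUNTS:
            continue
        risky = event.high_risk()
        if risky:
            findings.append((f"{event.domain}\\{event.account}", event.logon_id, risky))
    return findings


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    """Special privileges assigned to new logon.

Subject:
    Security ID:        S-1-5-18
    Account Name:       SYSTEM
    Account Domain:     NT AUTHORITY
    Logon ID:           0x3E7

Privileges:     SeAssignPrimaryTokenPrivilege
                SeTcbPrivilege
                SeDebugPrivilege
""",
    """Special privileges assigned to new logon.

Subject:
    Security ID:        S-1-5-21-1111111111-2222222222-3333333333-1105
    Account Name:       jsmith
    Account Domain:     CORP
    Logon ID:           0x1A2B3C

Privileges:     SeSecurityPrivilege
                SeBackupPrivilege
                SeRestorePrivilege
                SeDebugPrivilege
""",
    """Special privileges assigned to new logon.

Subject:
    Security ID:        S-1-5-21-1111111111-2222222222-3333333333-1203
    Account Name:       svc_monitor
    Account Domain:     CORP
    Logon ID:           0x4D5E6F

Privileges:     SeSecurityPrivilege
                SeSystemtimePrivilege
""",
]

if __name__ == "__main__":
    for who, logon_id, risky in triage(SAMPLE_EVENTS):
        print(f"{who} (logon {logon_id}): " + ", ".join(
            f"{p} [{HIGH_RISK_PRIVILEGES[p]}]" for p in risky))
```

Only the interactive user `CORP\jsmith` is reported: the SYSTEM logon is on the expected-accounts list, and `svc_monitor` holds no privilege on the review list. In production, the same triage runs over 4672 records exported from the Security log (or forwarded to a SIEM) instead of the constructed strings, and a hit is a prompt to confirm whether the account genuinely needs those privileges or whether they can be removed.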