Windows Privileges and Access Control Mechanisms
Security Identifier (SID)
Windows uses a SID to identify entities. A SID is a unique value assigned to each entity, or principal, that can be authenticated by Windows, such as users and groups. The SIDs of local accounts and groups are generated by the Local Security Authority (LSA); for domain users and domain groups, they are generated on a Domain Controller (DC). A SID cannot be changed and is generated when the user or group is created.
Parts of a SID
The SID string consists of different parts, delimited by "-", and represented by the placeholders "S", "R", "X", and "Y". This is the fundamental structure of a SID:
S-R-X-Y
S: This is the first part of the string and just indicates that the string is a SID
R: "R" stands for revision and is always set to "1", since the overall SID structure is still on its initial version
X: Determines the identifier authority, that is, the authority that issues the SID. For example, "5" is the most common value for the identifier authority; it specifies NT Authority and is used for local or domain users and groups.
Y: Represents the sub authorities of the identifier authority. Every SID consists of one or more sub authorities. This part consists of the domain identifier and the relative identifier (RID). The domain identifier is the SID of the domain for domain users, the SID of the local machine for local users, and "32" for built-in principals. The RID identifies principals such as users or groups.
Here is an example SID of a local user on a Windows system:
S-1-5-21-1336799502-1441772794-948155058-1001
Because RIDs start at 1000 for nearly all principals, the example SID above belongs to the second local user created on the system.
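An added example, not from the original page, that parses a SID string into the S-R-X-Y parts described above and derives the domain identifier and RID; it also flags RIDs under 1000, which are reserved for well-known and built-in principals rather than created accounts. The `Sid` class and `parse_sid` function are names chosen here.

```python
"""Split a Windows SID string into its S-R-X-Y parts."""
import re
from dataclasses import dataclass
from typing import List, Optional

# "S", revision, identifier authority, then one or more sub authorities.
SID_RE = re.compile(r"^S-\d+-\d+(?:-\d+)+$")


@dataclass
class Sid:
    revision: int               # the "R" part, always 1 today
    identifier_authority: int   # the "X" part, e.g. 5 = NT Authority
    sub_authorities: List[int]  # the "Y" part: domain identifier + RID

    @property
    def rid(self) -> int:
        """The relative identifier is the last sub authority."""
        return self.sub_authorities[-1]

    @property
    def domain_identifier(self) -> Optional[str]:
        """Everything before the RID: the domain or machine SID for accounts,
        S-1-5-32 for built-in principals, None for SIDs such as S-1-5-18."""
        if len(self.sub_authorities) < 2:
            return None
        prefix = "-".join(str(s) for s in self.sub_authorities[:-1])
        return f"S-{self.revision}-{self.identifier_authority}-{prefix}"

    @property
    def is_builtin(self) -> bool:
        return self.identifier_authority == 5 and self.sub_authorities[0] == 32

    @property
    def is_well_known(self) -> bool:
        """RIDs below 1000 are reserved for generic/built-in principals
        (e.g. 500 = Administrator); created accounts start at 1000."""
        return self.rid < 1000


def parse_sid(text: str) -> Sid:
    """Parse a textual SID, rejecting malformed strings and unknown revisions."""
    if not SID_RE.match(text):
        raise ValueError(f"not a SID: {text!r}")
    parts = text.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    return Sid(revision, authority, [int(p) for p in parts[3:]])
```

For the page's example SID, `parse_sid` returns domain identifier S-1-5-21-1336799502-1441772794-948155058 and RID 1001, which is not well-known.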
There are SIDs with an RID under 1000, which are called well-known SIDs. These SIDs identify generic and built-in groups and users instead of specific groups and users. The following listing contains some well-known SIDs that matter in the context of privilege escalation:
S-1-0-0 Nobody
S-1-1-0 Everybody
S-1-5-11 Authenticated Users
S-1-5-18 Local System
S-1-5-domainidentifier-500 Administrator
How Windows Grants Access or Denies Operations
Tokens
Once a user is authenticated, Windows generates an access token that is assigned to that user. The token itself contains various pieces of information that effectively describe the security context of a given user. The security context is a set of rules or attributes that are currently in effect.
The security context of a token consists of the SID of the user, the SIDs of the groups the user is a member of, the user and group privileges, and further information describing the scope of the token.
When a user starts a process or thread, a token is assigned to these objects. This token, called a primary token, specifies which permissions the process or thread has when interacting with another object; it is a copy of the user's access token.
A thread can also have an impersonation token assigned. Impersonation tokens are used to provide a different security context than the process that owns the thread. This means that the thread interacts with objects on behalf of the impersonation token instead of the primary token of the process.
Mandatory Integrity Control
Mandatory Integrity Control uses integrity levels to control access to securable objects. We can think of these levels as a hierarchy of the trust Windows has in a running application or securable object.
When processes are started or objects are created, they receive the integrity level of the principal performing the operation. One exception is an executable file with a low integrity level: a process started from it will also have a low integrity level. A principal with a lower integrity level cannot write to an object with a higher level, even if the permissions would normally allow it to do so.
From Windows Vista onward, processes run on five integrity levels:
System: SYSTEM (kernel, ...)
High: Elevated users
Medium: Standard users
Low: Very restricted rights often used in sandboxed processes or for directories storing temporary data
Untrusted: Lowest integrity level with extremely limited access rights for processes or objects that pose the most potential risk
The integrity level of processes can be viewed with Process Explorer, that of our current user with whoami /groups, and that of files with icacls.
For example, the following figure shows two PowerShell processes on a Windows system in Process Explorer. One started as a regular user and the other as an administrative user:
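An added example, not from the original page, that models the rules in this section in Python: it reads the integrity level from the mandatory label SID in whoami /groups output, using the well-known S-1-16-<level> label SIDs (which the page does not list), and applies the no-write-up rule and the low-integrity executable exception. The whoami line is a constructed sample, and generalising that exception with min() is an assumption beyond what the page states.

```python
"""Model of Mandatory Integrity Control (MIC) decisions. Integrity levels are
carried in the mandatory label SID S-1-16-<level> (identifier authority 16)."""
import re

# Named integrity levels as the RID of the S-1-16-<rid> mandatory label SID.
INTEGRITY_LEVELS = {
    "Untrusted": 0,
    "Low": 4096,
    "Medium": 8192,
    "High": 12288,
    "System": 16384,
}
LEVEL_NAMES = {rid: name for name, rid in INTEGRITY_LEVELS.items()}

MANDATORY_LABEL_RE = re.compile(r"\bS-1-16-(\d+)\b")


def integrity_level_from_whoami(output: str) -> str:
    """Return the integrity level name found in `whoami /groups` output by
    locating the mandatory label SID; other group SIDs are ignored."""
    match = MANDATORY_LABEL_RE.search(output)
    if not match:
        raise ValueError("no mandatory label (S-1-16-*) in output")
    rid = int(match.group(1))
    # Intermediate labels (e.g. Medium Plus) round down to the nearest named level.
    return LEVEL_NAMES[max(r for r in LEVEL_NAMES if r <= rid)]


def write_allowed(subject_level: str, object_level: str) -> bool:
    """MIC "no write up": a subject may only write to objects at its own
    level or below, regardless of what the object's permissions say."""
    return INTEGRITY_LEVELS[subject_level] >= INTEGRITY_LEVELS[object_level]


def new_process_level(principal_level: str, executable_level: str) -> str:
    """A new process gets its principal's level, except that an executable
    labelled lower pulls the process down to that level. Assumption: the
    page only states the Low case; min() generalises it."""
    return min(principal_level, executable_level, key=INTEGRITY_LEVELS.get)


# Constructed sample of the relevant `whoami /groups` line (not a real capture).
SAMPLE_WHOAMI = (
    "Mandatory Label\\Medium Mandatory Level  Label  S-1-16-8192  "
    "Mandatory group, Enabled by default, Enabled group"
)
```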
User Account Control (UAC)
UAC is a Windows security feature that protects the operating system by running most applications and tasks with standard user privileges, even if the user launching them is an Administrator. For this, an administrative user obtains two access tokens after a successful logon. The first token is a standard user token (or filtered admin token), which is used to perform all non-privileged operations. The second token is a regular administrator token, which is used when the user wants to perform a privileged operation. To leverage the administrator token, a UAC consent prompt needs to be confirmed.