Token (windows Nt Architecture) Article Index for
Token 		 

Information About

Token (windows Nt Architecture)
APPAREL
BABY
BEAUTY
BOOKS
CAR TOYS
CELL PHONES
DVD'S
ELECTRONICS
GOURMET FOOD
GROCERIES
HEALTH & PERSONAL
HOME & GARDEN
JEWELRY
MUSIC
MUSIC INSTRUMENTS
OFFICE PRODUCTS
SOFTWARE
SPORTING GOODS
TOOLS & HARDWARE
TOYS
VIDEO GAMES
SHOPPING HOME
MORE SHOPPING...




GENERAL INFORMATION

A token is itself an object in the Windows NT architecture, meaning that accesses on it are checked against another token. As such, a token has an associated Security Descriptor , as well as an optional path in the object namespace (the latter is a standard feature of the object manager, but it's never used for tokens).

There are two kinds of tokens: ''primary'' and ''impersonation'' tokens. Primary tokens can only be associated to Processes , and they represent a process's security subject. The creation of primary tokens and their association to processes are both privileged operations, requiring two different privileges in the name of Privilege Separation - the typical scenario sees the authentication service creating the token, and a logon service associating it to the user's Operating System Shell . Processes initially inherit a copy of the parent process's primary token. Impersonation tokens can only be associated to Threads , and they represent a ''client'' process's security subject. Impersonation tokens are usually created and associated to the current thread implicitly, by IPC mechanisms such as DCE RPC , DDE and Named Pipe s.

Impersonation is a security concept unique to Windows NT, that allows a server application to temporarily "be" the client in terms of access to secure objects. Impersonation has three possible levels: ''identification'', letting the server inspect the client's identity, ''impersonation'', letting the server act on behalf of the client, and ''delegation'', same as impersonation but extended to remote systems to which the server connects (through the preservation of credentials). The client can choose the maximum impersonation level (if any) available to the server as a connection parameter. Delegation and impersonation are privileged operations (impersonation initially wasn't, but historical carelessness in the implementation of client API s failing to restrict the default level to "identification", letting an unprivileged server impersonate an unwilling privileged client, called for it).


CONTENTS OF A TOKEN

A token is composed of various fields, among which:
  • an identifier

  • the identifier of the associated logon session. The session is maintained by the authentication service, and is populated by the authentication packages with a collection of all the information ( Credentials ) the user provided when logging in. Credentials are used to access remote systems without the need for the user to re-authenticate ( Single Sign-on ), provided that all the systems involved share an authentication authority (e.g. a Kerberos ticket server)

  • the user identifier. This field is the most important and it's strictly read-only

  • the identifiers of groups the user (or, more precisely, the subject) is part of. Group identifiers cannot be deleted, but they can be disabled. At most one of the groups is designated as the ''session id'', a volatile group representing the logon session, allowing access to volatile objects associated to the session, such as the display

  • the restricting group identifiers (optional). This additional set of groups doesn't grant additional access, but further restricts it: access to an object is only allowed if it's allowed ''also'' to one of these groups. Restricting groups cannot be deleted nor disabled. Restricting groups are a recent addition, and they are used in the implementation of Sandboxes

  • the privileges, i.e. special capabilities the user has. Most privileges are disabled by default, to prevent damage from non-security-conscious programs. Starting in Windows XP Service Pack 2 and Windows Server 2003 privileges can be permanently removed from a token by a call to AdjustTokenPrivileges with the SE_PRIVILEGE_REMOVED attribute.

  • the default owner, primary group and ACL for objects created by the subject associated to the token



OPERATIONS ON A TOKEN

{Link without Title}


HOW A TOKEN IS USED IN ACCESS CONTROL

{Link without Title}