UAC and tokens
Yesterday evening I delivered a session about the new security features in Vista. I did not cover everything (I only had about an hour, so there was no time for all of it), but I did cover MIC and talked about UAC. A colleague of mine, Marcel, pointed me this morning to an article on UAC in MSDN Magazine. It was nice to read and it was written from a developer's point of view: how tokens are created and, more interesting, WHEN a filtered token is created.
The article is found in this edition of MSDN Magazine; it is the first article. It gave me the information I had been looking for for quite some time.
A filtered token is created in either of two cases:
- when the user is a member of any of the following groups: Built-In Administrators, Power Users, Account Operators, Server Operators, Printer Operators, Backup Operators, RAS Servers Group, Windows NT 4.0 App Compat Group, Network Configuration Operators, Domain Administrators, Domain Controllers, Certificate Publishers, Schema Administrators, Enterprise Administrators, Group Policy Administrators;
- when the user holds any of the following privileges: SeCreateTokenPrivilege, SeTcbPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeImpersonatePrivilege, SeRelabelPrivilege.
If the user is a member of the Administrators group, the filtered token still contains the Administrators group SID, but with the DENY ONLY attribute: AccessCheck will match it against deny ACEs, but will never use it to grant access to a resource. All machine-impacting privileges are also removed from the token; only a handful of harmless ones (SeChangeNotifyPrivilege and the like) remain. The full token is not thrown away: it is kept as the linked token, and it is what your process gets when you elevate through the consent prompt.
For more information I would say read the complete article; it is very good and informative on this subject.
I tried the following to compare my filtered token with my full token.
I opened a command prompt and typed: WHOAMI /all
This resulted in the following output:
USER INFORMATION
----------------

User Name     SID
============= ==============================================
ericd01\ericd S-1-5-21-1946392401-3979032713-1531747386-1000

GROUP INFORMATION
-----------------

Group Name                             Type             SID                                            Attributes
====================================== ================ ============================================== ==================================================
Everyone                               Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
Ericd01\Debugger Users                 Alias            S-1-5-21-1946392401-3979032713-1531747386-1002 Mandatory group, Enabled by default, Enabled group
Ericd01\Netmon Users                   Alias            S-1-5-21-1946392401-3979032713-1531747386-1001 Mandatory group, Enabled by default, Enabled group
Ericd01\SophosAdministrator            Alias            S-1-5-21-1946392401-3979032713-1531747386-1009 Mandatory group, Enabled by default, Enabled group
Ericd01\SophosUser                     Alias            S-1-5-21-1946392401-3979032713-1531747386-1007 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                 Alias            S-1-5-32-544                                   Group used for deny only
BUILTIN\Users                          Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Unknown SID type S-1-16-8192                                    Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
Then I opened an elevated command prompt and did the same. As you can guess, I got different results:
USER INFORMATION
----------------

User Name     SID
============= ==============================================
ericd01\ericd S-1-5-21-1946392401-3979032713-1531747386-1000

GROUP INFORMATION
-----------------

Group Name                           Type             SID                                            Attributes
==================================== ================ ============================================== ===============================================================
Everyone                             Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
Ericd01\Debugger Users               Alias            S-1-5-21-1946392401-3979032713-1531747386-1002 Mandatory group, Enabled by default, Enabled group
Ericd01\Netmon Users                 Alias            S-1-5-21-1946392401-3979032713-1531747386-1001 Mandatory group, Enabled by default, Enabled group
Ericd01\SophosAdministrator          Alias            S-1-5-21-1946392401-3979032713-1531747386-1009 Mandatory group, Enabled by default, Enabled group
Ericd01\SophosUser                   Alias            S-1-5-21-1946392401-3979032713-1531747386-1007 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators               Alias            S-1-5-32-544                                   Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                        Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE             Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Unknown SID type S-1-16-12288                                   Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled
Notice the differences. In the filtered token the Administrators group (S-1-5-32-544) carries the attribute "Group used for deny only"; in the elevated token it is a normal enabled group and also the token owner ("Group owner"). The integrity label goes from Medium (S-1-16-8192) to High (S-1-16-12288), which is what MIC uses to keep the medium-integrity process from writing to objects labelled High. And the privilege list grows from five entries to the full administrator set, including the privileges from the trigger list above: SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege and SeImpersonatePrivilege. Note that "Disabled" in the elevated output does not mean removed: the privilege is in the token and any process running with it can switch it on with AdjustTokenPrivileges, whereas the filtered token simply does not contain it at all.
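As an added example (not code from this post or from the MSDN article), here is a small Python script that applies the two rules above to real tokens: it parses the text that WHOAMI /all prints, tells a filtered token (Administrators present but deny-only) from an elevated one, reads the integrity label, and lists which of the article's trigger groups and privileges a token carries. It goes a little beyond the two captures on this page in that it applies the rule to any token, including domain accounts. The trigger group and privilege names are the article's; the well-known SIDs and RIDs they are mapped to, the regexes, the function names and the two abridged sample captures (constructed from the outputs above) are this example's own.

```python
"""Classify Windows access tokens from the text `whoami /all` prints (added example)."""
import re
import subprocess
from dataclasses import dataclass, field

# The article's trigger groups mapped to well-known SIDs (this mapping is ours, not the article's).
# BUILTIN aliases are fixed SIDs; domain groups are matched by RID under any S-1-5-21-<domain> prefix.
FILTER_TRIGGER_BUILTIN = {
    "S-1-5-32-544": "Administrators", "S-1-5-32-547": "Power Users",
    "S-1-5-32-548": "Account Operators", "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators", "S-1-5-32-551": "Backup Operators",
    "S-1-5-32-553": "RAS Servers", "S-1-5-32-554": "Pre-Windows 2000 Compatible Access",
    "S-1-5-32-556": "Network Configuration Operators",
}
FILTER_TRIGGER_DOMAIN_RIDS = {512: "Domain Admins", 516: "Domain Controllers", 517: "Cert Publishers",
                              518: "Schema Admins", 519: "Enterprise Admins", 520: "Group Policy Creator Owners"}
FILTER_TRIGGER_PRIVILEGES = {"SeCreateTokenPrivilege", "SeTcbPrivilege", "SeTakeOwnershipPrivilege",
                             "SeBackupPrivilege", "SeRestorePrivilege", "SeDebugPrivilege",
                             "SeImpersonatePrivilege", "SeRelabelPrivilege"}
INTEGRITY_LEVELS = {4096: "Low", 8192: "Medium", 12288: "High", 16384: "System"}
ADMINISTRATORS = "S-1-5-32-544"
DENY_ONLY = "group used for deny only"
SID_RE = re.compile(r"\bS-1-\d+(?:-\d+)+\b")
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")
PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)$")


@dataclass
class Token:
    user_sid: str = ""
    groups: dict = field(default_factory=dict)      # SID -> set of lower-cased attribute strings
    privileges: dict = field(default_factory=dict)  # privilege name -> "Enabled" | "Disabled"


def parse_whoami(text):
    """Rows are recognised by content (a SID or an Se*Privilege name), not by column position."""
    tok = Token()
    for raw in text.splitlines():
        line = raw.strip()
        m = PRIV_RE.match(line)
        if m:
            tok.privileges[m.group(1)] = m.group(2)
            continue
        m = SID_RE.search(line)
        if not m:
            continue
        attrs = line[m.end():].strip()
        if attrs:  # group rows carry attributes; the USER INFORMATION row does not
            tok.groups[m.group(0)] = {a.strip().lower() for a in attrs.split(",")}
        else:
            tok.user_sid = m.group(0)
    return tok


def integrity_level(tok):
    """Name of the S-1-16-<rid> integrity label that whoami lists among the groups."""
    for sid in tok.groups:
        if sid.startswith("S-1-16-"):
            return INTEGRITY_LEVELS.get(int(sid.rsplit("-", 1)[1]), sid)
    return "unknown"


def is_filtered(tok):
    """UAC-restricted half of a split token: Administrators is still in the token but deny-only,
    so AccessCheck matches it against deny ACEs and never grants access through it."""
    return DENY_ONLY in tok.groups.get(ADMINISTRATORS, set())


def filter_triggers(tok):
    """Groups and privileges that, by the article's rules, make LSA build a filtered token at
    logon. Deny-only groups are skipped: they are the result of filtering, not a reason for it."""
    hits = []
    for sid, attrs in tok.groups.items():
        if DENY_ONLY in attrs:
            continue
        if sid in FILTER_TRIGGER_BUILTIN:
            hits.append(FILTER_TRIGGER_BUILTIN[sid])
        elif (dm := DOMAIN_SID_RE.match(sid)) and int(dm.group(1)) in FILTER_TRIGGER_DOMAIN_RIDS:
            hits.append(FILTER_TRIGGER_DOMAIN_RIDS[int(dm.group(1))])
    hits += sorted(p for p in tok.privileges if p in FILTER_TRIGGER_PRIVILEGES)
    return hits


def live_token():
    """Token of the current process. Windows only, and whoami must print in English."""
    return parse_whoami(subprocess.run(["whoami", "/all"], capture_output=True, text=True, check=True).stdout)


# Constructed samples: the two captures from this post, abridged to the rows that matter.
FILTERED_SAMPLE = r"""
ericd01\ericd                          S-1-5-21-1946392401-3979032713-1531747386-1000
BUILTIN\Administrators                 Alias            S-1-5-32-544 Group used for deny only
Mandatory Label\Medium Mandatory Level Unknown SID type S-1-16-8192  Mandatory group, Enabled by default, Enabled group
SeShutdownPrivilege     Shut down the system     Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
"""
ELEVATED_SAMPLE = r"""
BUILTIN\Administrators               Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
Mandatory Label\High Mandatory Level Unknown SID type S-1-16-12288 Mandatory group, Enabled by default, Enabled group
SeTakeOwnershipPrivilege Take ownership of files or other objects  Disabled
SeDebugPrivilege         Debug programs                            Disabled
SeChangeNotifyPrivilege  Bypass traverse checking                  Enabled
SeImpersonatePrivilege   Impersonate a client after authentication Enabled
"""
```

On a Vista machine, `is_filtered(live_token())` tells a script whether it is running in the restricted half of a split token, which is more reliable than testing for the Administrators SID by name: the SID is present in both tokens, and only the deny-only attribute distinguishes them. Comparing `filter_triggers` for the two sample tokens shows the same asymmetry from the other side: the filtered token reports no triggers at all, because everything that would have triggered filtering has been marked deny-only or stripped, while the elevated token reports Administrators plus every trigger privilege it still carries.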