Access Rights for Access-Token Objects
An application cannot change the access control list of an object unless the application has the rights to do so. These rights are controlled by a security descriptor in the access token for the object. To get or set the security descriptor for an access token, call the GetKernelObjectSecurity() and SetKernelObjectSecurity() functions. When you call the OpenProcessToken() or OpenThreadToken() function to get a handle to an access token, the system checks the requested access rights against the DACL in the token's security descriptor. The following are valid access rights for access-token objects:
The specific access rights for access tokens, which are listed in the following table.
Value |
Meaning |
TOKEN_ADJUST_DEFAULT |
Required to change the default owner, primary group, or DACL of an access token. |
TOKEN_ADJUST_GROUPS |
Required to adjust the attributes of the groups in an access token. |
TOKEN_ADJUST_PRIVILEGES |
Required to enable or disable the privileges in an access token. |
TOKEN_ADJUST_SESSIONID |
Required to adjust the session ID of an access token. The SE_TCB_NAME privilege is required. |
TOKEN_ASSIGN_PRIMARY |
Required to attach a primary token to a process. The SE_ASSIGNPRIMARYTOKEN_NAME privilege is also required to accomplish this task. |
TOKEN_DUPLICATE |
Required to duplicate an access token. |
TOKEN_EXECUTE |
Combines STANDARD_RIGHTS_EXECUTE and TOKEN_IMPERSONATE. |
TOKEN_IMPERSONATE |
Required to attach an impersonation access token to a process. |
TOKEN_QUERY |
Required to query an access token. |
TOKEN_QUERY_SOURCE |
Required to query the source of an access token. |
TOKEN_READ |
Combines STANDARD_RIGHTS_READ and TOKEN_QUERY. |
TOKEN_WRITE |
Combines STANDARD_RIGHTS_WRITE, TOKEN_ADJUST_PRIVILEGES, TOKEN_ADJUST_GROUPS, and TOKEN_ADJUST_DEFAULT. |
TOKEN_ALL_ACCESS |
Combines all possible access rights for a token. |
Table 4 |
Security Descriptors
A security descriptor contains the security information associated with a securable object. A security descriptor consists of a SECURITY_DESCRIPTOR structure and its associated security information. A security descriptor can include the following security information:
The Windows API provides functions for setting and retrieving the security information in an object's security descriptor. In addition, there are functions for creating and initializing a security descriptor for a new object. Applications working with security descriptors on Active Directory objects can use the Windows security functions or the security interfaces provided by the Active Directory Service Interfaces (ADSI).
Securable Objects
A securable object is an object that can have a security descriptor. All named Windows objects are securable. Some unnamed objects, such as process and thread objects, can have security descriptors too. For most securable objects, you can specify an object's security descriptor in the function call that creates the object. For example, you can specify a security descriptor in the CreateFile() and CreateProcess() functions. In addition, the Windows security functions enable you to get and set the security information for securable objects created on operating systems other than Windows. The Windows security functions also provide support for using security descriptors with private, application-defined objects. Each type of securable object defines its own set of specific access rights and its own mapping of generic access rights. The following table shows the functions that can be used to manipulate the security information for some common securable objects.
Securable Object type |
Security Descriptor Functions |
Files or directories on an NTFS file system. |
GetNamedSecurityInfo(), SetNamedSecurityInfo(), GetSecurityInfo(), SetSecurityInfo() |
Named pipes, Anonymous pipes. |
GetSecurityInfo(), SetSecurityInfo() |
Processes, Threads. |
GetSecurityInfo(), SetSecurityInfo() |
File-mapping objects. |
GetNamedSecurityInfo(), SetNamedSecurityInfo(), GetSecurityInfo(), SetSecurityInfo() |
Access tokens. |
SetKernelObjectSecurity(), GetKernelObjectSecurity() |
Window-management objects (window stations and desktops). |
GetSecurityInfo(), SetSecurityInfo() |
Registry keys. |
GetNamedSecurityInfo(), SetNamedSecurityInfo(), GetSecurityInfo(), SetSecurityInfo() |
Windows services. |
GetNamedSecurityInfo(), SetNamedSecurityInfo(), GetSecurityInfo(), SetSecurityInfo() |
Local or remote printers. |
GetNamedSecurityInfo(), SetNamedSecurityInfo(), GetSecurityInfo(), SetSecurityInfo() |
Network shares. |
GetNamedSecurityInfo(), SetNamedSecurityInfo(), GetSecurityInfo(), SetSecurityInfo() |
Interprocess synchronization objects (events, mutexes, semaphores, and waitable timers). |
GetNamedSecurityInfo(), SetNamedSecurityInfo(), GetSecurityInfo(), SetSecurityInfo() |
Job objects. |
GetNamedSecurityInfo(), SetNamedSecurityInfo(), GetSecurityInfo(), SetSecurityInfo() |
Directory service objects. |
These objects are handled by Active Directory Objects. |
Table 5 |
The following figure shows a simple the relationship between securable object (a folder) and security descriptor.