Window Station Security and Access Rights
Security enables you to control access to window station objects. You can specify a security descriptor for a window station object when you call the CreateWindowStation() function. If you specify NULL, the window station gets a default security descriptor. The ACLs in the default security descriptor for a window station come from the primary or impersonation token of the creator.

To get or set the security descriptor of a window station object, call the GetSecurityInfo() and SetSecurityInfo() functions. When you call the OpenWindowStation() function, the system checks the requested access rights against the object's security descriptor.

The valid access rights for window station objects include the standard access rights and some object-specific access rights. The following table lists the standard access rights used by all objects.
| String Constant (Value) | Meaning |
|---|---|
| DELETE (0x00010000L) | Required to delete the object. |
| READ_CONTROL (0x00020000L) | Required to read information in the security descriptor for the object, not including the information in the SACL. To read or write the SACL, you must request the ACCESS_SYSTEM_SECURITY access right. |
| SYNCHRONIZE (0x00100000L) | Not supported for window station objects. |
| WRITE_DAC (0x00040000L) | Required to modify the DACL in the security descriptor for the object. |
| WRITE_OWNER (0x00080000L) | Required to change the owner in the security descriptor for the object. |
The following table lists the object-specific access rights.
| Access right | Description |
|---|---|
| WINSTA_ALL_ACCESS (0x37F) | All possible access rights for the window station. |
| WINSTA_ACCESSCLIPBOARD (0x0004L) | Required to use the clipboard. |
| WINSTA_ACCESSGLOBALATOMS (0x0020L) | Required to manipulate global atoms. |
| WINSTA_CREATEDESKTOP (0x0008L) | Required to create new desktop objects on the window station. |
| WINSTA_ENUMDESKTOPS (0x0001L) | Required to enumerate existing desktop objects. |
| WINSTA_ENUMERATE (0x0100L) | Required for the window station to be enumerated. |
| WINSTA_EXITWINDOWS (0x0040L) | Required to successfully call the ExitWindows() or ExitWindowsEx() function. Window stations can be shared by users, and this access type can prevent other users of a window station from logging off the window station owner. |
| WINSTA_READATTRIBUTES (0x0002L) | Required to read the attributes of a window station object. The attributes include color settings and other global window station properties. |
| WINSTA_READSCREEN (0x0200L) | Required to access screen contents. |
| WINSTA_WRITEATTRIBUTES (0x0010L) | Required to modify the attributes of a window station object. The attributes include color settings and other global window station properties. |
The following are the generic access rights for the interactive window station object, which is the window station assigned to the logon session of the interactive user.
| Access right | Description |
|---|---|
| GENERIC_READ | STANDARD_RIGHTS_READ, WINSTA_ENUMDESKTOPS, WINSTA_ENUMERATE, WINSTA_READATTRIBUTES, WINSTA_READSCREEN |
| GENERIC_WRITE | STANDARD_RIGHTS_WRITE, WINSTA_ACCESSCLIPBOARD, WINSTA_CREATEDESKTOP, WINSTA_WRITEATTRIBUTES |
| GENERIC_EXECUTE | STANDARD_RIGHTS_EXECUTE, WINSTA_ACCESSGLOBALATOMS, WINSTA_EXITWINDOWS |
| GENERIC_ALL | STANDARD_RIGHTS_REQUIRED, WINSTA_ACCESSCLIPBOARD, WINSTA_ACCESSGLOBALATOMS, WINSTA_CREATEDESKTOP, WINSTA_ENUMDESKTOPS, WINSTA_ENUMERATE, WINSTA_EXITWINDOWS, WINSTA_READATTRIBUTES, WINSTA_READSCREEN, WINSTA_WRITEATTRIBUTES |
The following are the generic access rights for a non-interactive window station object. The system assigns non-interactive window stations to all logon sessions other than that of the interactive user.
| Access right | Description |
|---|---|
| GENERIC_READ | STANDARD_RIGHTS_READ, WINSTA_ENUMDESKTOPS, WINSTA_ENUMERATE, WINSTA_READATTRIBUTES |
| GENERIC_WRITE | STANDARD_RIGHTS_WRITE, WINSTA_ACCESSCLIPBOARD, WINSTA_CREATEDESKTOP |
| GENERIC_EXECUTE | STANDARD_RIGHTS_EXECUTE, WINSTA_ACCESSGLOBALATOMS, WINSTA_EXITWINDOWS |
| GENERIC_ALL | STANDARD_RIGHTS_REQUIRED, WINSTA_ACCESSCLIPBOARD, WINSTA_ACCESSGLOBALATOMS, WINSTA_CREATEDESKTOP, WINSTA_ENUMDESKTOPS, WINSTA_ENUMERATE, WINSTA_EXITWINDOWS, WINSTA_READATTRIBUTES |
You can request the ACCESS_SYSTEM_SECURITY access right to a window station object if you want to read or write the object's SACL.
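The following C program is an added example, not code from this page or from the Windows SDK. It covers two things the page describes: the generic-to-specific mapping for interactive and non-interactive window stations (the two tables above), and reading a window station's security descriptor with GetSecurityInfo() so that the rights each ACE actually grants can be audited. The portable part (mask mapping, a request-versus-grant check, and mask decoding) compiles anywhere; the GetSecurityInfo() call is compiled only under _WIN32. Assumptions: the STANDARD_RIGHTS_* and GENERIC_* numeric values are the winnt.h definitions (STANDARD_RIGHTS_READ/WRITE/EXECUTE are READ_CONTROL, STANDARD_RIGHTS_REQUIRED is 0x000F0000), not values given on this page; the function names winsta_map_generic, winsta_request_covered, winsta_mask_names and dump_process_winsta_dacl are mine.

```c
/* Added example (not from the page): decode window station access masks,
 * apply the page's generic-to-specific mapping and, on Windows only, dump
 * the DACL of the process window station via GetSecurityInfo(). */
#include <stdio.h>

#ifdef _WIN32
#  include <windows.h>
#  include <aclapi.h>              /* GetSecurityInfo(); link with advapi32 */
#else                              /* no SDK headers: reproduce the values */
typedef unsigned long DWORD;
enum {                             /* winnt.h / winuser.h values (assumed) */
    DELETE = 0x00010000, READ_CONTROL = 0x00020000, WRITE_DAC = 0x00040000,
    WRITE_OWNER = 0x00080000, STANDARD_RIGHTS_REQUIRED = 0x000F0000,
    STANDARD_RIGHTS_READ = READ_CONTROL, STANDARD_RIGHTS_WRITE = READ_CONTROL,
    STANDARD_RIGHTS_EXECUTE = READ_CONTROL,
    WINSTA_ENUMDESKTOPS = 0x0001, WINSTA_READATTRIBUTES = 0x0002,
    WINSTA_ACCESSCLIPBOARD = 0x0004, WINSTA_CREATEDESKTOP = 0x0008,
    WINSTA_WRITEATTRIBUTES = 0x0010, WINSTA_ACCESSGLOBALATOMS = 0x0020,
    WINSTA_EXITWINDOWS = 0x0040, WINSTA_ENUMERATE = 0x0100,
    WINSTA_READSCREEN = 0x0200, WINSTA_ALL_ACCESS = 0x37F
};
#  define GENERIC_READ    0x80000000UL
#  define GENERIC_WRITE   0x40000000UL
#  define GENERIC_EXECUTE 0x20000000UL
#  define GENERIC_ALL     0x10000000UL
#endif

/* Bit -> name, in the order the page lists the rights. */
static const struct { DWORD bit; const char *name; } winsta_rights[] = {
    { WINSTA_ENUMDESKTOPS, "WINSTA_ENUMDESKTOPS" }, { WINSTA_READATTRIBUTES, "WINSTA_READATTRIBUTES" },
    { WINSTA_ACCESSCLIPBOARD, "WINSTA_ACCESSCLIPBOARD" }, { WINSTA_CREATEDESKTOP, "WINSTA_CREATEDESKTOP" },
    { WINSTA_WRITEATTRIBUTES, "WINSTA_WRITEATTRIBUTES" }, { WINSTA_ACCESSGLOBALATOMS, "WINSTA_ACCESSGLOBALATOMS" },
    { WINSTA_EXITWINDOWS, "WINSTA_EXITWINDOWS" }, { WINSTA_ENUMERATE, "WINSTA_ENUMERATE" },
    { WINSTA_READSCREEN, "WINSTA_READSCREEN" }, { DELETE, "DELETE" },
    { READ_CONTROL, "READ_CONTROL" }, { WRITE_DAC, "WRITE_DAC" }, { WRITE_OWNER, "WRITE_OWNER" },
};

/* Expand GENERIC_* bits into the specific rights from the page's mapping
 * tables. A non-interactive station's mapping lacks WINSTA_READSCREEN and
 * WINSTA_WRITEATTRIBUTES. Bits that are already specific pass through. */
DWORD winsta_map_generic(DWORD mask, int interactive)
{
    DWORD rd = STANDARD_RIGHTS_READ | WINSTA_ENUMDESKTOPS | WINSTA_ENUMERATE
             | WINSTA_READATTRIBUTES | (interactive ? WINSTA_READSCREEN : 0);
    DWORD wr = STANDARD_RIGHTS_WRITE | WINSTA_ACCESSCLIPBOARD
             | WINSTA_CREATEDESKTOP | (interactive ? WINSTA_WRITEATTRIBUTES : 0);
    DWORD ex = STANDARD_RIGHTS_EXECUTE | WINSTA_ACCESSGLOBALATOMS | WINSTA_EXITWINDOWS;
    DWORD all = STANDARD_RIGHTS_REQUIRED | rd | wr | ex;  /* the GENERIC_ALL row */
    DWORD out = mask & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
    if (mask & GENERIC_READ)    out |= rd;
    if (mask & GENERIC_WRITE)   out |= wr;
    if (mask & GENERIC_EXECUTE) out |= ex;
    if (mask & GENERIC_ALL)     out |= all;
    return out;
}

/* Would a grant of `granted` satisfy an open request for `requested`? Both
 * sides are normalised first so GENERIC_* on either side compares correctly. */
int winsta_request_covered(DWORD granted, DWORD requested, int interactive)
{
    DWORD g = winsta_map_generic(granted, interactive);
    DWORD r = winsta_map_generic(requested, interactive);
    return (r & ~g) == 0;
}

/* Write "A|B|C" for the named bits set in mask and return how many matched.
 * buf may be NULL with len 0 to count only. */
size_t winsta_mask_names(DWORD mask, char *buf, size_t len)
{
    size_t i, n = 0, used = 0;
    if (len) buf[0] = '\0';
    for (i = 0; i < sizeof winsta_rights / sizeof winsta_rights[0]; i++) {
        if (!(mask & winsta_rights[i].bit)) continue;
        used += (size_t)snprintf(len > used ? buf + used : NULL, len > used ? len - used : 0,
                                 "%s%s", n ? "|" : "", winsta_rights[i].name);
        n++;
    }
    return n;
}

#ifdef _WIN32
/* Read the DACL of the calling process's window station. The handle from
 * GetProcessWindowStation() must carry READ_CONTROL or this fails with
 * ERROR_ACCESS_DENIED. Masks are shown mapped as for an interactive station. */
static void dump_process_winsta_dacl(void)
{
    PACL dacl = NULL;
    PSECURITY_DESCRIPTOR sd = NULL;
    DWORD rc = GetSecurityInfo(GetProcessWindowStation(), SE_WINDOW_OBJECT,
                               DACL_SECURITY_INFORMATION, NULL, NULL, &dacl, NULL, &sd);
    if (rc != ERROR_SUCCESS) { printf("GetSecurityInfo: error %lu\n", rc); return; }
    if (dacl == NULL) printf("NULL DACL: the object is unprotected\n");
    for (DWORD i = 0; dacl != NULL && i < dacl->AceCount; i++) {
        ACCESS_ALLOWED_ACE *ace;   /* Mask sits at the same offset in denied ACEs */
        char names[512];
        if (!GetAce(dacl, i, (LPVOID *)&ace)) break;
        winsta_mask_names(winsta_map_generic(ace->Mask, 1), names, sizeof names);
        printf("ACE %lu type %u mask 0x%08lX -> %s\n", i, ace->Header.AceType, ace->Mask, names);
    }
    LocalFree(sd);                 /* sd owns the memory dacl points into */
}
#endif

int main(void)
{
    char names[512];
    winsta_mask_names(winsta_map_generic(GENERIC_READ, 0), names, sizeof names);
    printf("non-interactive GENERIC_READ -> %s\n", names);
    printf("WINSTA_ALL_ACCESS names %zu specific rights\n", winsta_mask_names(WINSTA_ALL_ACCESS, NULL, 0));
#ifdef _WIN32
    dump_process_winsta_dacl();
#endif
    return 0;
}
```

The mapping makes one practical point visible: an ACE that grants GENERIC_ALL on a non-interactive window station still does not cover a request for WINSTA_READSCREEN or WINSTA_WRITEATTRIBUTES, so a service expecting those rights should request the specific bits it needs rather than GENERIC_ALL, and a DACL audit should decode masks with the mapping that matches the station type.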