Window Stations and Desktops 3

 

 

Window Station Security and Access Rights

 

Security enables you to control access to window station objects. You can specify a security descriptor for a window station object when you call the CreateWindowStation() function. If you specify NULL, the window station gets a default security descriptor. The ACLs in the default security descriptor for a window station come from the primary or impersonation token of the creator. To get or set the security descriptor of a window station object, call the GetSecurityInfo() and SetSecurityInfo() functions. When you call the OpenWindowStation() function, the system checks the requested access rights against the object's security descriptor. The valid access rights for window station objects include the standard access rights and some object-specific access rights. The following table lists the standard access rights used by all objects.

 

 

 

String Constant (Value)

Meaning

DELETE (0x00010000L)

Required to delete the object.

READ_CONTROL (0x00020000L)

Required to read information in the security descriptor for the object, not including the information in the SACL. To read or write the SACL, you must request the ACCESS_SYSTEM_SECURITY access right.

SYNCHRONIZE (0x00100000L)

Not supported for window station objects.

WRITE_DAC (0x00040000L)

Required to modify the DACL in the security descriptor for the object.

WRITE_OWNER (0x00080000L)

Required to change the owner in the security descriptor for the object.

 

The following table lists the object-specific access rights.

 

Access right

Description

WINSTA_ALL_ACCESS (0x37F)

All possible access rights for the window station.

WINSTA_ACCESSCLIPBOARD (0x0004L)

Required to use the clipboard.

WINSTA_ACCESSGLOBALATOMS (0x0020L)

Required to manipulate global atoms.

WINSTA_CREATEDESKTOP (0x0008L)

Required to create new desktop objects on the window station.

WINSTA_ENUMDESKTOPS (0x0001L)

Required to enumerate existing desktop objects.

WINSTA_ENUMERATE (0x0100L)

Required for the window station to be enumerated.

WINSTA_EXITWINDOWS (0x0040L)

Required to successfully call the ExitWindows() or ExitWindowsEx() function. Window stations can be shared by users and this access type can prevent other users of a window station from logging off the window station owner.

WINSTA_READATTRIBUTES (0x0002L)

Required to read the attributes of a window station object. This attribute includes color settings and other global window station properties.

WINSTA_READSCREEN (0x0200L)

Required to access screen contents.

WINSTA_WRITEATTRIBUTES (0x0010L)

Required to modify the attributes of a window station object. The attributes include color settings and other global window station properties.

 

The following are the generic access rights for the interactive window station object, which is the window station assigned to the logon session of the interactive user.

 

Access right

Description

GENERIC_READ

STANDARD_RIGHTS_READ

WINSTA_ENUMDESKTOPS

WINSTA_ENUMERATE

WINSTA_READATTRIBUTES

WINSTA_READSCREEN

GENERIC_WRITE

STANDARD_RIGHTS_WRITE

WINSTA_ACCESSCLIPBOARD

WINSTA_CREATEDESKTOP

WINSTA_WRITEATTRIBUTES

GENERIC_EXECUTE

STANDARD_RIGHTS_EXECUTE

WINSTA_ACCESSGLOBALATOMS

WINSTA_EXITWINDOWS

GENERIC_ALL

STANDARD_RIGHTS_REQUIRED

WINSTA_ACCESSCLIPBOARD

WINSTA_ACCESSGLOBALATOMS

WINSTA_CREATEDESKTOP

WINSTA_ENUMDESKTOPS

WINSTA_ENUMERATE

WINSTA_EXITWINDOWS

WINSTA_READATTRIBUTES

WINSTA_READSCREEN

WINSTA_WRITEATTRIBUTES

 

The following are the generic access rights for a non-interactive window station object. The system assigns non-interactive window stations to all Logon sessions other than that of the interactive user.

 

 

Access right

Description

GENERIC_READ

STANDARD_RIGHTS_READ

WINSTA_ENUMDESKTOPS

WINSTA_ENUMERATE

WINSTA_READATTRIBUTES

GENERIC_WRITE

STANDARD_RIGHTS_WRITE

WINSTA_ACCESSCLIPBOARD

WINSTA_CREATEDESKTOP

GENERIC_EXECUTE

STANDARD_RIGHTS_EXECUTE

WINSTA_ACCESSGLOBALATOMS

WINSTA_EXITWINDOWS

GENERIC_ALL

STANDARD_RIGHTS_REQUIRED

WINSTA_ACCESSCLIPBOARD

WINSTA_ACCESSGLOBALATOMS

WINSTA_CREATEDESKTOP

WINSTA_ENUMDESKTOPS

WINSTA_ENUMERATE

WINSTA_EXITWINDOWS

WINSTA_READATTRIBUTES

 

You can request the ACCESS_SYSTEM_SECURITY access right to a window station object if you want to read or write the object's SACL.

 

 

 

< Window Station and Desktop 2 | Window Station and Desktop | Win32 Programming | Window Station and Desktop 4 >