1. Windows Access Control

Windows Control Mechanisms for identifying the source of an operation and determine sufficient privileges:

• Security Identifier (SID)
• Access token
• Mandatory Integrity Control
• User Account Control

Security Identifiers (SID):

• Used to identify entities
• Unique value assigned to each entity/principal
• SID for local accounts and groups is generated by Local Security Authority (LSA)
• SID for domain users and domain groups is generated by Domain Controller (DC)
• Is generated when the user or group is created
• Cannot be changed
• Consists of four parts delimited by '-'

S-R-X-Y

S = Indicates that it is a SID
R = Revision. Always set to 1
X = Identifier authority. Eg. 5 for NT Authority
Y = Sub-authorities of identifier authority.

• Domain identifier: SID of the domain, local mahine, or 32 for built-in principals.
• Relative identifier (RID): Determines user and groups.
  Example SID of a local user:

S-1-5-21-1336799502-1441772794-948155058-1001

• The RID here is 1001 and represents the second created local user, starting on 1000
• RID under 1000 are well-known ISDs, eg. generic and built-in groups and users.
• Administrator has RID 500
• Some well known SIDs:

S-1-0-0                       Nobody        
S-1-1-0	                      Everybody
S-1-5-11                      Authenticated Users
S-1-5-18                      Local System
S-1-5-domainidentifier-500    Administrator

Access tokens:

• Once a user is authenticated, Windows generates an access token assigned to that user.
• The token contains various pieces of information that describe the security context (a set of rules).
• Security context consists of:
  • SID of user
  • SID of groups belonging to the user
  • User and group privileges
  • Information about the scope of the token
• When a user starts a process or thread, that object will be assigned a primary token which is a copy of the user token. That tells it what permissions it has interacting with things.
• A thread can also have an impersonation token assigned. It can provide a different security context than the process which owns the thread and its primary token.

Mandatory Integrity Control (MIC)

• Windows uses integrity levels to control access to securable objects.
• Can think of them like hierarchies of trust.
• When processes are started or objects are created, they receive the integrity level of the principal performing the operation.
• An object with a lower integrity level cannot write to an object with a higher level, even if the permissions would normally allow them to do so.
• Four integrity levels of Windows:
  • System: SYSTEM (kernel, ...)
  • High: Elevated users
  • Medium: Standard users
  • Low: very restricted rights often used in sandboxed[^privesc_win_sandbox] processes or for directories storing temporary data
• Integrity levels can be displayed for processes using Process Explorer, for current user with 'whoami /groups', and for files with 'icacls'.

User Account Control (UAC):

• Windows security feature that protects operating system by running most applications and tasks with standard user privileges, even if they are run by Administrator user.
• An Administrator will therefore have a filtered admin token used to perform all non-privileged operations.
• To leverage the regular administrator token a UAC consent prompt needs to be confirmed.