Windows Security Wiki

A useful summary about Windows Security.

Introduction

Normally when implementing an application you do not need to care about security concepts present in Windows. But from time to time you may need to implement something where the security is involved.

E.g. you want to implement a windows service that shall interact with desktop applications using 'Event Wait Handles' and 'Shared Memory'.

You deal with concepts like 'Process Integrity Level' and 'Process Sessions'. Eventually you have a working application and everything is fine (on your Windows 7) until you decide to run it on Windows 8 or Windows Server 2012. And this is where the real "fun" starts ;-). Difficult terminology, poor google results and nobody answers your questions on IT forums.

This article is a short wiki I collected during my investigations. I think it could be useful for you too.

Windows Security Model

The biggest problem in the security topic is difficult terminology (many abbreviations) and not easy to understand how things are related to each other.

Therefore here is a model showing relations between most common terms:

Terms and Abbreviations Summary

• Securable Objects - files, folders, pipes, processes, threads, registry keys, printers, semaphores, event wait handles, ... and other objects that can be protected from unauthorized access.
• Security Descriptor - specifies security information about the object. I.e. it identifies the object owner SID, the primary group SID and most importantly SACL and DACL lists.
• SID - Security Identifier. It can identify user, group and computer accounts. SID is generated when the account is created. Windows internally refers to SIDs and not to user or account names.
• ACL - Access Control List. It is a list of protections specified for the object. ACL can be SACL or DACL. The entry of the list is called ACE.
• ACE - Access Control Entry. The entry of the ACL list. It specifies the access rights and to whom are these rights granted, denied or audited (logged).
• DACL - Discretionary Access Control List. It controls access to the object. It specifies to whom the access is allowed and to whom denied. The content of DACL is controlled by the owner of the security object.
  If the object does not have any DACL the full access to everyone is allowed.
  If the object has empty DACL nobody has the access.
  DACL can have following entries:
• Access Allowed ACE - the item in the DACL which specifies who is allowed to access the object. It consists of:
• Trustee SID - identifies user, group or computer account to whom the access is granted.
• Access Mask - identifies what access is allowed. E.g. read, write, execute.
• Access Denied ACE - the item in the DACL which specifies to whom the access is denied. E.g. you may need this rule if the access is granted to a group but you want to deny one user from that group. It consists of:
• Trustee SID - identifies user, group or computer account to whom the access is denied.
• Access Mask - identifies what access is denied. E.g. write, execute.
• SACL - System Access Control List. It controls two things: auditing rules (how access to objects is recorded in the security log) and integrity level of the object (what is the minimal "trust" level needed to access the object). The content of the SACL is controlled by security administrators for the local system. These are users who have been assigned the 'Manage Auditing and Security Log' privilege (SeSecurityPrivilege).
  SACL can have following entries:
• Audit ACE - identifies the rule for auditing to the security log.
• Header - specifies if the auditing occurs by success, failure or both when somebody accessed the object.
• Trustee SID - identifies user, group or computer account that shall be monitored.
• Access Mask - lists operations to audit.
• Mandatory Label ACE - identifies the minimal integrity level to access the object. E.g. object with medium integrity level cannot be accessed by object with low integrity. It consists of:
• Integrity Level SID - SID of the integrity level.
• Mask - defines restrictions on the access permissions that apply to processes with lower integrity level.
• Logon Session - context of the user during the logon time.
• Access Token - describes the security context of a process or thread. The access token is created when the user is logged on. Every process executed on behalf of the user will get the copy of user's access token. If the process (or thread) wants to access a securable object the access token will be compared with the security descriptor of that object to determine if the process (or thread) can access it.
  It consists of:
• User SID - identifies the user.
• Group SIDs - list of user's groups.
• Integrity Level SID - integrity level of the process.
• Privileges - user's privileges.
• Primary Token - describes the security context of the user account associated with the process. Every process has a primary token.
• Impersonation Token - describes the security context of a client process. Impersonation allows a thread to interact with securable objects with another (client) security context. A thread that is impersonating a client has both a primary token and an impersonation token.
• Integrity Level - specifies a level of trust. There are four integrity levels: low, medium, high and system. The integrity level stored in the securable object specifies what is the minimal integrity level required from a process to access the object. If the level is lower the access is denied independently from access rules specified in DACL.
• SDDL - Security Descriptor Definition Language. It allows to define ACEs and SIDs as a text.
  E.g. this is how you can define that the process with lower than medium integrity is not allowed to get write access rights:
  S:(ML;;NW;;;ME).
• S - means SACL
• ML - means Mandatory Label
• NW - means NO_WRITE_UP policy.
• ME - means medium integrity level.

Integrity Level Check

When you read technical articles it is not really clear how checking of the integrity level works together with checking of access rights. Here is the sequence:

1. Windows reads the access token and gets the integrity level of the process.
2. Integrity level of the process is compared with the integrity level of requested object (stored in the Mandatory Label ACE).
3. If the integrity level of the process is equal or higher than the integrity level of the secured object the access rights from DACL will be checked.
   If the integrity level of the process is lower than the integrity level of the secured object the access is denied (regardless of what is in DACL).
4. If access rights from DACL are ok the access is granted.

For more details about integrity level read: Mandatory integrity control in Windows Vista.

Useful References:

• What Are Access Tokens?
• What Are Security Descriptors and Access Control Lists?
• How Security Descriptors and Access Control Lists Work
• What is the Windows Integrity Mechanism?
• Windows Integrity Mechanism Design
• Mandatory integrity control in Windows Vista
• Interaction Between Threads and Securable Objects
• How AccessCheck Works
• Null DACLs and Empty DACLs
• Security Descriptor Definition Language
• Appendix A: SDDL for Mandatory Labels
• User and computer accounts
• Security Glossary