So, in this step, regardless of
whether an inherited ACE denies or does not deny, we move on to the next phase.
Check Allow ACEs With the inherited and explicit deny ACEs checked, the
AccessCheck function moves on to the allow ACEs. If every portion of the desiredAccess
flag is not granted to the user SID or group SIDs in the access token, the request is
denied. If each bit of the desired access is allowed, this request moves on to the next
phase.
Figure 16-7 AccessCheck flowchart
Gray Hat Hacking: The Ethical Hacker??™s Handbook
400
Check for Presence of Restricted Tokens Even if all the access has been
granted through explicit or inherited ACEs, the AccessCheck function still needs to
check for restricted SIDs in the token. If we??™ve gotten this far and there are no restricted
tokens in the SID, access is granted. The AccessCheck function will return a nonzero
value and will set the passed-in access mask to the granted result. If any restricted SIDs
are present in the token, the AccessCheck function needs to first check those before
granting or denying access.
Check Restricted SIDs Access Rights With restricted SIDs in the token, the
same allow ACE check made earlier is made again. This time, only the restricted SIDs
present in the token are used in the evaluation.
Pages:
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718