That means that for access to be granted,
access must be allowed either by an explicit or inherited ACE to one of the restricted
SIDs in the token.
Unfortunately, there isn't a lot of really good documentation on how restricted
tokens work. Check the "References" section that follows for blogs and MSDN articles.
The idea is that the presence of a restricted SID in the token causes the AccessCheck function
to add an additional pass to the check. Any access that would normally be granted
must also be granted to the restricted token if the process token has any restricted SIDs.
Access will never be broadened by the restricted token check. If the user requests the max
allowed permissions to the HKCU registry hive, the first pass will return Full Control,
but the restricted SIDs check will narrow that access to read-only.
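The two-pass check described above, as an added example that is not code from the original book: a simplified Python model of the DACL walk AccessCheck performs. The SIDs, the HKCU-style DACL and the `Token`/`Ace` types are constructed for illustration (S-1-5-12 is the well-known RESTRICTED SID, the registry access-mask constants are the real winnt.h values); the model omits owner rights, privileges, generic-right mapping and inheritance flags, and keeps only the ordered allow/deny evaluation and the intersection with the restricted-SID pass.

```python
# Added example: simplified model of AccessCheck with a restricted token.
# Not Windows code; the DACL, SIDs and token below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Set

# Registry access-mask bits (real winnt.h values)
KEY_QUERY_VALUE        = 0x0001
KEY_SET_VALUE          = 0x0002
KEY_ENUMERATE_SUB_KEYS = 0x0008
KEY_NOTIFY             = 0x0010
STANDARD_RIGHTS_READ   = 0x00020000
KEY_READ       = STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY  # 0x20019
KEY_ALL_ACCESS = 0x000F003F
MAXIMUM_ALLOWED = 0x02000000  # "give me everything this token can get"


@dataclass
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class Token:
    sids: Set[str]             # user and group SIDs
    restricted_sids: Set[str]  # empty for a normal (non-restricted) token


def evaluate_dacl(dacl: List[Ace], sids: Set[str], desired: int) -> int:
    """One pass over an ordered DACL for one set of SIDs; returns granted bits.

    A deny ACE only blocks bits an earlier allow ACE has not already granted,
    which is why ACE order matters (canonical order places denies first).
    """
    granted = 0
    denied = 0
    for ace in dacl:
        if ace.sid not in sids:
            continue
        if ace.kind == "allow":
            granted |= ace.mask & ~denied
        elif ace.kind == "deny":
            denied |= ace.mask & ~granted
    if desired == MAXIMUM_ALLOWED:
        return granted
    # A specific request is all-or-nothing.
    return desired if (desired & ~granted) == 0 else 0


def access_check(dacl: List[Ace], token: Token, desired: int) -> int:
    """Normal pass, then (only if restricted SIDs are present) a second pass
    using just the restricted SIDs. The result is the intersection, so the
    restricted pass can narrow access but never broaden it."""
    normal = evaluate_dacl(dacl, token.sids, desired)
    if not token.restricted_sids:
        return normal
    restricted = evaluate_dacl(dacl, token.restricted_sids, desired)
    return normal & restricted


# Constructed SIDs: a fake domain user, the well-known RESTRICTED and SYSTEM SIDs.
USER_SID       = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed
EVERYONE_SID   = "S-1-1-0"
RESTRICTED_SID = "S-1-5-12"
SYSTEM_SID     = "S-1-5-18"

# Constructed DACL resembling an HKCU hive that grants RESTRICTED read access.
HKCU_DACL = [
    Ace("allow", USER_SID, KEY_ALL_ACCESS),
    Ace("allow", SYSTEM_SID, KEY_ALL_ACCESS),
    Ace("allow", RESTRICTED_SID, KEY_READ),
]


def demo() -> dict:
    normal_tok = Token({USER_SID, EVERYONE_SID}, set())
    restricted_tok = Token({USER_SID, EVERYONE_SID}, {RESTRICTED_SID})
    # A key whose only ACE names the restricted SID: the normal pass grants
    # nothing, so the restricted SID cannot add access on its own.
    odd_dacl = [Ace("allow", RESTRICTED_SID, KEY_ALL_ACCESS)]
    return {
        "normal_max":       access_check(HKCU_DACL, normal_tok, MAXIMUM_ALLOWED),     # Full Control
        "restricted_max":   access_check(HKCU_DACL, restricted_tok, MAXIMUM_ALLOWED), # narrowed to KEY_READ
        "restricted_write": access_check(HKCU_DACL, restricted_tok, KEY_SET_VALUE),   # denied
        "never_broadened":  access_check(odd_dacl, restricted_tok, MAXIMUM_ALLOWED),  # denied
    }


if __name__ == "__main__":
    for name, mask in demo().items():
        print(f"{name:17s} 0x{mask:08X}")
```

Running it shows the case the text walks through: the first pass returns Full Control (0x000F003F) for the HKCU-style key, the restricted pass returns KEY_READ (0x00020019), and the intersection leaves the restricted process with read-only access; a write request fails outright, and an ACE that names only the restricted SID grants nothing.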
References
Running restricted: What does the "protect my computer" option mean?
http://blogs.msdn.com/aaron_margosis/archive/2004/09/10/227727.aspx
The Access Check
http://blogs.msdn.com/larryosterman/archive/2004/09/14/229658.aspx
Tools for Analyzing Access Control Configurations
With the concept introduction out of the way, we're getting closer to the fun stuff. Before
we can get to the attacks, however, we must build up an arsenal of tools capable of
dumping access tokens and security descriptors.