Windows includes these
SIDs into tokens based on how or from where the process reached the system. The following
table from TechNet describes each SID.
Chapter 16: Exploiting Windows Access Control Model for Local Elevation of Privilege
407
PART IV
INTERACTIVE
and
REMOTE
INTERACTIVE
A group that includes all users who log on interactively. A user can start an
interactive logon session by logging on directly at the keyboard, by opening a
Remote Desktop connection from a remote computer, or by using a remote
shell such as telnet. In each case, the user??™s access token contains the
Interactive SID. If the user logs on using a Remote Desktop connection, the
user??™s access token also contains the Remote Interactive Logon SID.
NETWORK A group that includes all users who are logged on by means of a network
connection. Access tokens for interactive users do not contain the Network
SID.
SERVICE A group that includes all security principals that have logged on as a service.
BATCH A group that includes all users who have logged on by means of a batch queue
facility, such as task scheduler jobs.
These SIDs end up being very useful to grant intended access while denying undesired
access. For example, during the Windows Server 2003 development cycle,
Microsoft smartly realized that the command-line utility tftp.
Pages:
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726