This isolation is created
with LOGON SIDs. Each logon session is given a unique LOGON SID in its token, allowing
Windows to limit access to an object to only those processes and threads whose token carries
the same LOGON SID. Figures 16-1, 16-9, and 16-11 earlier in the chapter were each taken
from a different logon session: each displays a different logon SID (S-1-5-5-0-62700,
S-1-5-5-0-65057, and S-1-5-5-0-13131582).
Special Access
There are a couple of DACL special cases you need to know about before you start
attacking.
Rights of Ownership
An object's owner can always open the object for READ_CONTROL and WRITE_DAC
(the right to modify the object's DACL). These rights are implicit: even if the DACL
contains deny ACEs that would otherwise block the owner, the owner can still open the
object for READ_CONTROL and WRITE_DAC. (The one exception, on Windows Vista and
later, is a DACL that contains an explicit ACE for the well-known OWNER RIGHTS SID,
S-1-3-4; that ACE replaces the implicit owner rights.) This means that anyone who is the
object's owner, or who holds the SeTakeOwnership privilege, or who has the WriteOwner
permission on an object, can always acquire Full Control of that object. Here's how:
• The SeTakeOwnership privilege implies WriteOwner permission on every object.
• WriteOwner means you can set the Owner field to yourself (or to any entity that
can legitimately become an owner, such as a group in your token flagged as an owner candidate).
• An object's owner always has the WRITE_DAC permission.
• WRITE_DAC can be used to set the DACL to grant Full Control to the new
owner.
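The four steps above, walked through on a file with the in-box tools, as an added example (this is not code from the book). It assumes a hypothetical target path, C:\Temp\target.txt, and that takeown.exe and icacls.exe are available, which they are on any supported Windows version. The two preliminary checks are deliberately simple: the DACL check only looks for an ACE naming the caller directly, not one of the caller's groups.

```powershell
# Added example, not from the book: SeTakeOwnership / WriteOwner -> Owner -> WRITE_DAC -> Full Control.
# The target path is a hypothetical placeholder; point it at a file you are allowed to test against.
param(
    [string]$Path = 'C:\Temp\target.txt'
)

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Check 1: is SeTakeOwnershipPrivilege in our token at all? Enabled or Disabled
# both count, because takeown.exe enables it in its own token before use.
$havePriv = (whoami /priv) -match 'SeTakeOwnershipPrivilege'

# Check 2: does the existing DACL grant us WriteOwner (TakeOwnership) directly?
# Simplistic: only an Allow ACE naming the caller is considered, not group ACEs.
$before = Get-Acl -Path $Path
$haveWriteOwner = $before.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -eq $me -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
}

"Owner before: $($before.Owner)"
if (-not ($havePriv -or $haveWriteOwner)) {
    throw "Neither SeTakeOwnershipPrivilege nor WriteOwner on $Path; the chain cannot start."
}

# Steps 1-2: WriteOwner (or the privilege) lets us set the Owner field to ourselves.
takeown.exe /F $Path | Out-Null
if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

# Steps 3-4: as owner we hold implicit WRITE_DAC regardless of deny ACEs,
# so rewrite the DACL to grant ourselves Full Control (F).
icacls.exe $Path /grant "${me}:F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Verify: the owner is now us and an Allow ACE granting FullControl exists.
$after = Get-Acl -Path $Path
"Owner after:  $($after.Owner)"
$after.Access | Where-Object { $_.IdentityReference -eq $me } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

If the first check fails on a file you expected to own, look for an OWNER RIGHTS (S-1-3-4) ACE in the output of icacls: when one is present, the implicit owner WRITE_DAC the last two steps rely on is replaced by whatever that ACE grants.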