What is an Access Token?

An access token in Windows is a key component of the security model. It represents the security context of a user or process, and it’s used by the system to determine access rights to resources such as files, registry keys, services, or other protected objects.

When and How Is It Created?

  • When a user logs on to a Windows system (via interactive login, remote login, etc.), the Winlogon service works with the Local Security Authority Subsystem Service (LSASS) to verify the user’s credentials.
  • Once authenticated, LSASS creates an access token for the user.
  • Every process started by the user inherits this token or a copy of it.

What Does an Access Token Contain?

An access token typically includes the following information:

  • User SID (Security Identifier): A unique ID that identifies the user.
  • Group SIDs: Identifiers for the groups the user is a member of.
  • User privileges: Specific rights assigned to the user, such as the ability to shut down the system or debug programs.
  • Default DACL (Discretionary Access Control List): Determines the default permissions for objects created by the user.
  • Token type: Indicates whether the token is a primary token or an impersonation token.
  • Session ID: Identifies the user’s session.
  • Restricted SIDs: A list used to limit the token’s access, typically for sandboxing.

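The fields listed above can be read from a process's own token. The following PowerShell function is an added example and is not code from the original article: it uses .NET's WindowsIdentity (a wrapper over the Win32 token APIs) for the user SID, group SIDs, token type and impersonation level, whoami.exe for the privilege list, and Get-Process for the session ID. It assumes Windows PowerShell 5.1 or PowerShell 7 running on Windows; the function name and output shape are the author's choices.

```powershell
# Added example (not from the original article): summarise the current
# process's access token. Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows.

function Get-CurrentTokenSummary {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Group SIDs, with a best-effort name. Some SIDs (e.g. the per-logon
    # S-1-5-5-X-Y logon SID) have no account name and are left unresolved.
    $groups = foreach ($g in $identity.Groups) {
        try   { $name = $g.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(no name)' }
        [pscustomobject]@{ Sid = $g.Value; Name = $name }
    }

    # Privileges are not exposed by WindowsIdentity, so parse whoami's CSV output.
    # State is Enabled or Disabled; a Disabled privilege is still held by the
    # token, so audit the full list rather than only the enabled entries.
    $privileges = whoami /priv /fo csv | ConvertFrom-Csv |
        Select-Object @{ n = 'Name'; e = { $_.'Privilege Name' } }, State

    # Token type: a primary token reports ImpersonationLevel 'None'; an
    # impersonation token reports Identification, Impersonation or Delegation.
    $tokenType = if ($identity.ImpersonationLevel -eq 'None') { 'Primary' } else { 'Impersonation' }

    [pscustomobject]@{
        User               = $identity.Name
        UserSid            = $identity.User.Value
        AuthenticationType = $identity.AuthenticationType   # e.g. NTLM, Kerberos
        TokenType          = $tokenType
        ImpersonationLevel = $identity.ImpersonationLevel
        SessionId          = (Get-Process -Id $PID).SessionId
        Groups             = $groups
        Privileges         = $privileges
    }
}

$summary = Get-CurrentTokenSummary
$summary | Select-Object User, UserSid, AuthenticationType, TokenType, SessionId
$summary.Groups     | Format-Table -AutoSize
$summary.Privileges | Format-Table -AutoSize
```

Run it once from a normal shell and once from an elevated one to see how the group list and privilege states differ between the two tokens the same account holds.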
Types of Access Tokens

Primary Token:
Associated with a process. It defines the default security context for all threads in that process.

Impersonation Token:
Used by a thread to temporarily adopt a different user’s security context, usually for the purpose of accessing resources on their behalf.

Impersonation and Delegation

  • Impersonation allows a thread to act as another user for local resource access.
  • Delegation extends impersonation by allowing the security context to be passed to other computers, typically used in Kerberos-based authentication within domains.

Why Are Access Tokens Important?

  • Security Enforcement: Every time a process attempts to access a resource, Windows checks its access token against the resource’s Access Control List (ACL).
  • Privilege Separation: Access tokens enable the operating system to enforce least privilege, meaning that even members of the Administrators group normally run programs with a reduced-rights token until they elevate.
  • Audit and Accountability: Access tokens allow the system to associate actions with specific users, helping track activity for auditing and forensic purposes.

Example Scenario

  1. A user logs in to the system.
  2. Windows verifies their credentials.
  3. An access token is created.
  4. Any process started by the user carries a copy of this token.
  5. If a process tries to open a file, the system checks:
    • Whether the user SID or group SIDs in the token match entries in the file’s ACL.
    • Whether the required permissions are granted.
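Step 5 of the scenario can be modelled against a real file's DACL. The function below is an added example, not code from the original article, and it is a deliberately simplified model of the check: it collects the user and group SIDs from the current token, reads the file's access rules as SIDs, and reports the Allow and Deny entries that match both a token SID and the requested right. The kernel's own AccessCheck additionally walks ACEs in DACL order, honours deny-only groups, restricted SIDs, owner rights and privileges such as backup or restore rights, so treat this as an explanation aid rather than an authorisation oracle. Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the function name and the sample path are the author's choices.

```powershell
# Added example (not from the original article): a simplified version of the
# SID-versus-ACL comparison described in the scenario above.
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows.

function Test-TokenFileAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [System.Security.AccessControl.FileSystemRights] $Right = 'ReadData'
    )

    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Step 5a: every SID the token carries (the user SID plus all group SIDs)
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    # Read the file's DACL, asking for SIDs so the match does not depend on name resolution
    $acl   = Get-Acl -Path $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $allowed = $false
    $denied  = $false
    $matched = @()

    foreach ($rule in $rules) {
        # Only ACEs whose trustee is one of the token's SIDs apply to this caller
        if ($tokenSids -notcontains $rule.IdentityReference.Value) { continue }

        # Step 5b: does this ACE cover every bit of the requested right?
        if (([int]$rule.FileSystemRights -band [int]$Right) -ne [int]$Right) { continue }

        $matched += $rule
        if ($rule.AccessControlType -eq 'Deny')  { $denied  = $true }
        if ($rule.AccessControlType -eq 'Allow') { $allowed = $true }
    }

    [pscustomobject]@{
        Path         = $Path
        Right        = $Right
        TokenUser    = $identity.Name
        MatchingAces = $matched | Select-Object IdentityReference, AccessControlType, FileSystemRights
        # Simplified rule: any matching Deny ACE overrides matching Allow ACEs
        Granted      = $allowed -and -not $denied
    }
}

# The hosts file exists on every Windows install; standard users can normally read
# but not write it, which makes the Allow/Deny outcome easy to interpret.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Test-TokenFileAccess -Path $hosts -Right ReadData
Test-TokenFileAccess -Path $hosts -Right Write
```

Comparing the two calls shows the scenario's two questions separately: which ACEs name a SID the token carries, and whether those ACEs grant the specific right being requested.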