What is this thing called, SID?

Moving a file does not recalculate inherited permissions

The Old New Thing — Thu, 24 Aug 2006 17:00:23 GMT

Inherited permissions are established at creation.

What are the access rights and privileges that control changing ownership of an object?

The Old New Thing — Thu, 18 Aug 2005 17:00:14 GMT

It's a complicated mix.

Breaking the Holy Law: Browsing the Web as administrator?

Scupper Mumblings — Tue, 18 Jan 2005 21:53:00 GMT

Security Developer Center: Columns: Browsing the Web and Reading E-mail Safely as an Administrator Part 1 ">Part 2 I got the heads up to this pair of MSDN articles by Microsoft Security Engineering Michael Howard off the activedir list and...

A bit on SIDs....

Eric Fleischman's WebLog — Tue, 05 Oct 2004 02:59:00 GMT

Running restricted -- What does the

Aaron Margosis' WebLog — Fri, 10 Sep 2004 07:10:00 GMT

What does it mean to

re: What is this thing called, SID?

Aaron Margosis — Fri, 10 Sep 2004 04:09:00 GMT

It's posted. http://blogs.msdn.com/aaron_margosis/archive/2004/09/10/227727.aspx

re: What is this thing called, SID?

Aaron Margosis — Sat, 04 Sep 2004 00:39:00 GMT

The best published description of restricted tokens that I've read is in Keith Brown's "Programming Windows Security". He doesn't cover the "protect my computer" option, though, because his book predated Windows XP, which is where that option was introduced. Solomon and Russinovich's upcoming "Windows Internals" book will have great info on it.

I am planning a post on the "protect my computer" option, focusing more on the effects perceived by the end user than about how the underlying access checks actually work. Real Soon Now.

It takes more than a couple of paragraphs to accurately describe how an access check is performed against a non-restricted SID, when you take into account deny-only and disabled SIDs. The important part is that an access check compares the union of the user's identity and the list of groups the user is a member of against the ACL of interest. With a restricted token, the access check performs two passes. The first compares the union of the user's identity and the groups against the ACL; the second test compares only the SIDs in the token's "restricting SIDs" list against the ACL. The result of the access check is essentially the intersection of the results. If the first pass grants you "full control" and the second pass grants you "read only", then you get "read only". If either test fails to grant you any access, you get no access. Although it is legal for the restricting SIDs list to include the user account's SID, the restricted token created by "protect my computer" does not. Therefore, if you're running with a "protect my computer" restricted token, you do not get access to anything that is ACLed for you only. The object needs to grant access to something else that allows the second pass to succeed. The reason that most of HKCU gives you read-only access is because "RESTRICTED" is granted read-only. (Like the example above: first pass gives you "full", second pass gives you "read", you get "read".) The NTFS permissions on your profile folder hierarchy does not grant RESTRICTED anything, so you can't access your profile folder when running with a "protect my computer" restricted token. (The reason you CAN access HKCU, which lives in a file in your profile, is because you're not accessing it directly through NTFS - if I'm not mistaken your HKCU hive is loaded by code running as System.)

As Pavel indicated, "restricting SIDs" and "deny-only SIDs" are completely different. "Restricting SIDs" are really misnamed, since the more SIDs you add to the list in a restricted token, the more you're granting access, not denying access.

I'll try to get that thing posted - sorry for the delay!

re: What is this thing called, SID?

David Candy — Fri, 03 Sep 2004 03:38:00 GMT

Apparantly http://blogs.msdn.com/aaron_margosis as been promising to talk about this for a while.

I sent him a message to remind him.

re: What is this thing called, SID?

Pavel Lebedinsky — Fri, 03 Sep 2004 03:31:00 GMT

I'm using pview from Platform SDK (Program Files\Microsoft SDK\Bin\winnt). It is definitely more recent than NT4 - in fact, the version number is 5.2.3790.0 which is Win2K3.

NT4 version probably doesn't show restricting SIDs anyway as I believe this feature was introduced in Win2K.

I believe that the reason why "protect my computer" feature doesn't get more coverage is because it's not really secure. For example, I don't think it can prevent malicious code from sending window messages to other programs running as the user (a "shatter"-style attack).

I still occasionally run IE in restricted mode but I definitely don't count on it as my only protection.

re: What is this thing called, SID?

David Candy — Fri, 03 Sep 2004 01:06:00 GMT

Only the NT4 version of Pview has a button for token and that is greyed out. All the other pview/pviewer (Pview now was pviewer in NT4)are of a different style (XP support tools/MSDN 7.1(whatever that is)/VS6) and only show memory stats.

I'll have to find a CD with the sdk on it (I only have filed CDs I got 5 years ago - I gave up filing then - so I know exactly where 1998 sdk cd is but not any more recent). But that makes some sense what you are saying.

This page will end up as the definitive documentation on this feature. But I can't believe MS built in a prominent GUI feature without any reference mention of it anywhere and a wrong article about how good it is.

Larry will end up being known as the "Protect My Computer" king.