Access Token with conflicting SIDs



My application is running on an Administrator group account. The
application's access token has 8 SIDs in it including "Everyone" and
"Administrator" and all 8 have the SE_GROUP_MANDATORY attributes set.

The trouble I'm having is trying to get my application to have READ and
WRITE access rights on a registry key that has the following
permissions: Everyone(deny all) and Administrators(Full Control). The
deny all on the Everyone group seems to trump the full control of the
Administrators group.

I know that I can take ownership of the key (being an administrator)
and set the DACL to NULL, thereby giving my application the desired
access. But this strategy would also require me to store the original
DACL so that I would be able to restore the key to its secured state
when I'm done manipulating the key. Not sure that I like that idea
because it leaves the key vulnerable until I can reset the DACL and if
my app crashes or is terminated by the user or malware the key may be
left unsecured.

My other thought was to modify my application's access token to only
have the administrator's SID in it. My reasoning is that with only the
Admin SID in my access token, the checks against the key's Deny ACEs
(for the Everyone group), at the beginning of its DACL, won't interfere
with my access to the key.

Anyone have any thoughts on how to clear out all the SIDs in my access
token that are hampering me, given that they appear to be mandatory (as
stated in the first paragraph)? Or maybe any better ideas on how to
allow my application to have unfettered access to these secure registry
keys?

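As an added illustration (not code from the post, and a portable model of the rules rather than the Windows AccessCheck API), this C walks a DACL the way the question describes: ACEs are evaluated in order, a matching Deny ACE ends the check, and a SID that has merely been marked use-for-deny-only (what CreateRestrictedToken's SidsToDisable does) still matches Deny ACEs, so disabling Everyone that way does not get past the deny. The SID strings, access-mask constants and the two-flag attribute model are simplifications assumed here.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model of the Windows DACL walk (portable illustration, not the real AccessCheck API). */
enum { ACE_ALLOW, ACE_DENY };
enum { SID_ENABLED = 1, SID_DENY_ONLY = 2 };  /* ~ SE_GROUP_ENABLED / SE_GROUP_USE_FOR_DENY_ONLY */
#define SID_EVERYONE   "S-1-1-0"        /* well-known Everyone SID */
#define SID_ADMINS     "S-1-5-32-544"   /* well-known BUILTIN\Administrators SID */
#define KEY_READ       0x00020019u
#define KEY_WRITE      0x00020006u
#define KEY_ALL_ACCESS 0x000F003Fu

typedef struct { const char *sid; unsigned attrs; } token_sid;
typedef struct { int type; const char *sid; uint32_t mask; } ace;

/* An enabled SID matches any ACE; a deny-only SID matches Deny ACEs but never Allow ACEs. */
static int token_matches(const token_sid *tok, size_t n, const char *sid, int for_deny) {
    for (size_t i = 0; i < n; i++) {
        if (strcmp(tok[i].sid, sid) != 0) continue;
        if (tok[i].attrs & SID_ENABLED) return 1;
        if (for_deny && (tok[i].attrs & SID_DENY_ONLY)) return 1;
    }
    return 0;
}

/* ACEs are evaluated in order. A Deny ACE whose SID is in the token and whose mask overlaps any
 * still-ungranted bit ends the check with failure; Allow ACEs accumulate granted bits.
 * Returns 1 if every requested bit was granted, 0 otherwise. */
int access_check(const token_sid *tok, size_t ntok, const ace *dacl, size_t nace, uint32_t desired) {
    if (dacl == NULL) return 1;  /* NULL DACL: no protection at all, everything is allowed */
    uint32_t remaining = desired;
    for (size_t i = 0; i < nace && remaining != 0; i++) {
        if (dacl[i].type == ACE_DENY) {
            if ((dacl[i].mask & remaining) && token_matches(tok, ntok, dacl[i].sid, 1)) return 0;
        } else if (token_matches(tok, ntok, dacl[i].sid, 0)) {
            remaining &= ~dacl[i].mask;
        }
    }
    return remaining == 0;
}

/* The key's DACL from the post: Everyone (deny all) first, then Administrators (Full Control). */
const ace key_dacl[] = { { ACE_DENY, SID_EVERYONE, 0xFFFFFFFFu }, { ACE_ALLOW, SID_ADMINS, KEY_ALL_ACCESS } };

/* The post's question: can a token holding Administrators (enabled) plus Everyone with the given
 * attributes (0 = Everyone absent from the token) get READ and WRITE on the key? */
int admin_can_read_write(unsigned everyone_attrs) {
    token_sid tok[] = { { SID_ADMINS, SID_ENABLED }, { SID_EVERYONE, everyone_attrs } };
    return access_check(tok, everyone_attrs ? 2 : 1, key_dacl, 2, KEY_READ | KEY_WRITE);
}
```

Only a token in which Everyone is absent altogether passes this DACL; a token with Everyone enabled or deny-only is stopped by the first ACE, and a NULL DACL grants everything to everyone, which is the exposure the post worries about.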


