Re: Access Token with conflicting SIDs
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Wed, 07 Dec 2005 20:21:23 -0500
You really should read up on Windows Access Control in MSDN.
Start here
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/access_control_lists.asp
Basically, deny overrides grant. If you have inheritance going on, this gets a little trickier. An inherited deny can be overridden by an inherited grant that is applied lower in the hierarchy or by an explicit grant. An explicit deny cannot be overridden.
You could play with your token but I have doubts on how successful you will be trying to remove everyone.
-- Joe Richards Microsoft MVP Windows Server Directory Services www.joeware.net
hull.cary@xxxxxxxxx wrote:
My application is running on an Administrator group account. The application's access token has 8 SIDs in it including "Everyone" and "Administrator" and all 8 have the SE_GROUP_MANDATORY attributes set.
The trouble I'm having is trying to get my application to have READ and WRITE access rights on a registry key that has the following permissions: Everyone(deny all) and Administrators(Full Control). The deny all on the Everyone group seems to trump the full control of the Administrators group.
I know that I can take ownership of the key (being an administrator) and set the DACL to NULL, thereby giving my application the desired access. But this strategy would also require me to store the original DACL so that I would be able to restore the key to its secured state when I'm done manipulating the key. Not sure that I like that idea because it leaves the key vulnerable until I can reset the DACL and if my app crashes or is terminated by the user or malware the key may be left unsecure.
My other thought was to modify my application's access token to only have the administrator's SID in it. My reasoning is that with only the Admin SID in my access token, the checks against the key's Deny ACEs (for the Everyone group), at the beginning of its DACL, won't interfere with my access to the key.
Anyone have any thoughts on how to clear out all the SIDs in my access token that are hampering me, given that they appear to be mandatory (as stated in the first paragraph)? Or maybe any better ideas on how to allow my application to have unfettered access to these secure registry keys?
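The ACE-by-ACE evaluation discussed in this thread, as an added example that is not part of either post: a simplified C model of the DACL walk showing why the order of deny and allow ACEs decides the result. The `MODEL_*` bits, struct names, sample tokens and sample DACLs are constructed for illustration; the model ignores owner rights, privileges and inherit-only ACEs, and its `deny_only` flag stands in for the `SE_GROUP_USE_FOR_DENY_ONLY` group attribute.

```c
/* Simplified model of the Windows DACL walk. All names and data are constructed. */
#include <stdio.h>
#include <string.h>

#define MODEL_READ  0x1u
#define MODEL_WRITE 0x2u
#define MODEL_ALL   (MODEL_READ | MODEL_WRITE)

enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace   { enum ace_type type; const char *sid; unsigned mask; };
struct group { const char *sid; int deny_only; }; /* deny_only: matched by deny ACEs only */

/* Returns 1 if every bit in `desired` is granted, 0 otherwise. */
int access_check(const struct group *tok, size_t ntok,
                 const struct ace *dacl, size_t nace, unsigned desired)
{
    unsigned granted = 0;
    /* ACEs are read in stored order; the walk stops once all bits are granted. */
    for (size_t i = 0; i < nace && (granted & desired) != desired; i++) {
        for (size_t j = 0; j < ntok; j++) {
            if (strcmp(tok[j].sid, dacl[i].sid) != 0)
                continue;
            if (dacl[i].type == ACE_DENY) {
                /* A deny ACE fails the request for any bit not granted yet. */
                if (dacl[i].mask & desired & ~granted)
                    return 0;
            } else if (!tok[j].deny_only) {
                granted |= dacl[i].mask;
            }
        }
    }
    return (granted & desired) == desired;
}

/* Constructed tokens: a normal admin token, and one with Everyone marked deny-only. */
static const struct group tok_admin[]      = { {"Everyone", 0}, {"Administrators", 0} };
static const struct group tok_restricted[] = { {"Everyone", 1}, {"Administrators", 0} };

/* The key from the question: the deny ACE sits ahead of the allow ACE. */
static const struct ace key_dacl[] = {
    { ACE_DENY,  "Everyone",       MODEL_ALL },
    { ACE_ALLOW, "Administrators", MODEL_ALL },
};
/* Canonical order stores explicit ACEs before inherited ones. */
static const struct ace child_dacl[] = {
    { ACE_ALLOW, "Administrators", MODEL_ALL },  /* explicit allow */
    { ACE_DENY,  "Everyone",       MODEL_ALL },  /* inherited deny */
};

int main(void)
{
    printf("key, admin token:        %d\n", access_check(tok_admin, 2, key_dacl, 2, MODEL_ALL));
    printf("child key, admin token:  %d\n", access_check(tok_admin, 2, child_dacl, 2, MODEL_ALL));
    printf("key, Everyone deny-only: %d\n", access_check(tok_restricted, 2, key_dacl, 2, MODEL_READ));
    return 0;
}
```

In the third case the deny ACE still matches, because a deny-only SID remains subject to deny ACEs and is ignored only for allow ACEs.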