Re: [ntdev] Admin process in kernel mode

You should also note that almost any action that you think of as being 'administrators only' can be delegated to any security principal. That is the whole point of using an ACL instead of checking for a specific group (like builtin\administrators).

Windows has convenient ready-to-go functions to create and check ACLs, and usually you only need to specify which one you want and Windows does the rest.

Sent from Surface Pro

From: Scott Noone
Sent: Tuesday, March 17, 2015 9:13 AM
To: Windows System Software Devs Interest List

Individual privileges can be assigned to any user, there is no privilege
that says “this is an admin”. That’s what the SIDs in the Token are for,
they indicate the user and member groups of the process’ creator. As Max
noted, SeTokenIsAdmin tells you if the Token contains the SID for the local
administrators group. You could also roll your own equivalent (or
additional) functionality by calling SeQueryInformationToken.

-scott
OSR
@OSRDrivers

wrote in message news:xxxxx@ntdev…

And if I want to use SeSinglePrivilegeCheck function is there any privilege
to determine whether it’s admin process or not? Or maybe I have to use e.g.
SE_TAKE_OWNERSHIP_PRIVILEGE?


NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

I am surprised that you identify a subtle issue with the semantics of the call without pointing out that any check for security that looks only at a specific token is broken as designed. It takes less effort to program an ACL than to restrict an action to administrators, and it is infinitely less flexible. Bugs in the OS notwithstanding, it is also more secure in an enterprise environment and makes little difference on a consumer device.

Sent from Surface Pro

From: xxxxx@videotron.ca
Sent: Tuesday, March 24, 2015 7:49 PM
To: Windows System Software Devs Interest List

Be very careful with SeTokenIsAdmin… until March 2015, the Windows 7 and down-level version of this function has a subtle security issue: it does not properly validate if the token is an impersonation token or not – it is therefore the responsibility of the caller to check this before calling the function. 12 different vulnerable pieces of kernel code have already been fixed in the last 3-4 months to deal with this – don’t let your driver become part of the problem :)

SeSinglePrivilegeCheck does not have this issue, but is obviously meant for different uses.


Best regards,
Alex Ionescu
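The caller-side check Alex describes, as an added illustration that is not part of the thread and not the Windows API: a user-mode C model of a token (type, impersonation level, group SIDs) showing how a SID-only admin test accepts an identification-level impersonation token, and how gating on token type and level first (in a real driver, the values SeQueryInformationToken returns for TokenType and TokenImpersonationLevel) rejects it. The TOKEN_MODEL struct, the function names and the sample tokens are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Values mirror the kernel's TOKEN_TYPE and SECURITY_IMPERSONATION_LEVEL. */
typedef enum { TokenPrimary = 1, TokenImpersonation = 2 } TOKEN_TYPE;
typedef enum { SecurityAnonymous, SecurityIdentification,
               SecurityImpersonation, SecurityDelegation } SECURITY_IMPERSONATION_LEVEL;

#define ADMINISTRATORS_SID "S-1-5-32-544"   /* well-known BUILTIN\Administrators */

/* Constructed stand-in for a kernel TOKEN: only the fields the check needs. */
typedef struct {
    TOKEN_TYPE type;
    SECURITY_IMPERSONATION_LEVEL level;   /* meaningful only for impersonation tokens */
    const char *groups[4];                /* NULL-terminated list of group SID strings */
} TOKEN_MODEL;

/* The SID-only test: what a check that ignores token type amounts to. */
bool token_has_admin_group(const TOKEN_MODEL *t)
{
    for (size_t i = 0; t->groups[i] != NULL; i++)
        if (strcmp(t->groups[i], ADMINISTRATORS_SID) == 0)
            return true;
    return false;
}

/* Caller-side gate: a primary token is always usable; an impersonation token
 * only counts if the client let the server act on its behalf, i.e. the level
 * is SecurityImpersonation or higher. Identification-level tokens carry the
 * client's SIDs but grant no right to act as the client. */
bool token_is_usable_for_admin_check(const TOKEN_MODEL *t)
{
    if (t->type == TokenPrimary)
        return true;
    return t->type == TokenImpersonation && t->level >= SecurityImpersonation;
}

/* Gate first, then look at the groups. */
bool caller_is_admin(const TOKEN_MODEL *t)
{
    return token_is_usable_for_admin_check(t) && token_has_admin_group(t);
}

/* Constructed sample tokens (Everyone = S-1-1-0, Users = S-1-5-32-545). */
const TOKEN_MODEL primary_admin     = { TokenPrimary, SecurityAnonymous,
                                        { "S-1-1-0", ADMINISTRATORS_SID, NULL } };
const TOKEN_MODEL ident_only_admin  = { TokenImpersonation, SecurityIdentification,
                                        { "S-1-1-0", ADMINISTRATORS_SID, NULL } };
const TOKEN_MODEL impersonated_user = { TokenImpersonation, SecurityImpersonation,
                                        { "S-1-1-0", "S-1-5-32-545", NULL } };
```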

