Library

Access token

Share on Facebook Share on Twitter Email
Computer Desktop Encyclopedia:

access token

Top
Home > Library > Technology > Computer Encyclopedia

In Windows, an internal security card that is generated when users log in. It contains the security IDs (SIDs) for the user and all the groups the user belongs to. A copy of the access token is assigned to every process launched by the user.

Download Computer Desktop Encyclopedia to your PC, iPhone or Android.

Wikipedia on Answers.com:

Access token

Top
Home > Library > Miscellaneous > Wikipedia
This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. (August 2010)

In Microsoft Windows operating systems, an access token contains the security information for a login session and identifies the user, the user's groups, and the user's privileges.

Contents

Overview

An access token is an object encapsulating the security descriptor of a process.[1] Attached to a process, a security descriptor identifies the owner of the object (in this case, the process) and ACLs that specify access rights allowed or denied to the owner of the object.[2][3] While a token is used to represent only the security information, it is technically free-form and can enclose any data. The access token is used by Windows when the process or thread tries to interact with objects whose security descriptors enforce access control (securable objects).[1] An access token is represented by the system object of type Token. Because a token is a regular system object, access to a token itself can be controlled by attaching a security descriptor, but it is generally never done in practice.

The access token is generated by the logon service when a user logs on to the system and the credentials provided by the user are authenticated against the authentication database, by specifying the rights the user has in the security descriptor enclosed by the token. The token is attached to every process created by the user session (processes whose owner is the user).[1] Whenever such a process accesses any resource which has access control enabled, Windows looks up in the security descriptor in the access token whether the user owning the process is eligible to access the data, and if so, what operations (read, write/modify, etc.) the user is allowed to do. If the accessing operation is allowed in the context of the user, Windows allows the process to continue with the operation, else it is denied access.

Types of tokens

There are two types of tokens:

Primary token
Primary tokens can only be associated to processes, and they represent a process's security subject. The creation of primary tokens and their association to processes are both privileged operations, requiring two different privileges in the name of privilege separation - the typical scenario sees the authentication service creating the token, and a logon service associating it to the user's operating system shell. Processes initially inherit a copy of the parent process's primary token. Impersonation tokens can only be associated to threads, and they represent a client process's security subject. Impersonation tokens are usually created and associated to the current thread implicitly, by IPC mechanisms such as DCE RPC, DDE and named pipes.
Impersonation token
Impersonation is a security concept unique to Windows NT, that allows a server application to temporarily "be" the client in terms of access to secure objects. Impersonation has three possible levels: identification, letting the server inspect the client's identity, impersonation, letting the server act on behalf of the client, and delegation, same as impersonation but extended to remote systems to which the server connects (through the preservation of credentials). The client can choose the maximum impersonation level (if any) available to the server as a connection parameter. Delegation and impersonation are privileged operations (impersonation initially wasn't, but historical carelessness in the implementation of client APIs failing to restrict the default level to "identification", letting an unprivileged server impersonate an unwilling privileged client, called for it).

Contents of a token

A token is composed of various fields, including but not limited to:

  • an identifier.
  • the identifier of the associated logon session. The session is maintained by the authentication service, and is populated by the authentication packages with a collection of all the information (credentials) the user provided when logging in. Credentials are used to access remote systems without the need for the user to re-authenticate (single sign-on), provided that all the systems involved share an authentication authority (e.g. a Kerberos ticket server)
  • the user identifier. This field is the most important and it's strictly read-only.
  • the identifiers of groups the user (or, more precisely, the subject) is part of. Group identifiers cannot be deleted, but they can be disabled. At most one of the groups is designated as the session id, a volatile group representing the logon session, allowing access to volatile objects associated to the session, such as the display.
  • the restricting group identifiers (optional). This additional set of groups doesn't grant additional access, but further restricts it: access to an object is only allowed if it's allowed also to one of these groups. Restricting groups cannot be deleted nor disabled. Restricting groups are a recent addition, and they are used in the implementation of sandboxes.
  • the privileges, i.e. special capabilities the user has. Most privileges are disabled by default, to prevent damage from non-security-conscious programs. Starting in Windows XP Service Pack 2 and Windows Server 2003 privileges can be permanently removed from a token by a call to AdjustTokenPrivileges() with the SE_PRIVILEGE_REMOVED attribute.
  • the default owner, primary group and ACL for objects created by the subject associated to the token.

References

  1. ^ a b c "Access Tokens". MSDN. http://msdn2.microsoft.com/en-us/library/Aa374909.aspx. Retrieved 2007-10-08. 
  2. ^ "Security Descriptors". http://msdn2.microsoft.com/en-us/library/aa379563.aspx. Retrieved 2007-10-08. 
  3. ^ "Securable Objects". http://msdn2.microsoft.com/en-us/library/aa379557.aspx. Retrieved 2007-10-08. 

This entry is from Wikipedia, the leading user-contributed encyclopedia. It may not have been reviewed by professional editors (see full disclaimer)

Related answers

How do you access MS access from C? Read answer...
Who generates the token in token ring? Read answer...
What is token? Read answer...
What is a token? Read answer...

Help us answer these

Do all processes in windows xp require an access token?
Is token passing access method used in broadcast?
token ring network is based on which media access technique?
As a security principle Why do tokens that grant access have to have expiration?

Post a question - any question - to the WikiAnswers community:

Copyrights:

Cite
Computer Desktop Encyclopedia THIS DEFINITION IS FOR PERSONAL USE ONLY.
All other reproduction is strictly prohibited without permission from the publisher.
© 1981-2012 The Computer Language Company Inc.  All rights reserved. Read more
Cite
Wikipedia on Answers.com This article is licensed under the Creative Commons Attribution/Share-Alike License. It uses material from the Wikipedia article Access token. Read more

Related answers

When is a user's access token generated?
Which access method is used in Token Ring?
What is token based media access?
What is tokens as in token ring networks?
» More

Answer these

What is included in an access token?
How does a host token ring gain access?
Why token passes a control access procedure?
All processes in Windows XP require an access token?
» more

Featured guides

» More

Mentioned in

token ring network (technology)
SID (technology)
PC network (technology)
authentication server (technology)
token bus network (technology)
» More