Access Token
An Access Token is a data object that contains the security credentials for a login session.
- Example(s):
  - a Primary Token,
  - an Impersonation Token,
  - …
- Counter-Example(s):
- See: User (Computing), Login Session, Access Control List (ACL), Discretionary Access Control List (DACL), Access Control Entry (ACE), System Access Control List (SACL), Active Directory Service Interface (ADSI).
References
2021
- (Microsoft Ignite, 2021) ⇒ https://docs.microsoft.com/en-gb/windows/win32/secauthz/access-tokens?redirectedfrom=MSDN Retrieved:2021-10-30.
- QUOTE: An access token is an object that describes the security context of a process or thread. The information in a token includes the identity and privileges of the user account associated with the process or thread. When a user logs on, the system verifies the user's password by comparing it with information stored in a security database. If the password is authenticated, the system produces an access token. Every process executed on behalf of this user has a copy of this access token.
The system uses an access token to identify the user when a thread interacts with a securable object or tries to perform a system task that requires privileges. Access tokens contain the following information:
- The security identifier (SID) for the user's account;
- SIDs for the groups of which the user is a member;
- A logon SID that identifies the current logon session;
- A list of the privileges held by either the user or the user's groups;
- An owner SID;
- The SID for the primary group;
- The default DACL that the system uses when the user creates a securable object without specifying a security descriptor;
- The source of the access token;
- Whether the token is a primary or impersonation token;
- An optional list of restricting SIDs;
- Current impersonation levels;
- Other statistics;
- Every process has a primary token that describes the security context of the user account associated with the process. By default, the system uses the primary token when a thread of the process interacts with a securable object. Moreover, a thread can impersonate a client account. Impersonation allows the thread to interact with securable objects using the client's security context. A thread that is impersonating a client has both a primary token and an impersonation token.
2020
- (Wikipedia, 2020) ⇒ https://en.wikipedia.org/wiki/Access_token Retrieved:2020-10-2.
- In computer systems, an access token contains the security credentials for a login session and identifies the user, the user's groups, the user's privileges, and, in some cases, a particular application. Typically one may be asked to enter the access token (e.g. 40 random characters) rather than the usual password (it therefore should be kept secret just like a password).
2020
- (Wikipedia, 2020) ⇒ https://en.wikipedia.org/wiki/Access_token#Overview Retrieved:2020-10-2.
- An access token is an object encapsulating the security identity of a process or thread. A token is used to make security decisions and to store tamper-proof information about some system entity. While a token is generally used to represent only security information, it is capable of holding additional free-form data that can be attached while the token is being created. Tokens can be duplicated without special privilege, for example to create a new token with lower levels of access rights to restrict the access of a launched application. An access token is used by Windows when a process or thread tries to interact with objects that have security descriptors (securable objects). In Windows, an access token is represented by the system object of type Token. An access token is generated by the logon service when a user logs on to the system and the credentials provided by the user are authenticated against the authentication database. The authentication database contains credential information required to construct the initial token for the logon session, including its user id, primary group id, all other groups it is part of, and other information. The token is attached to the initial process created in the user session and inherited by subsequent processes created by the initial process. Whenever such a process opens a handle to any resource which has access control enabled, Windows reconciles the data in the target object's security descriptor with the contents of the current effective access token. The result of this access check evaluation is an indication of whether any access is allowed and, if so, what operations (read, write/modify, etc.) the calling application is allowed to perform.
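- Added example (PowerShell; not part of this page or of the Microsoft documentation quoted above): it reads the token contents that .NET exposes for the calling process (user SID, group SIDs, impersonation level, which is None for a primary token) and then walks a file's DACL in order, the way the access check described above reconciles the token's SIDs with the object's security descriptor. It is a deliberate simplification: restricting (deny-only) SIDs, owner rights, privileges and the token's default DACL are assumed out of scope, and the `$Path` parameter is an assumption.

```powershell
# Inspect the current process's access token and run a simplified DACL walk
# against one object. Simplifications: no restricting SIDs, no owner-rights
# handling, no privileges; only User + Groups from the token are matched.
param([string]$Path = $env:SystemRoot)   # assumed: any local path to check

$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Token contents that .NET exposes directly
"User SID           : $($id.User.Value) ($($id.Name))"
"Impersonation level: $($id.ImpersonationLevel)"   # None => primary token
"Group SIDs         : $($id.Groups.Count)"
$tokenSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

# Requested access as a raw access mask; Allow ACEs accumulate bits into $granted
$requested = [int][System.Security.AccessControl.FileSystemRights]::Write
$granted   = 0

# Ask for ACEs with SecurityIdentifier references so no name translation is needed
$acl  = Get-Acl -LiteralPath $Path
$aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

foreach ($ace in $aces) {
    $aceSid = $ace.IdentityReference.Value
    if ($tokenSids -notcontains $aceSid) { continue }   # ACE does not apply to this token
    $aceRights = [int]$ace.FileSystemRights
    $remaining = $requested -band (-bnot $granted)
    # A Deny ACE that covers any still-requested right ends the check immediately
    if ($ace.AccessControlType -eq 'Deny' -and ($aceRights -band $remaining) -ne 0) {
        "DENIED  : Deny ACE for $aceSid blocks requested access on $Path"
        return
    }
    if ($ace.AccessControlType -eq 'Allow') {
        $granted = $granted -bor ($aceRights -band $requested)
        if (($granted -band $requested) -eq $requested) {
            "ALLOWED : all requested rights granted on $Path (mask 0x{0:X})" -f $granted
            return
        }
    }
}
"DENIED  : no Allow ACE in the DACL grants the requested rights to this token"
```

Run it in a non-elevated and an elevated session against the same path to see how the group SIDs present in the token change the outcome.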