Windows Privileges and Integrity Levels

  • Privileges = permissions of a specific account to perform system-related local operations
    • modifying the filesystem
    • adding users
    • shutting down the system
    • etc.
  • How this concept of privileges manifests
    • Access Token Objects
      • Once a user is authenticated, Windows generates an access token object that is assigned to that user.
      • The token itself contains various pieces of information that effectively describe the security context of a given user, including the user privileges.
    • Security Identifiers, a.k.a. SIDs
      • Objects (such as tokens, groups, or user accounts) are uniquely identified by a security identifier, or SID
      • These SIDs are generated and maintained by the Windows Local Security Authority
    • Integrity Mechanism
      • assigns one of four integrity levels to application processes and securable objects
        • System: SYSTEM rights
        • High: administrative rights
        • Medium: standard user rights
        • Low: very restricted rights (often used in sandboxed processes)
      • these levels describe how much trust the operating system places in a running application or securable object
        • E.g.: the configured integrity level dictates what actions an application can perform, including whether it can read from or write to the local file system. Specific APIs can also be blocked for lower integrity levels.
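Added example (not part of the original notes): a PowerShell snippet that opens the current process's access token and reads its user SID and mandatory integrity label through the Win32 token API, then maps the label RID onto the four levels listed above. The `TokenInfo` class and `GetIntegrityRid` function are names chosen here; it assumes Windows PowerShell 5.1 or later on Windows.

```powershell
# Added example, not from the original notes: read the current process token's
# SID and mandatory integrity label via OpenProcessToken/GetTokenInformation.
$src = @'
using System; using System.Runtime.InteropServices;
public static class TokenInfo {
  [DllImport("advapi32.dll", SetLastError=true)]
  static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr tok);
  [DllImport("advapi32.dll", SetLastError=true)]
  static extern bool GetTokenInformation(IntPtr tok, int cls, IntPtr buf, int len, out int need);
  [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthority(IntPtr sid, uint idx);
  [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
  [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
  [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
  const uint TOKEN_QUERY = 0x0008;
  const int TokenIntegrityLevel = 25;  // TOKEN_INFORMATION_CLASS enum value
  // Returns the RID of the token's mandatory label SID (S-1-16-<rid>).
  public static uint GetIntegrityRid() {
    IntPtr tok; int need;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out tok))
      throw new System.ComponentModel.Win32Exception();
    GetTokenInformation(tok, TokenIntegrityLevel, IntPtr.Zero, 0, out need); // size probe
    IntPtr buf = Marshal.AllocHGlobal(need);
    try {
      if (!GetTokenInformation(tok, TokenIntegrityLevel, buf, need, out need))
        throw new System.ComponentModel.Win32Exception();
      IntPtr sid = Marshal.ReadIntPtr(buf);  // TOKEN_MANDATORY_LABEL.Label.Sid
      byte n = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
      return (uint)Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(n - 1)));
    } finally { Marshal.FreeHGlobal(buf); CloseHandle(tok); }
  }
}
'@
Add-Type -TypeDefinition $src

# Map the label RID to the four levels from the notes; any other RID is shown raw.
$levels = @{ 0x1000 = 'Low'; 0x2000 = 'Medium'; 0x3000 = 'High'; 0x4000 = 'System' }
$rid  = [TokenInfo]::GetIntegrityRid()
$name = if ($levels.ContainsKey([int]$rid)) { $levels[[int]$rid] } else { 'Other (0x{0:X})' -f $rid }

$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"User SID        : $($id.User.Value)"
"Integrity label : S-1-16-$rid ($name)"
"Groups in token : $($id.Groups.Count)"
# Cross-check with the built-in tool: 'whoami /groups' shows the same label under
# 'Mandatory Label', and 'whoami /priv' lists the privileges held by this token.
```

Running the same script from a normal console and from an elevated one shows the label move from Medium (S-1-16-8192) to High (S-1-16-12288) for the same user SID, which is the integrity mechanism described above in action.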

Relevant Note(s): Windows Basics Privilege Escalation