共用方式為


Access Tokens Tools and Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Access Tokens Tools and Settings

In this section

  • Access Tokens Tools

  • Access Tokens Registry Entries

  • Access Tokens Group Policy Settings

  • Access Tokens WMI Classes

Access Tokens Tools

The following tools are associated with access tokens.

Dsa.msc: Active Directory Users and Computers

Category

Active Directory Users and Computers is a Microsoft Management Console (MMC) snap-in that is installed automatically when you install Active Directory. This tool also ships with the Administration Tools Pack (Adminpak.msi).

You can access the tool from the Start menu: Click Start, then click Programs,then click Administrative Tools,and then click Active Directory Users and Computers.

Version Compatibility

Active Directory Users and Computers runs on domain controllers that are running Windows Server 2003 and Windows 2000. In both of these server systems, MMC provides a window in the user interface where you can add, configure, and control items. Active Directory Users and Computers is the MMC snap-in that you can use to administer and publish information in the directory.

The Windows Server 2003 version of Active Directory Users and Computers can target domain controllers that are running Windows Server 2003 or Windows 2000.

On administrative workstations that are running Windows XP Professional or Windows 2000, you can install the Windows Server 2003 Administration Tools Pack (Adminpak.msi) from the i386 directory on the Windows Server 2003 CD. This version of the Administration Tools Pack encrypts and signs LDAP traffic between the administrative tool clients and domain controllers.

Note

  • You cannot run the Microsoft Windows Server 2003 Administration Tools Pack (Adminpak.msi) on a computer that is running Windows XP Professional, Windows XP Home Edition, or Windows XP 64-Bit Edition Version 2003 without Windows XP Service Pack 1 (SP1).

You can manage the following objects and their associated properties with this tool, which in turn will affect access tokens created for these objects.

Active Directory Users and Computers Object Management

Object Type Changes That Affect Access Tokens

User objects

Configure user or service account for delegation.

Computer objects

Configure computer account for delegation. This will affect services running under the local System account.

To find more information about Active Directory Users and Computers, see Windows Server 2003 Tools Help in the Tools and Settings Collection.

Ntrights.exe: Ntrights

Category

Ntrights is included in the Windows Server 2003 Resource Kit and the Windows 2000 Resource Kit.

Version compatibility

Ntrights is supported for Windows Server 2003, Windows XP Professional, and Windows 2000.

Ntrights is a command-line tool that enables you to assign or revoke a right for a user or group of users on a local or remote computer. You can also place an entry that notes the change in the event log of the computer.

Ntrights is useful in unattended or automated installations during which you might want to change the default rights. You can also use the tool in situations where you need to change a right in an existing installation, but you cannot access and log on to all computers.

To find more information about Ntrights, see Windows Server 2003 Resource Kit Tools Help in the Tools and Settings Collection.

Services.msc: Services

Category

Services is a Microsoft Management Console (MMC) snap-in that is automatically installed when you install Windows Server 2003. There are two ways to access the tool:

  • Click Start, then click Programs,then click Administrative Tools,and then click Services.

Or,

  • Right-click My Computer, and then click Manage.
Version compatibility

Services runs on systems that are running Windows Server 2003, Windows XP, and Windows 2000.

Services can configure the security context of services that impact access tokens. Services affects access tokens when you use it to:

  • Manage the services on your computer.

  • Set up recovery actions to take place if a service fails.

  • Create custom names and descriptions for services so you can easily identify them.

To find more information about Services, see Windows Server 2003 Tools Help in the Tools and Settings Collection.

Showpriv.exe: Show Privilege

Category

Show Privilege is included in the Windows Server 2003 Resource Kit and the Windows 2000 Resource Kit.

Version Compatibility

Show Privilege is supported for Windows Server 2003, Windows XP Professional, and Windows 2000.

Show Privilege is a command-line tool that displays the rights assigned to users and groups. The tool must be run locally on the target computer. To display users and groups that have domain privileges, Show Privilege must be run on a domain controller. The following table shows the privileges specific to access tokens.

Access Token Privileges

Privilege Name Equivalent Security Policy User Right Setting Description

SeCreateTokenPrivilege

Create a token object

Allows a process to create an access token.

SeAssignPrimaryTokenPrivilege

Replace a process-level token

Allows a process that has this privilege to replace the access token associated with a process.

SeImpersonatePrivilege

Impersonate a client after authentication

Allows a process to impersonate.

To find more information about Show Privilege, see Windows Server 2003 Resource Kit Tools Help in the Tools and Settings Collection.

Whoami.exe: Whoami

Category

Whoami is a command-line tool included in the Windows Server 2003 family. The tool is also included in the Windows 2000 Resource Kit.

Version Compatibility

Whoami is supported for Windows Server 2003 and Windows 2000.

You can use this command-line tool to display the complete contents of the access token in the command window. For the current user’s security context, Whoami can display, for example:

  • User name and security identifier (SID)

  • Groups and their SIDs

  • Privileges and their status (for example, enabled or disabled)

  • Logon ID

To find more information about Services, see Windows Server 2003 Tools Help in the Tools and Settings Collection.

Access Tokens Registry Entries

The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as MMC to accomplish tasks. If you must edit the registry, use extreme caution.

The following registry settings that affect access tokens cannot be modified by using Group Policy or other Windows tools.

EveryoneIncludesAnonymous

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

Version compatibility

EveryoneIncludesAnonymous is supported for Windows Server?2003 and Windows XP.

This registry setting controls whether the Everyone SID is included in the access token generated for an anonymous user.

EveryoneIncludesAnonymous Settings

Setting Effect

0

(default) Do not include the Everyone SID in the access token generated for an anonymous user.

1

Include the Everyone SID in the access token generated for an anonymous user.

RestrictAnonymous

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

Version compatibility

RestrictAnonymous is supported for Windows Server 2003, Windows XP, and Windows 2000.

This registry setting restricts anonymous users from displaying lists of users, and from viewing security permissions.

RestrictAnonymous Settings

Setting Effect

0

(default) Anonymous users are not restricted. Rely on default permissions.

1

Do not allow enumeration of Security Accounts Manager (SAM) accounts and shares.

2

In Windows 2000, do not include the Everyone SID in the access token generated for an Anonymous user.

Not supported in Windows Server 2003.

Results of Anonymous User Settings

Anonymous User: Windows 2000

Restrict Anonymous Setting Can Enumerate Local SAM Accounts and Shares? Can Access Other Securable Objects If:

0

Yes

Anonymous or Everyone is granted access by the object’s access control list (ACL).

1

No

Anonymous or Everyone is granted access by the object’s ACL.

2

No

Anonymous is explicitly granted access by the object’s ACL.

Anonymous User: Windows Server 2003 and Windows XP

Restrict Anonymous Setting EveryoneIncludesAnonymous Setting Can Enumerate Local SAM Accounts and Shares? Can Access Other Securable Objects If:

0

0

Yes

Anonymous is explicitly granted access by the object’s ACL.

0

1

Yes

Anonymous or Everyone is granted access by the object’s ACL.

1

0

No

Anonymous is explicitly granted access by the object’s ACL.

1

1

No

Anonymous or Everyone is granted access by the object’s ACL.

Effects of Anonymous User Settings Entered in a Domain Controller’s Registry

Ability of anonymous users to enumerate account information

There is no local SAM on a domain controller. Thus, RestrictAnonymous does not control the ability of anonymous users to enumerate account information. Instead, access to account information is controlled by ACLs on account objects in Active Directory.

Ability of anonymous users to enumerate shared resources

Anonymous users will not be able to enumerate shared resources or pipes if RestrictAnonymous is set to equal 1.

Ability of Anonymous Users to Access Active Directory Data on Windows 2000 Domain Controllers

Restrict Anonymous Setting Pre-Windows 2000 Compatible Access Security Group Membership Access to Any Active Directory Data

0 or 1

No

No

0 or 1

Yes

Yes, if Everyone is a member of this group.

2

No

No

2

Yes

No

2

Yes, Anonymous must be explicitly a member.

Yes

Ability of Anonymous Users to Access Active Directory Data on Windows Server 2003 Domain Controllers

EveryoneIncludesAnonymous Setting Pre-Windows 2000 Compatible Access Security Group Membership Access to Any Active Directory Data

0

No

No

0

Yes

Yes, if Anonymous is also a member of this group.

1

Yes

Yes, even if Anonymous is not a member of this group as long as Everyone is a member of this group.

Note

  • Both Everyone and Anonymous are members of Pre-Windows 2000 Compatible Access group by default in Windows Server 2003.

Access Tokens Group Policy Settings

The following table lists and describes the Group Policy settings that are associated with access tokens.

Group Policy Settings Associated with Access Tokens

Group Policy Setting Description

User Rights Assignment:

  • Create a token object

  • Replace a process level token

Changes to these settings control:

  • Calling APIs to create tokens.

  • Whether a process can replace a token.

Audit Policy:

  • Audit policy change

  • Audit privilege use

  • Audit process tracking

Changes to this setting will:

  • Generate audits when rights are assigned with one of the tools discussed earlier.

  • Enable audit privilege use. Will log when SeAssignPrimaryTokenPrivilege was used.

  • Create an audit for assigning a primary token that contains the two processes involved and the identity of the token assigned.

Security Options:

  • Network access: Let Everyone permissions apply to anonymous users

Changes to this setting will affect whether Everyone is in the token for anonymous users.

For more information about these Group Policy settings, see Account Policy Settings.

Access Tokens WMI Classes

The following table lists and describes the Windows Management Information (WMI) classes that are associated with access tokens. These WMI classes are shipped with Windows Server 2003.

WMI Classes Associated with Access Tokens

Class Name Namespace Version Compatibility

Win32_TokenGroups

\root\cimv2

Windows Server 2003

Windows XP

Win32_TokenPrivileges

\root\cimv2

Windows Server 2003

Windows XP

For more information about these WMI classes, see the WMI reference in the SDK documentation on MSDN.