Windows Security Access Token (SAT)

What is a Windows SAT?

Introduction to Windows tokens for security practitioners

SAT Process
  • An access token is an object that describes the security context of a process or thread. The information in a token includes the identity and privileges of the user account associated with the process or thread.

  • When a user logs on, the system verifies the user's password by comparing it with information stored in a security database. If the password is authenticated, the system produces an access token. Every process executed on behalf of this user has a copy of this access token.

  • The system uses an access token to identify the user when a thread interacts with a securable object or tries to perform a system task that requires privileges. Access tokens contain the following information:

    • The security identifier (SID) for the user's account

    • SIDs for the groups of which the user is a member

    • A logon SID that identifies the current logon session

    • A list of the privileges held by either the user or the user's groups

    • An owner SID

    • The SID for the primary group

    • The default DACL that the system uses when the user creates a securable object without specifying a security descriptor

    • The source of the access token

    • Whether the token is a primary or impersonation token

    • An optional list of restricting SIDs

    • Current impersonation levels

    • Other statistics

  • Every process has a primary token that describes the security context of the user account associated with the process. By default, the system uses the primary token when a thread of the process interacts with a securable object. Moreover, a thread can impersonate a client account. Impersonation allows the thread to interact with securable objects using the client's security context. A thread that is impersonating a client has both a primary token and an impersonation token.
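The fields listed above can be read back from a live token. The following PowerShell script is an added example, not code from the original page: it enumerates the current process's primary token through .NET's WindowsIdentity class and lists privileges with whoami, mapping each result onto the token fields described above. The function name Get-TokenSummary is our own; it assumes Windows PowerShell 5.1 or PowerShell 7 running on Windows.

```powershell
# Added example (not from the original page): read the current process's
# primary token and map what .NET and whoami expose onto the token fields
# listed in the text. Windows only.

function Get-TokenSummary {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # The logon SID travels in the token's group list and has the form
    # S-1-5-5-X-Y; it identifies the logon session rather than an account.
    $logonSid = ($id.Groups | Where-Object { $_.Value -like 'S-1-5-5-*' } |
                 Select-Object -First 1).Value

    # Group SIDs, translated to account names where a name exists; SIDs with
    # no account (the logon SID, for instance) are kept as raw SIDs.
    $groups = foreach ($g in $id.Groups) {
        try { $g.Translate([System.Security.Principal.NTAccount]).Value } catch { $g.Value }
    }

    # WindowsIdentity does not expose privileges; whoami /priv does, including
    # whether each one is currently Enabled or Disabled.
    $privs = whoami /priv /fo csv | ConvertFrom-Csv |
        Select-Object -Property 'Privilege Name', State

    [pscustomobject]@{
        User               = $id.Name
        UserSid            = $id.User.Value
        OwnerSid           = $id.Owner.Value
        LogonSid           = $logonSid
        AuthenticationType = $id.AuthenticationType
        # .NET reports TokenImpersonationLevel.None for a primary token;
        # any other value means the calling thread is impersonating.
        ImpersonationLevel = $id.ImpersonationLevel
        IsSystem           = $id.IsSystem
        Groups             = $groups
        Privileges         = $privs
    }
}

$summary = Get-TokenSummary
$summary | Format-List User, UserSid, OwnerSid, LogonSid, AuthenticationType, ImpersonationLevel, IsSystem
$summary.Groups
$summary.Privileges | Format-Table -AutoSize
```

Run it twice, once in a normal console and once in one started with "Run as administrator", and compare the Groups and Privileges output: the user SID stays the same, but the administrative session carries additional group SIDs and more privileges in the Enabled state. The primary group SID and the default DACL are not surfaced by WindowsIdentity; they require the Win32 GetTokenInformation API.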

| Aspect | Primary Token | Impersonation Token |
|---|---|---|
| Purpose | Describes the security context of a process. | Allows a thread to impersonate another user’s security context. |
| Who Uses It | The process uses the primary token for its interactions with securable objects. | The thread uses the impersonation token when it needs to perform actions on behalf of another user or client. |
| Created By | Created automatically when a process is started. | Created via the ImpersonateSelf() or SetThreadToken() APIs, typically by a process to impersonate another user. |
| Associated With | The process itself and its default security context. | A thread within a process. A thread can have an impersonation token and a primary token at the same time. |
| Security Context | Represents the identity of the user who created the process, and their group memberships and privileges. | Represents the identity of a client user (usually the user making a request), enabling the thread to perform actions on behalf of that client. |
| Token Type | Only one primary token per process. | A thread can have multiple impersonation tokens, one for each user it impersonates during different actions. |
| Usage in Access Control | Used by a thread to access securable objects based on the process’s user identity and privileges. | Used by a thread to access securable objects as if it were the impersonated user, applying that user’s permissions instead of the process’s. |
| Lifespan | Lasts for the lifetime of the process. | Active only for the duration of the impersonation action, after which the thread returns to using the primary token. |
| Default | The default token used when a thread interacts with an object. | Only used if a thread is explicitly impersonating another user. |
| Permissions/Privileges | Grants permissions based on the user that the process is running under. | Grants permissions based on the client’s user identity, overriding the process’s identity temporarily. |
| Example Use Case | A process running as a service (e.g., services.exe) uses its primary token to access system resources. | A web server impersonating a client user to read a file from a shared directory on the server. |
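The lifespan and default rows of the table can be observed directly. The PowerShell script below is an added example, not code from the original page: it calls the Win32 token APIs through P/Invoke to show that the process always holds a primary token, that a thread has no token of its own until it impersonates (OpenThreadToken fails with ERROR_NO_TOKEN), and that ImpersonateSelf followed by RevertToSelf gives the thread an impersonation token and then takes it away again. The Demo.Token class and the function names are our own; the constants are the documented Win32 values. It assumes a single-threaded PowerShell session on Windows.

```powershell
# Added example (not from the original page): watch a thread gain and drop an
# impersonation token while the process keeps its primary token. Windows only;
# must run on one thread, as impersonation is a per-thread state.

Add-Type -Namespace Demo -Name Token -MemberDefinition @'
[DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll")] public static extern IntPtr GetCurrentThread();
[DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenThreadToken(IntPtr thread, uint access, bool openAsSelf, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass, out int info, int len, out int retLen);
[DllImport("advapi32.dll", SetLastError = true)] public static extern bool ImpersonateSelf(int level);
[DllImport("advapi32.dll", SetLastError = true)] public static extern bool RevertToSelf();
'@

$TOKEN_QUERY    = 0x0008   # access right needed to query token attributes
$ERROR_NO_TOKEN = 1008     # OpenThreadToken: the thread is not impersonating
$TokenTypeClass = 8        # TOKEN_INFORMATION_CLASS::TokenType
$ImpLevelClass  = 9        # TOKEN_INFORMATION_CLASS::TokenImpersonationLevel
$TokenTypeName  = @{ 1 = 'TokenPrimary'; 2 = 'TokenImpersonation' }
$ImpLevelName   = @{ 0 = 'SecurityAnonymous'; 1 = 'SecurityIdentification'
                     2 = 'SecurityImpersonation'; 3 = 'SecurityDelegation' }

function Read-TokenClass([IntPtr]$Token, [int]$Class) {
    # TokenType and TokenImpersonationLevel are both 4-byte enum values.
    $value = 0; $len = 0
    if (-not [Demo.Token]::GetTokenInformation($Token, $Class, [ref]$value, 4, [ref]$len)) {
        throw "GetTokenInformation($Class) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $value
}

function Get-ProcessTokenType {
    $h = [IntPtr]::Zero
    if (-not [Demo.Token]::OpenProcessToken([Demo.Token]::GetCurrentProcess(), $TOKEN_QUERY, [ref]$h)) {
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try { $TokenTypeName[(Read-TokenClass $h $TokenTypeClass)] }
    finally { [void][Demo.Token]::CloseHandle($h) }
}

function Get-ThreadTokenState {
    # A thread that is not impersonating has no token of its own; the
    # process's primary token applies and OpenThreadToken reports ERROR_NO_TOKEN.
    $h = [IntPtr]::Zero
    if (-not [Demo.Token]::OpenThreadToken([Demo.Token]::GetCurrentThread(), $TOKEN_QUERY, $true, [ref]$h)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($err -eq $ERROR_NO_TOKEN) { return 'no impersonation token; primary token in use' }
        throw "OpenThreadToken failed: $err"
    }
    try {
        $type  = $TokenTypeName[(Read-TokenClass $h $TokenTypeClass)]
        $level = $ImpLevelName[(Read-TokenClass $h $ImpLevelClass)]
        "$type at level $level"
    } finally { [void][Demo.Token]::CloseHandle($h) }
}

"Process token : $(Get-ProcessTokenType)"
"Thread before : $(Get-ThreadTokenState)"
# ImpersonateSelf gives the calling thread an impersonation copy of its own
# primary token at the requested level (2 = SecurityImpersonation).
if (-not [Demo.Token]::ImpersonateSelf(2)) { throw 'ImpersonateSelf failed' }
try     { "Thread during : $(Get-ThreadTokenState)" }
finally { [void][Demo.Token]::RevertToSelf() }   # always drop the thread token
"Thread after  : $(Get-ThreadTokenState)"
```

The process token reports TokenPrimary throughout, while the thread shows no token before and after the impersonation window and a TokenImpersonation token at level SecurityImpersonation inside it; this is the "Lifespan" and "Default" behaviour in the table. RevertToSelf sits in a finally block because a thread that keeps an impersonation token past the operation it was acquired for continues to be access-checked as that client, which is the kind of state a reviewer should look for in service code that impersonates callers.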