Mohamed Saber

Windows Security Context


Last updated 1 month ago

What is Windows Security Context?

  • A security context is the collection of security-related attributes associated with an entity (e.g., a user, computer, process, or thread) that defines:

    • Identity: Who the entity is.

    • Permissions: What resources the entity can access.

    • Privileges: What special actions the entity can perform.

    • Integrity Level: The trustworthiness or privilege level of the entity.

The security context determines how the entity interacts with the operating system and its resources, ensuring that actions are performed within the boundaries of the entity's assigned permissions and privileges.

  • Put another way, the security context is the set of security-related attributes and metadata that the operating system associates with an entity (a user, process, or thread). This information determines how the entity interacts with the system and its resources, and is what makes access control, isolation, and accountability possible.

Components of a Security Context

The security context is composed of several key elements, each contributing to the overall security posture of the system:

a. Security Identifier (SID)

  • A Security Identifier (SID) is a unique alphanumeric identifier assigned to every user, group, or computer account in the system.

    • Example: S-1-5-21-3623811015-3361044348-30300820-1013.

  • SIDs are used to track identities across the system and are included in Access Control Lists (ACLs) to define who has access to resources.

b. Access Token

  • An access token is a data structure created by the operating system when a user logs in or a process starts.

  • It contains:

    1. User SID: The SID of the user or account.

    2. Group SIDs: SIDs of groups the user belongs to (e.g., Administrators, Users).

    3. Privileges: Special rights granted to the user or account (e.g., "Log on locally," "Shut down the system").

    4. Default Security Settings: Includes information like the integrity level (Low, Medium, High, System).

    5. Owner SID: The SID of the entity that owns the token.

    6. Primary vs. Impersonation Tokens: Primary tokens are used for processes, while impersonation tokens allow threads to temporarily adopt another identity.

c. Privileges

  • Privileges are specific rights granted to an account, enabling it to perform certain actions that are otherwise restricted.

  • Examples:

    • SeShutdownPrivilege (Shut down the system): allows a user to shut down or restart the computer.

    • SeBackupPrivilege (Back up files and directories): allows a process to read ANY file, even those it has no explicit permission for, in order to back up data.

    • SeDebugPrivilege (Debug programs): allows a process to attach a debugger to any process in the system, even those running as SYSTEM.

  • Privileges are part of the access token and are checked by the operating system when a privileged action is attempted.

d. Integrity Levels

  • Windows uses integrity levels (Mandatory Integrity Control, MIC) to enforce a form of Mandatory Access Control (MAC) on top of the discretionary ACL check.

  • Integrity levels determine the trustworthiness of a process or thread and restrict access to resources based on their integrity.

  • Common integrity levels:

    • Low: Used for untrusted processes (e.g., Internet Explorer running in Protected Mode).

    • Medium: Default for standard users.

    • High: Used for administrative tools and processes.

    • System: Highest level, used for critical system processes.

When and Why a Security Context is Created?

A security context is created whenever Windows needs to establish the identity and permissions for a user, process, or thread to interact with the system. This happens in a few key scenarios:

  • When a user logs into the system (e.g., you enter your password on the login screen).

  • When a process or thread starts (e.g., you open Notepad).

  • When a system service or network task runs on behalf of a user or computer account.

  • When a process impersonates (takes on the identity of) another user, for example a server acting on behalf of a client by adopting the security context of the user that initiated the request.

The goal is to ensure that every action is tied to a specific identity (a security principal) with defined permissions, so Windows can enforce security rules and track who’s doing what.

The security context in Windows is represented by the Access Token.

🔹 Why?

The Access Token contains all the information that defines the security context of a process, thread, or user, including:

  • ✅ Who the user is (Identity) → Security Identifier (SID)

  • ✅ What groups they belong to → Security Groups (e.g., Administrators, Users)

  • ✅ What they can do → Privileges (e.g., SeShutdownPrivilege, SeBackupPrivilege)

  • ✅ What permissions they have → Based on the ACL (Access Control List) of each resource

Whenever a process tries to access a resource, Windows checks the Access Token to determine if the operation is allowed or denied.

🔹 Security Context Example in Action

Example: JohnDoe running CMD

1️⃣ JohnDoe logs into Windows.

  • His security context is created.

  • An Access Token is assigned.

2️⃣ JohnDoe opens CMD.

  • The CMD process inherits his security context.

3️⃣ JohnDoe tries to delete a system file (C:\Windows\System32\config\SAM).

  • Windows checks the ACL of the file.

  • ACL does not allow "Users" to delete it.

  • Access Denied ❌

4️⃣ JohnDoe runs CMD as Administrator.

  • A new elevated security context is created.

  • Now the process has the Administrator security context.

  • Deletion is allowed ✅.
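To see the token components listed above and the ACL check from the JohnDoe example on a real system, here is an added PowerShell script (not part of the original page) that dumps the security context of the current PowerShell process: its user SID, group SIDs, integrity level, privileges, elevation state, and the DACL of the SAM file. It assumes only built-in Windows tools (.NET WindowsIdentity, whoami, Get-Acl); run it once from a normal prompt and once from an elevated one to compare the two tokens.

```powershell
# Added example: inspect the access token (security context) of this process.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Identity: the user SID in the token and the account it resolves to
"User SID : {0}" -f $identity.User.Value
"Account  : {0}" -f $identity.Name

# Group SIDs carried in the token, translated to names where possible
"`nGroup SIDs in the token:"
foreach ($sid in $identity.Groups) {
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '(unresolvable)' }
    "  {0,-48} {1}" -f $sid.Value, $name
}

# The integrity level is stored in the token as a mandatory label SID:
# S-1-16-4096 Low, S-1-16-8192 Medium, S-1-16-12288 High, S-1-16-16384 System.
# whoami /groups shows it as e.g. "Mandatory Label\Medium Mandatory Level".
"`nIntegrity level:"
whoami /groups | Select-String 'Mandatory Level'

# Privileges: listed in the token, but many stay Disabled until a process enables them
"`nPrivileges in the token:"
whoami /priv

# Elevation check: in a UAC-filtered (non-elevated) token the Administrators SID is
# marked deny-only, so IsInRole(Administrator) returns False until you "Run as Administrator".
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
"`nAdministrators group enabled in token: {0}" -f $isAdmin

# The resource side of the check from the JohnDoe example: the DACL of the SAM file.
# Reading a DACL needs READ_CONTROL on the object, so from a non-elevated prompt this
# call itself can fail with Access Denied, which is the same decision Windows made for
# JohnDoe in step 3.
"`nDACL of C:\Windows\System32\config\SAM:"
try {
    (Get-Acl 'C:\Windows\System32\config\SAM').Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}
catch {
    "  Could not read the DACL from this token: $($_.Exception.Message)"
}
```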
