Access Tokens

An access token is an object that describes the security context of a process or thread. The information in a token includes the identity and privileges of the user account associated with the process or thread. When a user logs on, the system verifies the user's password by comparing it with information stored in a security database. If the password is authenticated, the system produces an access token. Every process executed on behalf of this user has a copy of this access token.

The system uses an access token to identify the user when a thread interacts with a securable object or tries to perform a system task that requires privileges. Access tokens contain the following information:

  • The security identifier (SID) for the user's account
  • SIDs for the groups of which the user is a member
  • A logon SID that identifies the current logon session
  • A list of the privileges held by either the user or the user's groups
  • An owner SID
  • The SID for the primary group
  • The default DACL that the system uses when the user creates a securable object without specifying a security descriptor
  • The source of the access token
  • Whether the token is a primary or impersonation token
  • An optional list of restricting SIDs
  • Current impersonation levels
  • Other statistics
Every process has a primary token that describes the security context of the user account associated with the process. By default, the system uses the primary token when a thread of the process interacts with a securable object. Moreover, a thread can impersonate a client account. Impersonation allows the thread to interact with securable objects using the client's security context. A thread that is impersonating a client has both a primary token and an impersonation token.
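To make the list above concrete, here is an added example (not from the page or from Microsoft's documentation) that prints the fields of the caller's own access token on Windows PowerShell 5.1 or PowerShell 7, using the .NET WindowsIdentity wrapper over the Win32 token APIs and whoami.exe for the privilege list. Nothing in it is page-specific; the only assumption is that it runs on a Windows host.

```powershell
# Added example: dump the token fields named in the text (user SID, group SIDs,
# logon SID, privileges, owner SID, impersonation level) for the caller's token.
# WindowsIdentity.GetCurrent() returns the thread's impersonation token if the
# thread is impersonating, otherwise the process's primary token.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

"User SID            : $($id.User.Value)  ($($id.Name))"
"Owner SID           : $($id.Owner.Value)"
"Impersonation level : $($id.ImpersonationLevel)"   # None means this is a primary token
"Token handle        : $($id.Token)"

# The logon SID is the S-1-5-5-X-Y entry in the group list; it identifies the logon session.
$logonSid = $id.Groups | Where-Object { $_.Value -like 'S-1-5-5-*' } | Select-Object -First 1
"Logon SID           : $($logonSid.Value)"

"Group SIDs:"
foreach ($g in $id.Groups) {
    try   { $name = $g.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '<no name>' }
    "  {0,-48} {1}" -f $g.Value, $name
}

# Privileges held by the user or the user's groups; whoami.exe reads the same token.
"Privileges:"
whoami.exe /priv /fo csv | ConvertFrom-Csv |
    ForEach-Object { "  {0,-36} {1}" -f $_.'Privilege Name', $_.State }

# A membership check the way an access check sees it: is BUILTIN\Administrators
# (S-1-5-32-544) enabled in this token? Under UAC the filtered token carries that
# SID as deny-only, so IsInRole reports False until the process is elevated.
$principal = New-Object System.Security.Principal.WindowsPrincipal($id)
"Administrators enabled: " + $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
```

Run it once from a normal prompt and once from an elevated prompt to see the same user account produce two tokens that differ in group state and privilege list; that difference is what makes the token, not the account, the unit of authorization.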
security context

The security attributes or rules that are currently in effect. For example, the current user logged on to the computer or the personal identification number entered by the smart card user. For SSPI, a security context is an opaque data structure that contains security data relevant to a connection, such as a session key or an indication of the duration of the session.

security descriptor

A structure and associated data that contains the security information for a securable object. A security descriptor identifies the object's owner and primary group. It can also contain a DACL that controls access to the object, and a SACL that controls the logging of attempts to access the object.

See also absolute security descriptor, discretionary access control list, self-relative security descriptor, system access control list.
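The four parts of a security descriptor (owner, primary group, DACL, SACL) can be read from any file with Get-Acl. The following added example (not from the page) creates a scratch file under the hypothetical path $env:TEMP\sd-demo.txt, prints each part, and checks that the new object's owner is the owner SID carried in the creating token. Reading the SACL requires SeSecurityPrivilege, so the Audit list is only populated from an elevated prompt.

```powershell
# Added example: relate a file's security descriptor to the creator's token.
$path = Join-Path $env:TEMP 'sd-demo.txt'   # constructed path for this example
Set-Content -Path $path -Value 'demo'

$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# -Audit asks for the SACL as well; without SeSecurityPrivilege that call fails,
# so fall back to owner/group/DACL only.
try   { $acl = Get-Acl -Path $path -Audit }
catch { $acl = Get-Acl -Path $path; 'SACL not readable: SeSecurityPrivilege is not held' }

"Owner : $($acl.Owner)"      # account form of the owner SID
"Group : $($acl.Group)"      # primary group
"SDDL  : $($acl.Sddl)"       # O: owner, G: group, D: DACL, S: SACL

"DACL (controls access):"
foreach ($ace in $acl.Access) {
    "  {0,-6} {1,-32} {2}" -f $ace.AccessControlType, $ace.IdentityReference, $ace.FileSystemRights
}
"SACL (controls auditing):"
foreach ($ace in $acl.Audit) {
    "  {0,-8} {1,-32} {2}" -f $ace.AuditFlags, $ace.IdentityReference, $ace.FileSystemRights
}

# The owner of a newly created object is taken from the creating token's owner SID.
$ownerSid = (New-Object System.Security.Principal.NTAccount($acl.Owner)).Translate([System.Security.Principal.SecurityIdentifier])
"Owner matches token owner SID: $($ownerSid -eq $id.Owner)"

Remove-Item -Path $path
```

Note that the DACL shown here is inherited from the parent directory; the token's default DACL, listed among the token fields above, is applied only when a new object receives no inheritable ACEs and the caller supplies no security descriptor.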

security identifier (SID)

A data structure of variable length that identifies user, group, and computer accounts. Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account's SID rather than the account's user or group name.
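"Variable length" follows directly from the SID's binary layout: a 1-byte revision, a 1-byte sub-authority count, a 6-byte big-endian identifier authority, and then one 4-byte little-endian sub-authority per count, so a SID occupies 8 + 4n bytes. The added example below (not from the page) takes two SIDs apart at the byte level and rebuilds the S-1-... string; the well-known BUILTIN\Administrators SID is real, while the domain user SID is a constructed sample.

```powershell
# Added example: decode the binary form of a SID by hand and round-trip it.
function ConvertFrom-SidBytes([byte[]]$b) {
    $revision  = $b[0]
    $count     = $b[1]                       # number of 4-byte sub-authorities that follow
    $authority = [long]0
    for ($i = 2; $i -le 7; $i++) {           # 6-byte identifier authority, big-endian
        $authority = ($authority -shl 8) -bor $b[$i]
    }
    $parts = @("S-$revision-$authority")
    for ($i = 0; $i -lt $count; $i++) {      # sub-authorities, little-endian UInt32 each
        $parts += [BitConverter]::ToUInt32($b, 8 + 4 * $i)
    }
    return ($parts -join '-')
}

$samples = @(
    'S-1-5-32-544',                                    # BUILTIN\Administrators: 2 sub-authorities, 16 bytes
    'S-1-5-21-1111111111-2222222222-3333333333-1001'   # constructed domain user SID: 5 sub-authorities, 28 bytes
)
foreach ($s in $samples) {
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($s)
    $bytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)
    $rebuilt = ConvertFrom-SidBytes $bytes
    "{0,-50} {1,2} bytes  round-trip ok: {2}" -f $s, $sid.BinaryLength, ($rebuilt -eq $s)
}
```

The last sub-authority of a domain SID is the relative identifier (RID); the 21-prefixed sub-authorities before it identify the domain, which is why the same account name in two domains yields two unrelated SIDs and why Windows compares SIDs, not names, during access checks.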

Original source: https://www.cnblogs.com/debug-me/p/6892201.html