Addendum

Restricted Tokens in Windows

Restricted tokens are a Windows feature for limiting the privileges and access rights of a process. They are used to enforce least privilege, in particular when running untrusted or less-trusted code (sandboxing). A restricted token is derived from an existing access token in three ways that can be combined: group SIDs are disabled (they stay in the token but are marked deny-only, so they can still match access-denied ACEs but never grant access), privileges are deleted, and a list of restricting SIDs is added. When restricting SIDs are present, every access check is performed twice, once against the token's normal user and group SIDs and once against the restricting SIDs, and access is granted only if both checks pass.

Key Concepts:

Use Cases:

Working with Restricted Tokens

In the Windows API, CreateRestrictedToken() creates a restricted token from an existing one, typically the caller's own primary token obtained with OpenProcessToken(). SidsToDisable lists the groups to mark deny-only, PrivilegesToDelete the privileges to drop, and SidsToRestrict the restricting SIDs; Flags accepts DISABLE_MAX_SID, SANDBOX_INERT, LUA_TOKEN and WRITE_RESTRICTED (with WRITE_RESTRICTED the restricting SIDs are consulted only for write access). Two practical points: a process started from the new token with CreateProcessAsUser() must still be granted access by the restricting list to everything it touches at startup (its executable, the window station and the desktop), so an overly tight SidsToRestrict list makes process creation fail rather than merely confining the process; and IsTokenRestricted() returns TRUE only for a token that carries restricting SIDs, so a token whose groups have merely been disabled and whose privileges have been deleted is not "restricted" in that API's sense.

BOOL CreateRestrictedToken(
  HANDLE                 ExistingTokenHandle,
  DWORD                  Flags,
  DWORD                  DisableSidCount,
  PSID_AND_ATTRIBUTES    SidsToDisable,
  DWORD                  DeletePrivilegeCount,
  PLUID_AND_ATTRIBUTES   PrivilegesToDelete,
  DWORD                  RestrictedSidCount,
  PSID_AND_ATTRIBUTES    SidsToRestrict,
  PHANDLE                NewTokenHandle
);

_TOKEN (excerpt)

The restricting SIDs are stored as a separate list in the kernel _TOKEN structure; groups disabled with SidsToDisable stay in the ordinary UserAndGroups list and only their attributes change:

struct _TOKEN {
    ...
    struct _SID_AND_ATTRIBUTES* RestrictedSids; // Restricting SIDs (SidsToRestrict), checked in a second pass
    ULONG RestrictedSidCount;                  // Number of entries; non-zero marks the token as restricted
    ...
};

_SID_AND_ATTRIBUTES

struct _SID_AND_ATTRIBUTES {
    PSID Sid;             // Pointer to SID
    DWORD Attributes;     // Attributes of the SID (e.g., SE_GROUP_ENABLED, SE_GROUP_USE_FOR_DENY_ONLY)
};
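To make the two lists concrete, the following is an added model of the access check a restricted token is subjected to; it is example code written for this page, not Windows source and not the page author's code. The attribute and access-mask constants carry their winnt.h values, the SIDs and DACLs are constructed for the scenario (the user SID is made up), and the restricting set {RESTRICTED} is an assumption chosen to keep the example small. It shows the three behaviours the text describes: an enabled group grants, a deny-only group (the state of BUILTIN\Users and BUILTIN\Administrators after SidsToDisable) can only deny, and a restricting-SID list must independently grant.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SID attribute bits, same values as SE_GROUP_* in winnt.h. A group passed in
 * SidsToDisable keeps its place in the token but ends up USE_FOR_DENY_ONLY. */
#define SE_GROUP_ENABLED           0x00000004u
#define SE_GROUP_USE_FOR_DENY_ONLY 0x00000010u

/* Two file access rights (winnt.h values) are enough for the demo. */
#define FILE_READ_DATA  0x0001u
#define FILE_WRITE_DATA 0x0002u

/* Constructed SIDs for the scenario; the user SID is made up. */
#define SID_USER       "S-1-5-21-1-2-3-1001"
#define SID_EVERYONE   "S-1-1-0"
#define SID_USERS      "S-1-5-32-545"   /* BUILTIN\Users */
#define SID_ADMINS     "S-1-5-32-544"   /* BUILTIN\Administrators */
#define SID_RESTRICTED "S-1-5-12"       /* NT AUTHORITY\RESTRICTED */

typedef struct { const char *sid; uint32_t attributes; } sid_and_attributes;

/* The two _TOKEN lists that matter for an access check. */
typedef struct {
    sid_and_attributes groups[8];     size_t group_count;
    sid_and_attributes restricted[8]; size_t restricted_count;
} token;

typedef enum { ACE_ALLOW, ACE_DENY } ace_type;
typedef struct { ace_type type; const char *sid; uint32_t mask; } ace;
typedef struct { ace aces[8]; size_t count; } acl;

static const sid_and_attributes *find_sid(const sid_and_attributes *list, size_t n, const char *sid)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i].sid, sid) == 0) return &list[i];
    return NULL;
}

/* One pass over the DACL against one SID list. ACEs are visited in order: a
 * DENY ACE matches an enabled or deny-only SID and denies if it overlaps the
 * rights still outstanding; an ALLOW ACE counts only for an enabled SID.
 * Access is granted once every requested right has been allowed. */
static bool check_against_list(const sid_and_attributes *list, size_t n,
                               const acl *dacl, uint32_t desired)
{
    uint32_t remaining = desired;
    for (size_t i = 0; i < dacl->count && remaining != 0; i++) {
        const ace *e = &dacl->aces[i];
        const sid_and_attributes *s = find_sid(list, n, e->sid);
        if (s == NULL) continue;
        bool present = (s->attributes & (SE_GROUP_ENABLED | SE_GROUP_USE_FOR_DENY_ONLY)) != 0;
        bool enabled = (s->attributes & SE_GROUP_ENABLED) && !(s->attributes & SE_GROUP_USE_FOR_DENY_ONLY);
        if (e->type == ACE_DENY && present && (e->mask & remaining)) return false;
        if (e->type == ACE_ALLOW && enabled) remaining &= ~e->mask;
    }
    return remaining == 0;
}

/* Restricted-token semantics: the normal list must grant and, if the token
 * carries restricting SIDs, that list must grant as well. */
bool access_check(const token *t, const acl *dacl, uint32_t desired)
{
    if (!check_against_list(t->groups, t->group_count, dacl, desired)) return false;
    if (t->restricted_count == 0) return true;   /* no restricting SIDs: one pass only */
    return check_against_list(t->restricted, t->restricted_count, dacl, desired);
}

static void add_group(token *t, const char *sid, uint32_t attributes)
{
    t->groups[t->group_count++] = (sid_and_attributes){ sid, attributes };
}

/* The caller's unrestricted token. */
token sample_full_token(void)
{
    token t = { 0 };
    add_group(&t, SID_USER, SE_GROUP_ENABLED);
    add_group(&t, SID_EVERYONE, SE_GROUP_ENABLED);
    add_group(&t, SID_USERS, SE_GROUP_ENABLED);
    add_group(&t, SID_ADMINS, SE_GROUP_ENABLED);
    return t;
}

/* SidsToDisable = { Users, Administrators }: both stay, but as deny-only. */
token sample_deny_only_token(void)
{
    token t = sample_full_token();
    for (size_t i = 0; i < t.group_count; i++)
        if (!strcmp(t.groups[i].sid, SID_USERS) || !strcmp(t.groups[i].sid, SID_ADMINS))
            t.groups[i].attributes = SE_GROUP_USE_FOR_DENY_ONLY;
    return t;
}

/* SidsToRestrict = { RESTRICTED } (assumed set): groups untouched, second list added. */
token sample_restricted_token(void)
{
    token t = sample_full_token();
    t.restricted[t.restricted_count++] = (sid_and_attributes){ SID_RESTRICTED, SE_GROUP_ENABLED };
    return t;
}

/* Constructed DACL: Users may read and write, RESTRICTED may only read. */
acl sample_dacl_users_rw(void)
{
    acl a = { 0 };
    a.aces[a.count++] = (ace){ ACE_ALLOW, SID_USERS, FILE_READ_DATA | FILE_WRITE_DATA };
    a.aces[a.count++] = (ace){ ACE_ALLOW, SID_RESTRICTED, FILE_READ_DATA };
    return a;
}

/* Constructed DACL: Users explicitly denied write, Everyone may read and write. */
acl sample_dacl_deny_users_write(void)
{
    acl a = { 0 };
    a.aces[a.count++] = (ace){ ACE_DENY, SID_USERS, FILE_WRITE_DATA };
    a.aces[a.count++] = (ace){ ACE_ALLOW, SID_EVERYONE, FILE_READ_DATA | FILE_WRITE_DATA };
    return a;
}

/* Build a token and a DACL from the sample constructors and run the check. */
bool check(token (*make_token)(void), acl (*make_dacl)(void), uint32_t desired)
{
    token t = make_token();
    acl a = make_dacl();
    return access_check(&t, &a, desired);
}

int main(void)
{
    printf("deny-only token reading a Users-RW file:      %d\n", check(sample_deny_only_token, sample_dacl_users_rw, FILE_READ_DATA));
    printf("deny-only token writing a deny-Users file:    %d\n", check(sample_deny_only_token, sample_dacl_deny_users_write, FILE_WRITE_DATA));
    printf("restricted token reading a Users-RW file:     %d\n", check(sample_restricted_token, sample_dacl_users_rw, FILE_READ_DATA));
    printf("restricted token writing a Users-RW file:     %d\n", check(sample_restricted_token, sample_dacl_users_rw, FILE_WRITE_DATA));
    return 0;
}
```

The deny-only token gets nothing from the Users-RW DACL even though it still lists Users and Administrators, and it is still blocked by the deny ACE, which is the reason disabled groups are kept in the token rather than removed. The restricted token passes the first pass through its enabled Users group but is held to what the RESTRICTED ACE grants in the second pass, so it can read but not write.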

Example

To inspect a token in WinDbg (kernel debugging), dump it with:

!token <address>

Two parts of the output matter for a restricted token. Groups that were passed in SidsToDisable are still listed among the token's groups, but with the DenyOnly attribute; a token created with BUILTIN\Users and BUILTIN\Administrators disabled shows them as:

  S-1-5-32-545 Attributes - DenyOnly
  S-1-5-32-544 Attributes - DenyOnly

Such a SID can still match an access-denied ACE but never grants access. The restricting SIDs passed in SidsToRestrict are reported separately, from the token's RestrictedSids list and RestrictedSidCount; only a token with a non-zero RestrictedSidCount is subject to the second access-check pass. A token that shows deny-only groups but no restricting SIDs has been filtered, not restricted in that sense.

Summary

Restricted tokens are a powerful feature for enhancing security by reducing the capabilities of a process at runtime. They are essential for building secure applications that isolate untrusted code or enforce least privilege.