Security model using restricted tokens
Abstract
A restricted access token is created from an existing token, and provides less access than that token. A restricted token may be created by changing an attribute of one or more security identifiers allowing access in the parent token to a setting that denies access in the restricted token and/or removing one or more privileges from the restricted token relative to the parent token. A restricted access token also may be created by adding restricted security identifiers thereto. Once created, a process associates another process with the restricted token to launch the other process in a restricted context that is a subset of its own rights and privileges. A kernel-mode security mechanism determines whether the restricted process has access to a resource by first comparing user-based security identifiers in the restricted token and the intended type of action against a list of identifiers and actions associated with the resource. If no restricted security identifiers are in the restricted token, access is determined by this first check; otherwise a second access check further compares the restricted security identifiers against the list of identifiers and actions associated with the resource. With a token having restricted security identifiers, the process is granted access if both the first and second access checks pass. In this manner, a process is capable of restricting another process, such as possibly unruly code, in the actions it can perform.
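The two-stage access check described in the abstract, as an added worked example that is not part of the patent text. It is a simplified model (not the Windows kernel's actual ACE-ordering rules): the `Sid`, `Token`, `Ace` types, the `READ`/`WRITE` bits and the sample SID names are constructed for illustration.

```python
from dataclasses import dataclass, field
READ, WRITE = 0x1, 0x2  # constructed access-right bits

@dataclass
class Sid:
    name: str
    deny_only: bool = False  # "deny-only" attribute a restricted token can set on a SID

@dataclass
class Token:
    sids: list  # user and group SIDs
    privileges: set
    restricted_sids: list = field(default_factory=list)

@dataclass
class Ace:  # one access control entry: allow/deny, SID, access mask
    allow: bool
    sid: str
    mask: int

def create_restricted_token(parent, disable=(), remove_privs=(), restrict=()):
    """Derive a token with no more rights than its parent (deny-only SIDs, dropped privileges, restricting SIDs)."""
    sids = [Sid(s.name, s.deny_only or s.name in disable) for s in parent.sids]
    return Token(sids, parent.privileges - set(remove_privs), [Sid(r) for r in restrict])

def _check(sids, acl, wanted):
    """Simplified ACL walk: a matching deny ACE on a wanted bit denies outright;
    allow ACEs accumulate, but deny-only SIDs never contribute to allows."""
    granted = 0
    for ace in acl:
        for s in sids:
            if s.name != ace.sid:
                continue
            if not ace.allow and ace.mask & wanted:
                return False
            if ace.allow and not s.deny_only:
                granted |= ace.mask
    return granted & wanted == wanted

def access_check(token, acl, wanted):
    """First check over user/group SIDs; with restricting SIDs present, a second check over those must also pass."""
    if not _check(token.sids, acl, wanted):
        return False
    return _check(token.restricted_sids, acl, wanted) if token.restricted_sids else True

# Constructed sample (not from the patent): a parent token, a resource ACL, a restricted token.
PARENT = Token([Sid("alice"), Sid("users")], {"SeDebugPrivilege"})
ACL = [Ace(True, "alice", READ | WRITE), Ace(True, "users", READ)]
RESTRICTED = create_restricted_token(PARENT, remove_privs=["SeDebugPrivilege"], restrict=["RestrictedCode"])
```

With `ACL` as built above, `RESTRICTED` is denied even `READ` because no entry names its restricting SID; adding an allow entry for `RestrictedCode` grants `READ` but still not `WRITE`.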
338 Citations
38 Claims
- 1. In a computer system including a first process having access to a resource, a method of granting or denying access of a second process to the resource, comprising, creating a restricted access token from a parent token associated with a first process, the restricted access token having privilege and security identifier access rights therein that comprise reduced access rights relative to the parent token, associating the restricted access token with the second process, requesting that the second process be given access to the resource, providing a security descriptor associated with the resource to a security mechanism, providing the restricted token to the security mechanism, performing an access evaluation at the security mechanism by comparing information in the restricted token with information in the security descriptor, and determining whether to grant or deny access based on the result of the access evaluation.
- 15. In a computer system, a method of granting a process access to a resource, comprising, creating an access token and associating the token with the process requesting the access, the access token including user and group security identifiers and at least one restricted identifier corresponding to a process or resource, assigning an access control list to a resource, the access control list containing entries of identifiers having access to the resource, performing a first comparison of the user and group identifiers in the token with the entries in the access control list, and if the first comparison indicates that access is allowable, performing a second comparison of the at least one restricted identifier with the entries in the access control list, and granting access if the second comparison indicates that access is allowable.
- 19. In a computer system, a system for providing access control, comprising, a process, a token associated with the process, the token including a list comprising at least one restricted security identifier therein, a resource, an access list associated with the resource comprising security identifier entries therein, and a security mechanism for performing an access evaluation by comparing the at least one identifier in the token list with the identifiers in the access list for granting or denying the process access to the resource based on a result of the access evaluation.
- 25. A computer-readable medium having stored thereon a data structure associated with a process, comprising:
  a first data field including data representing user and group identifiers; and
  a second data field including data representing at least one other identifier;
  wherein the process is granted access to a resource if at least one identifier in the first data field and at least one identifier in the second data field each allowably match an entry in a list of identifier entries associated with the resource.
- 26. In a computer system, a method of determining access to system resources for a plurality of processes organized into a job, comprising, creating a restricted access token from a parent token, the restricted access token having privilege and security identifier access rights therein that comprise a reduced subset of privilege and security identifier access rights in the parent token, associating the restricted access token with the processes in the job, and for each process in the job, requesting access to a system resource, providing a security descriptor associated with that resource to a security mechanism, providing the restricted token to the security mechanism, performing an access evaluation at the security mechanism by comparing information in the restricted token with information in the security descriptor, and determining whether to grant or deny access for each process based on the result of the access evaluation.
- 28. In a computer network including a client machine and a server machine, a method of determining access to a server resource of a server process run for a client on the server machine, comprising, passing authentication information and restriction information from the client to the server, authenticating the client at the server based on the authentication information passed thereto, creating a restricted token on the server based on the restriction information passed thereto, the restricted token providing reduced access relative to a parent access token, associating the restricted token with the server process, requesting to access the server resource by the server process, and comparing the restricted token and a security descriptor of the resource to determine whether to grant or deny the process access to the resource.
- 32. A computer-implemented method, comprising:
  deriving a restricted access token from a parent access token, the restricted access token having reduced access relative to the parent access token;
  associating the restricted access token with a process capable of requesting access to a set of resources; and
  providing the restricted access token to a security mechanism upon a request to access a resource of the set by the process, the security mechanism determining access to the resource based on the restricted access token and security information associated with the resource.
  (Dependent claims: 33, 34, 35, 36, 37, 38)
Specification