Tuesday, August 28, 2012

Windows Security User Access Tokens and an Access Token Viewer

In Microsoft Windows Server based environments, the security access token that Windows builds for a user at logon is the link between authentication and resource authorization: it records who the user is and which groups and privileges the user holds, and every subsequent access check is evaluated against it.



In particular, in the Microsoft security model, two elements come into play during an access authorization check when a user attempts to access a secured resource, such as a file, folder or Active Directory object: the ACL of the secured resource (more precisely, its discretionary ACL, or DACL) and the access token of the user requesting access to the resource.

The DACL on the resource is an ordered list of access control entries (ACEs), each of which grants or denies specific access rights to a single security principal, identified by its Security Identifier (SID).

The access token of the requesting user, in turn, contains the user's own SID together with the SIDs of all the groups to which the user belongs, including nested group memberships and well-known groups such as Authenticated Users, plus the privileges held by the user. It is these SIDs that the access check works with.

During an access check, the system walks the ACEs of the object's DACL in order and compares each ACE's SID with the SIDs in the user's access token. ACEs whose SID is not present in the token are ignored; a matching deny ACE that covers any of the requested rights not yet granted denies access immediately; matching allow ACEs accumulate granted rights until every requested right is satisfied. If the end of the DACL is reached with rights still outstanding, access is denied.
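As an added example that is not part of the original post, the following PowerShell script re-implements that DACL walk in simplified form against a constructed token and a constructed ACL, so it runs offline on any machine. All SIDs are made up for the example, rights are expressed with the .NET FileSystemRights flags, and the function deliberately omits parts of the real check (the owner's implicit READ_CONTROL and WRITE_DAC, the NULL-DACL case, and privileges such as SeBackupPrivilege that bypass the DACL).

```powershell
# Added example (not from the original post): a simplified simulation of the
# Windows DACL access check. SIDs and rights below are constructed.
$FSR = [System.Security.AccessControl.FileSystemRights]

# Token of the user requesting access: the user SID plus every group SID.
$tokenSids = @(
    'S-1-5-21-1000000000-2000000000-3000000000-1104',  # user (constructed)
    'S-1-5-21-1000000000-2000000000-3000000000-513',   # Domain Users
    'S-1-5-21-1000000000-2000000000-3000000000-1201',  # a "Finance" group
    'S-1-1-0',                                         # Everyone
    'S-1-5-11'                                         # Authenticated Users
)

# DACL of the securable object, in the order Windows evaluates it. Canonical
# order places explicit deny ACEs before explicit allow ACEs.
$dacl = @(
    @{ Type = 'Deny';  Sid = 'S-1-5-21-1000000000-2000000000-3000000000-1201'; Rights = $FSR::Delete },
    @{ Type = 'Allow'; Sid = 'S-1-5-21-1000000000-2000000000-3000000000-1201'; Rights = $FSR::Modify },
    @{ Type = 'Allow'; Sid = 'S-1-5-11';                                        Rights = $FSR::ReadAndExecute }
)

function Test-SimulatedAccess {
    param(
        [string[]] $TokenSids,
        [object[]] $Dacl,
        [System.Security.AccessControl.FileSystemRights] $Requested
    )
    # Bitmask of requested rights not yet granted; success when it reaches 0.
    $remaining = [int]$Requested
    foreach ($ace in $Dacl) {
        # ACEs whose trustee SID is not in the token are skipped entirely.
        if ($TokenSids -notcontains $ace.Sid) { continue }
        $aceRights = [int]$ace.Rights
        if ($ace.Type -eq 'Deny') {
            # A deny ACE covering any still-outstanding requested right ends
            # the check immediately with access denied.
            if (($remaining -band $aceRights) -ne 0) { return $false }
        } else {
            # An allow ACE clears the rights it grants from the outstanding set.
            $remaining = $remaining -band (-bnot $aceRights)
            if ($remaining -eq 0) { return $true }
        }
    }
    # End of DACL reached: access is granted only if nothing is outstanding.
    return ($remaining -eq 0)
}

# Evaluate a few requests for this token against this DACL.
foreach ($r in 'ReadAndExecute', 'Write', 'Delete', 'Modify') {
    $granted = Test-SimulatedAccess -TokenSids $tokenSids -Dacl $dacl -Requested $r
    '{0,-15} {1}' -f $r, $(if ($granted) { 'GRANTED' } else { 'DENIED' })
}
```

With this token and DACL, ReadAndExecute and Write come out granted (the Finance allow ACE covers both), while Delete and Modify are denied: Modify includes the Delete bit, and the deny ACE on the Finance group is matched first because the user's token carries that group's SID. Remove the Finance SID from $tokenSids and the same user falls through to the Authenticated Users ACE, keeping ReadAndExecute but losing Write. That dependence on exactly which SIDs are in the token is what makes a token viewer useful.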

The contents of an access token are thus very valuable to look at, because they include all the SIDs under which a user acts when requesting access to a specific resource. They are not static, however: the SIDs in a token can differ based on the type of logon (interactive, network, service), the domain of the computer on which the target resource resides, and the type of machine (domain controller or member server) on which the user logs on, since, for example, domain local groups are only added to a token on computers in the group's own domain.

Thus, while it is valuable to be able to view a user's access token, it is not easy to do so: a token exists only for an active logon session, so a user can always view the contents of his/her own access token, but cannot simply view another user's access token.

The most common way of viewing one's own access token is via the Windows whoami utility (whoami /groups lists the group SIDs in the token, whoami /all the user SID, groups and privileges) -
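As an added example that is not part of the original post, here is a short PowerShell session that inspects your own token in three ways: with whoami, through the .NET WindowsIdentity class (which is easier to filter or compare), and with a token-based group check. It assumes an interactive PowerShell session; the output depends on the account you are logged on as.

```powershell
# Added example (not from the original post): inspecting your own token.

# 1. The whoami utility referred to above. /groups lists every group SID in
#    the token with its attributes, /priv the token's privileges, /user the
#    user SID. whoami /all prints all of these.
whoami /user
whoami /groups /fo list
whoami /priv

# 2. The same data through .NET.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"User SID: $($identity.User.Value)"

# Translate each group SID to an account name where possible; some SIDs in a
# token (the logon session SID, for example) have no name and stay as SIDs.
$identity.Groups | ForEach-Object {
    $sid = $_
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '(unresolvable)'
    }
    [pscustomobject]@{ SID = $sid.Value; Name = $name }
} | Format-Table -AutoSize

# 3. A membership check evaluated against the token rather than the directory,
#    so nested and well-known groups are honoured.
$principal = [System.Security.Principal.WindowsPrincipal]$identity
"Administrators SID active in token: " +
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# How many group SIDs the token carries (excludes the user SID itself); useful
# when checking how close an account is to the 1024-SID token limit.
"Group SIDs in token: $($identity.Groups.Count)"
```

One caveat a practitioner should expect: under User Account Control, a non-elevated session of an administrator runs with a filtered token, so whoami /groups shows the Administrators group as "Group used for deny only" and IsInRole returns False until you run the same session elevated. That is itself a good illustration of the point above that what matters is the token, not the directory membership.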


A specialized access token viewer is a utility that can show the access token another user would receive. Such a utility is commonly referred to as an Access Token Viewer, and it works by simulating the generation of a user's access token from the same factors (group memberships, logon type, target domain and machine type) that the system itself uses when it builds a token at logon.

In this blog, we will take a look at one such Windows Security Access Token Viewer and see how it can be used to view the access token of any domain user or computer account in an Active Directory environment.



An access token viewer can be an extremely valuable security analysis tool in many scenarios, such as when you are trying to find out whether or not a particular user has access to a specific file, folder or object, without having to log on as that user.

Sharon.

PS: The ability to view tokens is very helpful in numerous situations, including when you are trying to mitigate Active Directory risks or cyber security threats. A token viewer's capabilities can also be helpful when you are trying to enumerate/list/view Active Directory / domain group memberships, and/or when you are trying to determine which accounts might be close to the 1024-SID limit on the number of SIDs in an access token (and the related Kerberos MaxTokenSize limit).