The Process Rights action folder contains the actions to remove or add administrator rights. You can remove administrator rights from applications such as web browsers to lock them down further for both administrators and standard users.
Remove Administrative Rights - This action removes administrative rights for specified applications.
We've added an advanced feature to the Remove Administrative Rights action that increases a process's integrity level if a SID is specified, but does not lower the integrity level in "decrease mode."
When you remove administrative rights for applications using the Remove Administrative Rights action, there is an advanced feature that allows you to apply restricted Security Identifiers (SIDs), further restricting access to securable objects.
When you specify any Restricted SID, the Security Descriptor must allow access not only to the user but also explicitly to the Restricting SID.
[[Who should use this advanced feature?]]
[[Adjust Process Rights Improvements
Adjust Process Security is an action that allows a process to be protected from tampering by users.
[[The existing Adjust Process Rights [[Security]] action in v8.0 would elevate the integrity level of processes if an integrity level SID was specified, but would not lower the integrity level in “decrease mode”. This feature has been implemented.]]
Restricted SIDs
A less well-known (and less used) feature has also been added: Restricted SIDs. This feature is simply exposed as the “Restricted Code” option on the Adjust Process Rights action.
The main intended usage of Restricted SIDs is the Well Known SID RESTRICTED_CODE (RESTRICTED). Technically, when security is evaluated for any operation and any Restricted SID is specified, the Security Descriptor must allow access not only to the user but also explicitly to the Restricting SID.
In practice, this mechanism generally removes all ability for a program to execute. Microsoft recognised the practical limitations of this mechanism and introduced a tweak that only applies the Restricted SID functionality to WRITE operations. Our Restricted Process option leverages this functionality.
So whilst a Restricted Process would be able to read any local resources the user could read (unless banned by deny Security Descriptors), any ability to write to resources is protected.
==> how does this apply to Adjust Process Security rather than Remove Admin Rights?]]
[[How does this work in the Console?]]
Our restricted process option leverages the Windows functionality that prevents restricted SIDs from having Write access to protected resources. (For more details, go to Restricted Tokens on the Windows Dev Center.)
Another benefit of this is that Restricted Processes do not have rights to open any network-based resource (e.g., file servers).
Online description
Adds the Restricted SID to the process. When evaluating security for any operation, when there is any Restricted SID specified then not only does the Security Descriptor need to allow access to the user, but also explicitly to the Restricted SID. See product documentation for more information.
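The two-part check and its write-only variant described above can be seen in a small model. This is an added example, not the product's code or the Windows implementation: it uses two toy access bits, SIDs written as plain names, and constructed sample objects, all of which are assumptions.

```python
"""Simplified model of the access check for restricted and write-restricted tokens."""
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # assumption: two toy access bits, not real Windows rights

@dataclass(frozen=True)
class Ace:
    allow: bool
    sid: str
    mask: int

@dataclass(frozen=True)
class Token:
    sids: frozenset
    restricting_sids: frozenset = frozenset()
    write_restricted: bool = False

def dacl_grants(dacl, sids, desired):
    """Evaluate ACEs in order: a matching deny on a still-needed bit fails the check."""
    granted = 0
    for ace in dacl:
        if ace.sid not in sids:
            continue
        if not ace.allow and (ace.mask & desired & ~granted):
            return False
        if ace.allow:
            granted |= ace.mask
    return (desired & ~granted) == 0

def access_check(token, dacl, desired):
    # Pass 1: the user's own SIDs must be granted the requested access.
    if not dacl_grants(dacl, token.sids, desired):
        return False
    if not token.restricting_sids:
        return True
    # Pass 2: the restricting SIDs must be granted it as well. In write-restricted
    # mode only the write bits are put through this second pass.
    second = (desired & WRITE) if token.write_restricted else desired
    return dacl_grants(dacl, token.restricting_sids, second)

# Constructed sample data: SID names and objects are illustrative only.
USER = frozenset({"alice", "Users"})
NORMAL = Token(USER)
RESTRICTED = Token(USER, frozenset({"RESTRICTED"}))
WRITE_RESTRICTED = Token(USER, frozenset({"RESTRICTED"}), write_restricted=True)
USER_DOC = [Ace(True, "alice", READ | WRITE)]  # no ACE for RESTRICTED
SCRATCH = USER_DOC + [Ace(True, "RESTRICTED", READ | WRITE)]

if __name__ == "__main__":
    for name, tok in [("normal", NORMAL), ("restricted", RESTRICTED), ("write-restricted", WRITE_RESTRICTED)]:
        print(name, [access_check(tok, d, m) for d in (USER_DOC, SCRATCH) for m in (READ, WRITE)])
```

In this model the fully restricted token cannot even read the user's own document, while the write-restricted token reads it but can write only where the object explicitly grants write to the restricting SID.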