When you remove administrative rights for applications using the Remove Administrative Rights action, an advanced option lets you apply restricted Security Identifiers (SIDs), which further restrict access to securable objects. When you specify a Restricted SID, the Security Descriptor must not only allow access to the user but also explicitly allow access to the Restricting SID.
What is a Restricted SID?
A Restricted SID is an entry in an access token that modifies a user's access to securable objects and controls the user's ability to perform various system-related operations on the local computer.
The system uses the list of restricting SIDs when it checks the token's access to a securable object. When a restricted process or thread tries to access a securable object, the system performs two access checks: one using the token's enabled SIDs, and another using the list of restricted SIDs. Access is granted only if both access checks allow the requested access rights. (For more information about restricted SIDs, go to https://msdn.microsoft.com/en-us/library/windows/desktop/aa379316(v=vs.85).aspx.)
When to Use a Restricted SID
- The typical use case for a Restricted SID is to create a sandbox and then apply a Restricted SID to further restrict the apps running in it.
- This is another form of Orangelisting: fully protecting yourself from something that is new and unknown. The application may not run correctly within the sandbox, but the point is that you are protecting yourself against unknown applications without going to the full extent of blacklisting.
- Anything the Restricted SID is applied to gets only Read access to the user registry and has no Read access to the local machine registry, so it can do very little, and many apps will not work correctly under this model. The same applies to the file system: not only do you as the user need access to a file, but the file must also explicitly grant access to the Restricted SID. Ultimately, it is severely locked down.
The Restricted SID is not new in Windows Server 2008 and Windows Vista, but the access checks based on the token are more significant. A Restricted SID denotes any process that presents a restricted token. A restricted token has one or more restricting SIDs (SIDs that are used in a separate access check). When restricting SIDs are present, Windows performs two access checks: the first is the normal access check, and the second performs the same check but only against the restricting SIDs in the token. Both access checks must pass before the process can access the object.
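The two-pass access check described above (and in the earlier paragraph on how the system uses the list of restricting SIDs) can be modelled in a few lines. The following is an added example written for this page, not code from the product or from Windows itself: it simulates a DACL, a normal token and a restricted token, and shows why an object that never names the restricting SID (like the local machine registry hive in the bullets above) is unreachable from a restricted process even though the user's own groups would allow it. The SID strings, the access-mask bit values and the two sample DACLs are constructed for illustration.

```python
from dataclasses import dataclass

# Illustrative access-mask bits (constructed; real Windows rights use other values).
READ = 0x1
WRITE = 0x2

# SID strings in the S-1-... style. The two group SIDs are the real well-known
# BUILTIN SIDs; the user SID and the restricting SID are constructed placeholders.
USER_SID = "S-1-5-21-EXAMPLE-1001"          # constructed
USERS_GROUP = "S-1-5-32-545"                # BUILTIN\Users
ADMINS_GROUP = "S-1-5-32-544"               # BUILTIN\Administrators
RESTRICTED_SID = "S-1-5-RESTRICTED-EXAMPLE" # constructed restricting SID


@dataclass(frozen=True)
class Ace:
    sid: str
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    mask: int     # rights this ACE grants or denies


@dataclass(frozen=True)
class Token:
    user: str
    groups: frozenset
    restricting: frozenset = frozenset()  # empty => not a restricted token


def _check(sids, dacl, desired):
    """One pass over the DACL for a given set of SIDs.

    ACEs are evaluated in order. A deny ACE that hits any requested right not
    yet granted ends the check; allow ACEs accumulate granted rights until every
    requested right is covered. An object whose DACL never mentions any of the
    SIDs grants nothing.
    """
    granted = 0
    for ace in dacl:
        if ace.sid not in sids:
            continue
        if not ace.allow:
            if ace.mask & desired & ~granted:
                return False
        else:
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return granted == desired


def access_check(token, dacl, desired):
    """The restricted-token rule: the enabled SIDs must pass, and if the token
    carries restricting SIDs a second pass using only those SIDs must pass too."""
    enabled = token.groups | {token.user}
    if not _check(enabled, dacl, desired):
        return False
    if not token.restricting:
        return True
    return _check(token.restricting, dacl, desired)


# Constructed sample objects, modelled on the registry hives discussed above.
USER_HIVE = (  # like HKEY_CURRENT_USER: user has full control, restricting SID only READ
    Ace(USER_SID, True, READ | WRITE),
    Ace(RESTRICTED_SID, True, READ),
)
MACHINE_HIVE = (  # like HKEY_LOCAL_MACHINE: no ACE names the restricting SID at all
    Ace(ADMINS_GROUP, True, READ | WRITE),
    Ace(USERS_GROUP, True, READ),
)

NORMAL = Token(USER_SID, frozenset({USERS_GROUP}))
RESTRICTED = Token(USER_SID, frozenset({USERS_GROUP}), frozenset({RESTRICTED_SID}))


def summary():
    """Outcome of each token/object/right combination, for inspection or testing."""
    return {
        "normal:user_hive:write": access_check(NORMAL, USER_HIVE, WRITE),
        "normal:machine_hive:read": access_check(NORMAL, MACHINE_HIVE, READ),
        "restricted:user_hive:read": access_check(RESTRICTED, USER_HIVE, READ),
        "restricted:user_hive:write": access_check(RESTRICTED, USER_HIVE, WRITE),
        "restricted:machine_hive:read": access_check(RESTRICTED, MACHINE_HIVE, READ),
    }


if __name__ == "__main__":
    for name, allowed in summary().items():
        print(f"{name:32s} {'ALLOWED' if allowed else 'DENIED'}")
```

Running it shows the normal token writing to the user hive and reading the machine hive, while the restricted token is reduced to Read on the user hive and gets nothing on the machine hive: the first pass succeeds there (BUILTIN\Users has Read), but the second pass finds no ACE for the restricting SID and fails, which is exactly the "both checks must pass" rule.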
Access control is the process of authorizing users, groups, and computers to access objects on the network by using permissions, user rights, and object auditing.
access token
An access token contains the security information for a logon session. The system creates an access token when a user logs on, and every process executed on behalf of the user has a copy of the token. The token identifies the user, the user's groups, and the user's privileges. The system uses the token to control access to securable objects and to control the ability of the user to perform various system-related operations on the local computer. There are two kinds of access token, primary and impersonation.
Our restricted process option leverages the Windows functionality that prevents restricted SIDs from having Write access to protected resources. (For more details, see Restricted Tokens on the Windows Dev Center.) Another benefit is that Restricted Processes do not have rights to open any network-based resource, such as file servers.
...
What is this thing called SID?