Custom Tokens
Access tokens (and Custom Tokens) are assigned to an application, or to content when it is being edited, to modify the privileges of that activity. An access token is a collection of settings that specify the group memberships, associated privileges, integrity level, and process access rights.
Endpoint Privilege Management for Windows includes a set of built-in access tokens that can be used to add administrator rights, remove administrator rights, or enforce the user's default privileges. A passive access token is also available that does not change the privileges of the activity, but still applies anti-tamper protection.
Access tokens are assigned to applications or content through rules within a Workstyle. For more advanced configurations, Custom Tokens can be created where group memberships, privileges, permissions, and integrity can be manually specified. You can optionally define any number of Custom Tokens.
Create Custom Tokens
To create a new Custom Token:
- Navigate to Endpoint Privilege Management Settings > Windows > Custom Tokens.
- Right-click and select New Custom Token. Select from the following options:
- Create a token which adds Administrator rights
- Create a token which removes Administrator rights
- Create a blank token
- For the first two options, the Windows privileges that are assigned to that token are preselected for you, although you can change them if required. You can enter text in the Filter box to filter the list in real time.
- Click Finish when you have assigned the required privileges to the token.
The new Custom Token is displayed beneath the Custom Tokens node. Click the new token to display the Token Summary.
You may now define the Groups, Privileges, Integrity Level, and Process Access Rights for the Custom Token.
Edit Custom Tokens
Groups
The Groups section of the Custom Token specifies the groups that will be added or removed from the token.
To insert a group:
- Select Groups from the top tab. The token groups appear in the right pane.
- Right-click and select Add a new account.
- Enter the object names and click Check Names to validate them.
- By default, when you insert a group, the Add Account box is checked, and the group is added to the Custom Token. If you want to remove the group from the Custom Token, check the Remove box instead.
Domain and well-known groups display a Security Identifier (SID). The SID is used by Endpoint Privilege Management for Windows, which avoids account lookup operations. For local groups, the name is used by Endpoint Privilege Management for Windows, and the SID is looked up when the Custom Token is created by the client. Local Account appears in the SID column of the groups list for local groups.
Setting the Token Owner
By default, a Custom Token that includes the administrators group has its owner set to the administrators group. If the administrators group is not present in the Custom Token, the user is set as the owner.
If you want the user to be the owner, regardless of the presence of the administrators group, check the Ensure the User is always the Token Owner box.
Anti-Tamper Protection
By default, Endpoint Privilege Management for Windows prevents elevated processes from tampering with the files, registry, and service that make up the client installation. It also prevents any elevated process from reading or writing to the local Endpoint Privilege Management for Windows policy cache.
Domain Controllers don't have the Local Users and Groups databases once they're promoted to a Domain Controller. Therefore, Endpoint Privilege Management for Windows cannot offer the Anti-Tamper feature for Domain Controllers.
If you want to disable anti-tamper protection, uncheck the Enable anti-tamper protection box.
Under normal circumstances, this option should remain enabled, except in scenarios where elevated tasks require access to protected areas, for instance when an elevated logon script is used to update the local Endpoint Privilege Management for Windows policy.
Privileges
The Privileges section of the Custom Token specifies the privileges that are added to or removed from the Custom Token.
If you want to add a privilege to the Custom Token, then check the Add box for the relevant privilege. If you want to remove a privilege from the Custom Token, check the Remove box for the relevant privilege.
You can also select multiple privileges and use the following options on the right-click menu:
- Reset Privilege
- Add Privilege
- Remove Privilege
- Add Admin Privileges
- Remove Admin Privileges
To clear all of the privileges in the Custom Token before applying privileges, check the Remove all existing privileges in access token before applying privileges box. If this box is left unchecked, the privileges are added to or removed from the user's default Custom Token.
Integrity Level
The Integrity Level section of the Custom Token specifies the integrity level for the Custom Token.
To set the integrity level:
- Select the Integrity Level node in the left pane. The integrity levels appear in the right pane as radio buttons.
- Set the appropriate integrity level.
The integrity level should be set as follows:
| Integrity Level | Description |
|---|---|
| System | Included for completion and should not be required |
| High | Set the integrity level associated with an administrator |
| Medium | Set the integrity level associated with a standard user |
| Low | Set the integrity level associated with protected mode (an application may fail to run or function in protected mode) |
| Untrusted | Included for completion and should not be required |
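The Groups, Privileges, and Integrity Level settings above all end up in the access token of the launched process, so they can be verified from inside that process. The following PowerShell is an added example, not part of the product or its documentation: run it in a PowerShell window started under the Custom Token (for example through a Workstyle rule) to compare the live token with what was configured. It relies only on the built-in whoami tool; the expected integrity level, group, and privilege names in the parameters are assumptions standing in for your own Custom Token settings.

```powershell
# Added example, not part of the Endpoint Privilege Management documentation or product.
# Confirms that a process launched under a Custom Token carries the configured groups,
# privileges and integrity level. Only the built-in whoami tool is used.

# Integrity-level SIDs are S-1-16-<RID>; the RIDs map to the levels in the table above.
$IntegrityByRid = @{ '0' = 'Untrusted'; '4096' = 'Low'; '8192' = 'Medium'; '12288' = 'High'; '16384' = 'System' }

function Get-TokenGroups     { whoami /groups /fo csv | ConvertFrom-Csv }   # Group Name, Type, SID, Attributes
function Get-TokenPrivileges { whoami /priv   /fo csv | ConvertFrom-Csv }   # Privilege Name, Description, State

function Get-TokenIntegrityLevel {
    # whoami reports the mandatory label as a group entry of type "Label".
    $label = Get-TokenGroups | Where-Object { $_.Type -eq 'Label' } | Select-Object -First 1
    if (-not $label) { return 'Unknown' }
    $rid = $label.SID.Split('-')[-1]
    if ($IntegrityByRid.ContainsKey($rid)) { $IntegrityByRid[$rid] } else { "Unknown ($($label.SID))" }
}

function Test-CustomTokenApplied {
    # Compare the live token against what the Custom Token was configured to deliver.
    param(
        [string]   $ExpectedIntegrity    = 'High',                  # assumption: token built to add admin rights
        [bool]     $ExpectAdministrators = $true,
        [string[]] $PrivilegesAdded      = @('SeDebugPrivilege'),   # assumption: privileges with the Add box checked
        [string[]] $PrivilegesRemoved    = @('SeShutdownPrivilege') # assumption: privileges with the Remove box checked
    )
    $groups = Get-TokenGroups
    $privs  = Get-TokenPrivileges | ForEach-Object { $_.'Privilege Name' }

    # BUILTIN\Administrators is the well-known SID S-1-5-32-544; a deny-only entry does not grant membership.
    $admin = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' -and $_.Attributes -notmatch 'deny' }
    $actualIntegrity = Get-TokenIntegrityLevel

    [pscustomobject]@{
        IntegrityLevel    = $actualIntegrity
        IntegrityOk       = ($actualIntegrity -eq $ExpectedIntegrity)
        AdministratorsOk  = ([bool]$admin -eq $ExpectAdministrators)
        MissingPrivileges = @($PrivilegesAdded   | Where-Object { $_ -notin $privs })   # configured Add, but absent
        LeakedPrivileges  = @($PrivilegesRemoved | Where-Object { $_ -in    $privs })   # configured Remove, but present
    }
}

Test-CustomTokenApplied | Format-List
```

An empty MissingPrivileges and LeakedPrivileges list together with IntegrityOk and AdministratorsOk set to True means the token matches the configuration; anything else points at the specific setting to revisit in the Token Summary.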
Process Access Rights
The Process Access Rights section of a Custom Token allows you to specify which rights other processes have over a process launched with that Custom Token.
Tokens that include the administrators group have a secure set of access rights applied by default, which prevents code injection attacks on elevated processes initiated by processes running with standard user rights in the same session.
Check or uncheck the Access Right Name box to enable or disable a specific access right.
You can also select multiple access rights and use the following options on the right-click menu:
- Reset all to default
- Add Right
- Remove Right
The access rights should be set as follows:
| Access Rights | Description |
|---|---|
| GENERIC_READ | Read access. |
| PROCESS_CREATE_PROCESS | Required to create a process. |
| PROCESS_CREATE_THREAD | Required to create a thread. |
| PROCESS_DUP_HANDLE | Required to duplicate a handle using DuplicateHandle. |
| PROCESS_QUERY_INFORMATION | Required to retrieve certain information about a process, such as its token, exit code, and priority class. |
| PROCESS_QUERY_LIMITED_INFORMATION | Required to retrieve certain information about a process. |
| PROCESS_SET_INFORMATION | Required to set certain information about a process, such as its priority class. |
| PROCESS_SET_QUOTA | Required to set memory limits using SetProcessWorkingSetSize. |
| PROCESS_SUSPEND_RESUME | Required to suspend or resume a process. |
| PROCESS_TERMINATE | Required to terminate a process using TerminateProcess. |
| PROCESS_VM_OPERATION | Required to perform an operation on the address space of a process. |
| PROCESS_VM_READ | Required to read memory in a process using ReadProcessMemory. |
| PROCESS_VM_WRITE | Required to write to memory in a process using WriteProcessMemory. |
| READ_CONTROL | Required to read information in the security descriptor for the object, not including the information in the SACL. |
| SYNCHRONIZE | Required to wait for the process to terminate using the wait functions. |