Custom Tokens

Access tokens (and Custom Tokens) are assigned to an application, or to content when it is being edited, to modify the privileges of that activity. An access token contains a collection of settings that specify the group memberships, associated privileges, integrity level, and process access rights.

Endpoint Privilege Management for Windows includes a set of built-in access tokens that can be used to add administrator rights, remove administrator rights, or enforce the user's default privileges. A passive access token is also available that does not change the privileges of the activity, but still applies anti-tamper protection.

Access tokens are assigned to applications or content through rules within a Workstyle. For more advanced configurations, Custom Tokens can be created where group memberships, privileges, permissions, and integrity can be manually specified. You can optionally define any number of Custom Tokens.

Create Custom Tokens

To create a new Custom Token:

  1. Navigate to Endpoint Privilege Management Settings > Windows > Custom Tokens.
  2. Right-click and select New Custom Token. Select from the following options:
    • Create a token which adds Administrator rights
    • Create a token which removes Administration rights
    • Create a blank token
  3. For the first two options, the Windows privileges that are assigned to that token are preselected for you, although you can change them if required. You can enter text in the Filter box to filter the list in real time.
  4. Click Finish when you have assigned the required privileges to the token.

The new Custom Token is displayed beneath the Custom Tokens node. Click the new token to display the Token Summary.

You may now define the Groups, Privileges, Integrity Level, and Process Access Rights for the Custom Token.

Edit Custom Tokens

Groups

The Groups section of the Custom Token specifies the groups that will be added or removed from the token.

To insert a group:

  1. Select Groups from the top tab. The token groups appear in the right pane.
  2. Right-click and select Add a new account.
  3. Enter the object names and click Check Names to validate them.
  4. By default, when you insert a group, the Add Account box is checked, and the group is added to the Custom Token. If you want to remove the group from the Custom Token, check the Remove box instead.

Domain and well-known groups display a Security Identifier (SID). The SID is used by Endpoint Privilege Management for Windows, which avoids account lookup operations. For local groups, the name is used by Endpoint Privilege Management for Windows, and the SID is looked up when the Custom Token is created by the client. Local Account appears in the SID column of the groups list for local groups.

Setting the Token Owner

By default, a Custom Token that includes the administrators group has its owner set to the administrators group. If the administrators group is not present in the Custom Token, then the user is set as the owner.

If you want the user to be the owner, regardless of the presence of the administrators group, check the Ensure the User is always the Token Owner box.

Anti-Tamper Protection

By default, Endpoint Privilege Management for Windows prevents elevated processes from tampering with the files, registry, and service that make up the client installation. It also prevents any elevated process from reading or writing to the local Endpoint Privilege Management for Windows policy cache.

Domain Controllers don't have the Local Users and Groups databases once they're promoted to a Domain Controller. Therefore, Endpoint Privilege Management for Windows cannot offer the Anti-Tamper feature for Domain Controllers.

If you want to disable anti-tamper protection, uncheck the Enable anti-tamper protection box.

Under normal circumstances, this option should remain enabled, except in scenarios where elevated tasks require access to protected areas, for instance, if you are using an elevated logon script to update the local Endpoint Privilege Management for Windows policy.

Privileges

The Privileges section of the Custom Token specifies the privileges that are added to or removed from the Custom Token.

If you want to add a privilege to the Custom Token, then check the Add box for the relevant privilege. If you want to remove a privilege from the Custom Token, check the Remove box for the relevant privilege.

You can also select multiple privileges and use the following options on the right-click menu:

  • Reset Privilege
  • Add Privilege
  • Remove Privilege
  • Add Admin Privileges
  • Remove Admin Privileges

To clear all of the privileges in the Custom Token before applying privileges, check the Remove all existing privileges in access token before applying privileges box. If this box is left unchecked, the privileges are added to or removed from the user’s default Custom Token.

Integrity Level

The Integrity Level section of the Custom Token specifies the integrity level for the Custom Token.

To set the integrity level:

  1. Select the Integrity Level node in the left pane. The integrity levels appear in the right pane as radio buttons. 
  2. Set the appropriate integrity level.

The integrity level should be set as follows:

Integrity Level | Description
System | Included for completion and should not be required
High | Set the integrity level associated with an administrator
Medium | Set the integrity level associated with a standard user
Low | Set the integrity level associated with protected mode (an application may fail to run or function in protected mode)
Untrusted | Included for completion and should not be required
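
To confirm that a rule applied the intended groups and integrity level, the resulting token can be inspected from a process started under that rule. The following is an added example, not part of the product or its documentation: it parses the text of `whoami /groups /fo csv /nh` and compares it with what the Custom Token was meant to produce. The function names and the sample output are constructed for illustration.

```python
import csv
import io

# Well-known mandatory-label SIDs for the integrity levels listed above.
INTEGRITY_SIDS = {
    "S-1-16-0": "Untrusted",
    "S-1-16-4096": "Low",
    "S-1-16-8192": "Medium",
    "S-1-16-12288": "High",
    "S-1-16-16384": "System",
}
ADMINISTRATORS_SID = "S-1-5-32-544"  # BUILTIN\Administrators

def summarize_token(whoami_csv):
    """Parse `whoami /groups /fo csv /nh` text into integrity level and admin state."""
    integrity, admin = None, "absent"
    for row in csv.reader(io.StringIO(whoami_csv)):
        if len(row) < 4:
            continue  # skip blank or malformed lines
        _name, _type, sid, attrs = row[:4]
        if sid in INTEGRITY_SIDS:
            integrity = INTEGRITY_SIDS[sid]
        elif sid == ADMINISTRATORS_SID:
            # A filtered token keeps the group but marks it "Group used for deny only".
            admin = "deny-only" if "deny only" in attrs.lower() else "enabled"
    return {"integrity": integrity, "administrators": admin}

def check_token(whoami_csv, expect_integrity, expect_admin):
    """Return a list of mismatches between the observed token and the intended one."""
    seen = summarize_token(whoami_csv)
    problems = []
    if seen["integrity"] != expect_integrity:
        problems.append(f"integrity is {seen['integrity']}, expected {expect_integrity}")
    if seen["administrators"] != expect_admin:
        problems.append(f"administrators is {seen['administrators']}, expected {expect_admin}")
    return problems

# Constructed sample: output captured from a process whose Custom Token was
# intended to add the administrators group at High integrity.
SAMPLE = '''"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"
"BUILTIN\\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\\High Mandatory Level","Label","S-1-16-12288",""
'''
```

An empty list from `check_token(SAMPLE, "High", "enabled")` means the observed token matches the intended configuration.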

Process Access Rights

The Process Access Rights section of a Custom Token allows you to specify which rights other processes have over a process launched with that Custom Token.

Tokens that include the administrators group have a secure set of access rights applied by default, which prevents code injection attacks on elevated processes initiated by processes running with standard user rights in the same session.

Check or uncheck the Access Right Name box to enable or disable a specific access right.

You can also select multiple access rights and use the following options on the right-click menu:

  • Reset all to default
  • Add Right
  • Remove Right

The access rights should be set as follows:

Access Rights | Description
GENERIC_READ | Read access.
PROCESS_CREATE_PROCESS | Required to create a process.
PROCESS_CREATE_THREAD | Required to create a thread.
PROCESS_DUP_HANDLE | Required to duplicate a handle using DuplicateHandle.
PROCESS_QUERY_INFORMATION | Required to retrieve certain information about a process, such as its token, exit code, and priority class.
PROCESS_QUERY_LIMITED_INFORMATION | Required to retrieve certain information about a process.
PROCESS_SET_INFORMATION | Required to set certain information about a process, such as its priority class.
PROCESS_SET_QUOTA | Required to set memory limits using SetProcessWorkingSetSize.
PROCESS_SUSPEND_RESUME | Required to suspend or resume a process.
PROCESS_TERMINATE | Required to terminate a process using TerminateProcess.
PROCESS_VM_OPERATION | Required to perform an operation on the address space of a process.
PROCESS_VM_READ | Required to read memory in a process using ReadProcessMemory.
PROCESS_VM_WRITE | Required to write to memory in a process using WriteProcessMemory.
READ_CONTROL | Required to read information in the security descriptor for the object, not including the information in the SACL.
SYNCHRONIZE | Required to wait for the process to terminate using the wait functions.
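
When reviewing a Custom Token that relaxes the default rights, it helps to see the selection as the access mask Windows evaluates and to separate query-style rights from those that let another process change the target. The following is an added example, not product code: the bit values are the Windows SDK constants, while the `MODIFYING` grouping and the two sample right sets are assumptions made for this illustration.

```python
# Bit values are the Windows SDK (winnt.h) constants for the rights in the table.
RIGHTS = {
    "PROCESS_TERMINATE": 0x0001,
    "PROCESS_CREATE_THREAD": 0x0002,
    "PROCESS_VM_OPERATION": 0x0008,
    "PROCESS_VM_READ": 0x0010,
    "PROCESS_VM_WRITE": 0x0020,
    "PROCESS_DUP_HANDLE": 0x0040,
    "PROCESS_CREATE_PROCESS": 0x0080,
    "PROCESS_SET_QUOTA": 0x0100,
    "PROCESS_SET_INFORMATION": 0x0200,
    "PROCESS_QUERY_INFORMATION": 0x0400,
    "PROCESS_SUSPEND_RESUME": 0x0800,
    "PROCESS_QUERY_LIMITED_INFORMATION": 0x1000,
    "READ_CONTROL": 0x00020000,
    "SYNCHRONIZE": 0x00100000,
    "GENERIC_READ": 0x80000000,
}

# Assumption of this example, not a product setting: rights that change the
# target's memory, threads, handles, children or state count as "modifying".
MODIFYING = {
    "PROCESS_CREATE_PROCESS", "PROCESS_CREATE_THREAD", "PROCESS_DUP_HANDLE",
    "PROCESS_SET_INFORMATION", "PROCESS_SET_QUOTA", "PROCESS_SUSPEND_RESUME",
    "PROCESS_TERMINATE", "PROCESS_VM_OPERATION", "PROCESS_VM_WRITE",
}

def to_mask(names):
    """Combine right names into one access mask; an unknown name raises KeyError."""
    mask = 0
    for name in names:
        mask |= RIGHTS[name]
    return mask

def decode(mask):
    """Return (sorted names of table rights set in mask, bits not covered by the table)."""
    names = sorted(n for n, bit in RIGHTS.items() if mask & bit)
    return names, mask & ~to_mask(names)

def review(granted):
    """Summarise a proposed right set: its mask and any modifying rights it allows."""
    risky = sorted(set(granted) & MODIFYING)
    return {"mask": hex(to_mask(granted)), "modifying": risky, "read_only": not risky}

# Constructed inputs: a query-only selection and a relaxed selection.
QUERY_ONLY = ["PROCESS_QUERY_LIMITED_INFORMATION", "SYNCHRONIZE", "READ_CONTROL"]
RELAXED = QUERY_ONLY + ["PROCESS_VM_OPERATION", "PROCESS_VM_WRITE", "PROCESS_CREATE_THREAD"]
```

`decode()` also works in the other direction, turning a mask recorded in process-access telemetry back into the right names used in the Custom Token editor.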