Registry Control and Impersonation Token Actions

With privilege-manager version 12.0.1, two new types of actions have been implemented. The first is the Registry Control action, and the second is the Impersonation Token action. Together, these two actions permit a policy to be created which allows a non-administrator user to have administrator access to specific portions of the registry via selective per-thread token impersonation during registry key create/open operations. Likewise, administrator users can have restrictions placed on their registry access: for example, portions of the registry which are normally modifiable by administrators can be locked down to read-only access or no access at all.

Registry Control Action

A Registry Control action consists of a reference to an impersonation token, of which there is one provided out of the box with version 12.0.1, along with a set of Registry Control rules.

Any given Registry Control rule specifies the following items as part of its definition:

  • Registry Hive under which the registry key is located.

    • HKEY_CURRENT_USER

    • HKEY_LOCAL_MACHINE

    • HKEY_USERS

  • Key Path, which is the full path to the registry key under the specified hive.

    • Example: SOFTWARE\Microsoft\Windows\CurrentVersion

  • Scope, which specifies how the rule gets applied to a registry key which has a subtree of keys under it.

    • This Key Only

    • This Key And Subkeys

    • Subkeys Only

  • Permissions, which are the access rights for a registry key, and they specify the maximum amount of access that may be requested when a create/open operation is performed for a registry key.

    • There are convenience links for Full Control, Read and None, which when selected, cause the set of individual access rights to be toggled on/off as appropriate.

    • All the individual access rights [Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Create Link, Delete, Write DAC, Write Owner and Read Control] are capable of being independently enabled or disabled.

  • Use Impersonation is an on/off setting. If it is enabled, then whenever a thread in a process is performing a create/open operation for a registry key, the thread will temporarily impersonate the impersonation token that is associated with the Registry Control action. If it is disabled, then when a thread performs a registry key create/open operation, the thread’s current impersonation token, or the process token if no per-thread impersonation is in effect, will be used when performing access checks.
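The rule attributes above, as a constructed evaluation model (an added example, not Privilege Manager code): given a rule set and a registry key create/open request, it applies Hive, Key Path, Scope and Permissions and reports whether the request exceeds the rule's maximum access and whether the thread should impersonate the action's token. Rule precedence (the longest matching Key Path wins) and the bit sets behind the Full Control and Read convenience links are this example's assumptions.

```python
# Constructed model of Registry Control rule evaluation (not Privilege Manager code).
# Assumptions: rule precedence (longest matching Key Path wins) and the bit sets behind
# the Full Control / Read convenience links are this example's, not the product's.
from dataclasses import dataclass
from enum import Enum

# Win32 registry access-right bits behind the page's convenience links.
FULL_CONTROL = 0xF003F   # all ten listed rights (equals KEY_ALL_ACCESS)
READ = 0x20019           # Query Value | Enumerate Subkeys | Notify | Read Control (KEY_READ)
NONE = 0

Scope = Enum("Scope", "THIS_KEY_ONLY THIS_KEY_AND_SUBKEYS SUBKEYS_ONLY")

@dataclass(frozen=True)
class Rule:
    hive: str                # HKEY_CURRENT_USER / HKEY_LOCAL_MACHINE / HKEY_USERS
    key_path: str            # full path to the key under the hive
    scope: Scope
    permissions: int         # maximum access that may be requested on create/open
    use_impersonation: bool  # impersonate the action's token during create/open

def _norm(path): return path.strip("\\").lower()   # registry paths are case-insensitive

def rule_matches(rule, hive, key_path):
    """Apply the rule's Scope to the requested key."""
    if rule.hive.lower() != hive.lower():
        return False
    target, base = _norm(key_path), _norm(rule.key_path)
    is_key, is_subkey = target == base, target.startswith(base + "\\")
    return {Scope.THIS_KEY_ONLY: is_key, Scope.THIS_KEY_AND_SUBKEYS: is_key or is_subkey,
            Scope.SUBKEYS_ONLY: is_subkey}[rule.scope]

def evaluate_open(rules, hive, key_path, desired_access):
    """Return (permitted, impersonate, excess_bits) for a registry key create/open request."""
    matching = [r for r in rules if rule_matches(r, hive, key_path)]
    if not matching:
        return True, False, 0      # no rule applies: current token, normal access check
    rule = max(matching, key=lambda r: len(_norm(r.key_path)))  # most specific rule wins
    excess = desired_access & ~rule.permissions                 # bits beyond the rule's maximum
    return excess == 0, rule.use_impersonation, excess

# Constructed sample policy: a non-admin gets admin-level access to one vendor subtree via
# impersonation; the Run key and everything under it is locked to read-only access.
RULES = [
    Rule("HKEY_LOCAL_MACHINE", r"SOFTWARE\ExampleVendor", Scope.THIS_KEY_AND_SUBKEYS,
         FULL_CONTROL, use_impersonation=True),
    Rule("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
         Scope.THIS_KEY_AND_SUBKEYS, READ, use_impersonation=False),
]
```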

Impersonation Token Action

The Impersonation Token action currently has only a single use, and only one out-of-the-box instance of it is provided. When version 12.0.1 is installed or upgraded, the action Administrative Rights (Impersonation) will be created. It is nearly identical to the Add Administrative Rights (Modern) action (f.k.a. Add Administrative Rights), in that it creates an access token with full administrative rights, but the token type is impersonation rather than primary.

The intended purpose is to allow an impersonation token to be created and injected into a target process so that our Registry Control logic can use it for per-thread token impersonation in very specific instances where a Registry Control Rule specifies that impersonation must be used for registry key create/open operations.

Impersonation Token actions are not editable in the UI. Use of an impersonation token permits certain operations to be performed with full administrator rights while negating the need to run the entire process with administrator rights.