Effect of enabling "Create a token object"

I am attempting to understand the vulnerabilities being created by enabling the policy "Create a token object" for all domain users. We are updating a homegrown app for use on Windows 7. The programmers have run into a problem running the app and their easy solution is to enable the "Create a token object" policy.

Here is our environment.
This change would apply to Windows 7 R2 workstations. These workstations have the usual desktop/control panel restrictions. We are using AppLocker to apply the white list. The AppLocker white list is a detailed list of each executable which can be run.

Before I tell the programmers yes or no, I want to better understand the risks involved.  

epmmis Asked:
 
Pber (Solutions Architect) Commented:
It essentially grants that user with that right the ability to access ANY local resource on the computer that the user had been granted that access.  It essentially gives them the ability to get full admin rights to any object on the computer without actually making them an admin.  So if that user gets compromised by a hacker or a virus, that hacker or virus can instantly gain full control of that computer without having to attack a security vulnerability.

http://technet.microsoft.com/en-us/library/cc757309(WS.10).aspx

Personally I would investigate more what object the program is trying to access and maybe just granting more access to that object. Sometimes you can't get around granting that right. Since you are building the application internally, you may have the ability to make the program work without having to grant that right. We have a few commercial applications that require us to have that right and we had to do it, but understand the risk.
 
epmmis (Author) Commented:
This is very interesting.

Would you repost the technet URL? The link reports "Page Not Found".
 
Pber (Solutions Architect) Commented:
Hmmm. The link works for me.  
Try this link as well:
http://technet.microsoft.com/en-us/library/dd349804(WS.10).aspx#BKMK_13
 If that doesn't work, just go to http://www.technet.com and search for "Create token object"
 
epmmis (Author) Commented:
Thanks
Question has a verified solution.
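
One way to check which accounts a workstation's policy actually assigns "Create a token object" (SeCreateTokenPrivilege) to, as an added example that is not part of the original thread: it parses the `[Privilege Rights]` section of a `secedit /export /cfg <file> /areas USER_RIGHTS` export and flags broad groups such as Domain Users. The sample export, its domain SID, and the function names are constructed for this example.

```python
import re

# Well-known SIDs that cover most or all logged-on users.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-4": "INTERACTIVE",
}
# RID 513 under a domain SID is the Domain Users group.
DOMAIN_USERS = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")

# Constructed sample; real exports are UTF-16, so open them with encoding="utf-16".
SAMPLE_EXPORT = """
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeCreateTokenPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-513,*S-1-5-21-1111111111-2222222222-3333333333-1104
[Version]
signature="$CHICAGO$"
"""

def privilege_holders(inf_text, privilege="SeCreateTokenPrivilege"):
    """Return the principals assigned `privilege` in a secedit export."""
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        name, sep, value = line.partition("=")
        if in_section and sep and name.strip().lower() == privilege.lower():
            # SIDs are written with a leading '*'; names appear bare.
            return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return []  # right not listed: no account is assigned it

def audit(inf_text):
    """Classify every holder of SeCreateTokenPrivilege."""
    findings = []
    for p in privilege_holders(inf_text):
        if p in BROAD_SIDS:
            findings.append((p, "broad group: " + BROAD_SIDS[p]))
        elif DOMAIN_USERS.match(p):
            findings.append((p, "broad group: Domain Users"))
        else:
            findings.append((p, "explicit assignment, review"))
    return findings

if __name__ == "__main__":
    for principal, note in audit(SAMPLE_EXPORT):
        print(principal, "->", note)
```

An empty result is the expected state on a workstation where the right has not been granted to any account.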
