I’m trying to write a secure application that performs a privileged operation on Windows (in particular it changes system time). Because of that I ask the user to run this application with Admin privileges. One of the first things I want to do in the program is to drop all unnecessary privileges from my access token to limit the impact of any bugs I introduce later. From the Microsoft documentation on the topic I understand that I can either “disable” those privileges via AdjustTokenPrivileges, or create a new access token with “removed” privileges via CreateRestrictedToken and relaunch my application with it. If I understand this correctly, the disabled privileges can be re-enabled at any time, so any sufficiently compromised application will just do that and ignore any restrictions I tried to impose. On the other hand, if I remove the privileges completely with CreateRestrictedToken, they can’t be added back, which sounds safer and is what I’d generally imagine under the term “dropping privileges” (although this way sounds like an enormous amount of hassle with the relaunching and such).
I suspect that this understanding might be wrong. What would be the most appropriate way of dropping all but the needed privileges in Windows?
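The following is an added example, not code from the question above. It shows the third option the question does not mention: AdjustTokenPrivileges accepts the attribute SE_PRIVILEGE_REMOVED (value 4, documented in winnt.h), which deletes a privilege from the token permanently rather than disabling it, so the process can drop everything it does not need without relaunching, and a later attempt to re-enable a removed privilege fails with ERROR_NOT_ALL_ASSIGNED. The Win32 functions and constants are the real ones; the helper names (select_privileges_to_remove, drop_all_but, DEFAULT_KEEP) and the allow-list are my own. The API calls run only on Windows (elevated, so that the token actually holds privileges to remove); the policy step that decides which names to remove is plain Python and runs anywhere.

```python
# Added example: drop every privilege except an allow-list from the current
# process token with AdjustTokenPrivileges + SE_PRIVILEGE_REMOVED (no relaunch).
import ctypes
import sys

# Constants from winnt.h / winerror.h
SE_PRIVILEGE_ENABLED = 0x00000002
SE_PRIVILEGE_REMOVED = 0x00000004       # permanent: the privilege leaves the token
TOKEN_QUERY = 0x0008
TOKEN_ADJUST_PRIVILEGES = 0x0020
TOKEN_PRIVILEGES_CLASS = 3              # TokenPrivileges in TOKEN_INFORMATION_CLASS
ERROR_NOT_ALL_ASSIGNED = 1300

# Allow-list (my choice): the privilege the task needs, plus bypass-traverse
# checking, which every token carries and ordinary path access relies on.
DEFAULT_KEEP = ("SeSystemtimePrivilege", "SeChangeNotifyPrivilege")


class LUID(ctypes.Structure):
    _fields_ = [("LowPart", ctypes.c_ulong), ("HighPart", ctypes.c_long)]


class LUID_AND_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Luid", LUID), ("Attributes", ctypes.c_ulong)]


def token_privileges_type(count):
    """TOKEN_PRIVILEGES is a DWORD count followed by an open-ended array."""
    class TOKEN_PRIVILEGES(ctypes.Structure):
        _fields_ = [("PrivilegeCount", ctypes.c_ulong),
                    ("Privileges", LUID_AND_ATTRIBUTES * max(count, 1))]
    return TOKEN_PRIVILEGES


def select_privileges_to_remove(present, keep):
    """Pure policy step: every privilege in the token that is not allow-listed.
    Names are compared case-insensitively, as LookupPrivilegeValue does."""
    allowed = {name.lower() for name in keep}
    return [name for name in present if name.lower() not in allowed]


if sys.platform == "win32":
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.GetCurrentProcess.restype = ctypes.c_void_p
    advapi32.OpenProcessToken.argtypes = [
        ctypes.c_void_p, ctypes.c_ulong, ctypes.POINTER(ctypes.c_void_p)]
    advapi32.GetTokenInformation.argtypes = [
        ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_ulong,
        ctypes.POINTER(ctypes.c_ulong)]
    advapi32.LookupPrivilegeNameW.argtypes = [
        ctypes.c_wchar_p, ctypes.POINTER(LUID), ctypes.c_wchar_p,
        ctypes.POINTER(ctypes.c_ulong)]
    advapi32.LookupPrivilegeValueW.argtypes = [
        ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.POINTER(LUID)]
    advapi32.AdjustTokenPrivileges.argtypes = [
        ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_ulong,
        ctypes.c_void_p, ctypes.c_void_p]


def _check(ok):
    if not ok:
        raise ctypes.WinError(ctypes.get_last_error())


def open_own_token():
    token = ctypes.c_void_p()
    _check(advapi32.OpenProcessToken(kernel32.GetCurrentProcess(),
                                     TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,
                                     ctypes.byref(token)))
    return token


def privilege_name(luid):
    size = ctypes.c_ulong(0)
    advapi32.LookupPrivilegeNameW(None, ctypes.byref(luid), None, ctypes.byref(size))
    buf = ctypes.create_unicode_buffer(size.value + 1)
    _check(advapi32.LookupPrivilegeNameW(None, ctypes.byref(luid), buf, ctypes.byref(size)))
    return buf.value


def list_privileges(token):
    """Names of every privilege currently in the token, enabled or not."""
    size = ctypes.c_ulong(0)
    advapi32.GetTokenInformation(token, TOKEN_PRIVILEGES_CLASS, None, 0, ctypes.byref(size))
    buf = ctypes.create_string_buffer(size.value)
    _check(advapi32.GetTokenInformation(token, TOKEN_PRIVILEGES_CLASS, buf, size.value,
                                        ctypes.byref(size)))
    count = ctypes.c_ulong.from_buffer(buf).value
    tp = token_privileges_type(count).from_buffer(buf)
    return [privilege_name(tp.Privileges[i].Luid) for i in range(count)]


def adjust_privileges(token, names, attributes):
    """Apply `attributes` to each named privilege; returns the Win32 last-error
    code: 0 on full success, ERROR_NOT_ALL_ASSIGNED if some were not adjusted."""
    if not names:
        return 0
    tp = token_privileges_type(len(names))()
    tp.PrivilegeCount = len(names)
    for i, name in enumerate(names):
        _check(advapi32.LookupPrivilegeValueW(None, name, ctypes.byref(tp.Privileges[i].Luid)))
        tp.Privileges[i].Attributes = attributes
    _check(advapi32.AdjustTokenPrivileges(token, 0, ctypes.byref(tp), 0, None, None))
    return ctypes.get_last_error()


def drop_all_but(keep=DEFAULT_KEEP):
    """Remove everything not in `keep`, then prove the removal cannot be undone."""
    token = open_own_token()
    before = list_privileges(token)
    doomed = select_privileges_to_remove(before, keep)
    adjust_privileges(token, doomed, SE_PRIVILEGE_REMOVED)
    after = list_privileges(token)
    # A merely disabled privilege could be switched back on here; a removed one
    # is gone, so this returns ERROR_NOT_ALL_ASSIGNED (1300).
    reenable_error = adjust_privileges(token, doomed, SE_PRIVILEGE_ENABLED)
    return before, after, reenable_error


if __name__ == "__main__" and sys.platform == "win32":
    before, after, err = drop_all_but()
    print("before:", before)
    print("after: ", after)
    print("re-enable attempt error:", err, "(1300 == ERROR_NOT_ALL_ASSIGNED)")
```

Two caveats worth keeping in mind when using this. Removing privileges does not touch the token's group memberships, so an elevated process is still a member of Administrators and still passes any DACL that grants that group access; if that is also a concern, CreateRestrictedToken (with DISABLE_MAX_PRIVILEGE and a list of SIDs to disable) followed by a relaunch is the tool for it, which is where the hassle the question mentions comes from. And because removal is irreversible for the lifetime of the token, do it after the last point at which the program legitimately needs the dropped privileges, and check the allow-list against what the operation really requires before shipping.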