About Client/Server Access Control
A server application provides services to clients. For example, a server could perform the following services on behalf of a client:
- Save and retrieve information from a private database.
- Access network resources.
- Start processes in the client's security context on the server's computer.
A protected server controls access to its services. Windows NT provides security support that enables a server to do the following:
- Impersonate a client's security context, which causes the system to perform most access and privilege checks against the client's access token rather than the server's.
- Log a client on to the server's computer.
- Connect to network resources using the client's security context.
- Create security descriptors to protect private objects.
- Determine whether a security descriptor allows access to a client.
- Determine whether a set of privileges are enabled in a client's token.
- Generate audit messages in the security event log to record attempts by a client to access objects or use privileges.
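
Impersonation and the access check work together: while a server thread impersonates, the check against a private object's security descriptor is evaluated with the client's token, so a privileged service account does not lend its own rights to the client. The C sketch below is an added example, not code from the original page. It is a simplified, portable model of that check rather than the Win32 API, and the SID strings, right flags, type names and function names are all constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model, not the Win32 API: SIDs are strings, rights are bit flags. */
enum { ACE_ALLOW, ACE_DENY };
#define RIGHT_READ  0x1u
#define RIGHT_WRITE 0x2u

typedef struct { int type; const char *sid; unsigned mask; } Ace;
typedef struct { const Ace *aces; size_t count; } Dacl;       /* ordered ACE list */
typedef struct { const char *sids[4]; size_t count; } Token;  /* user + group SIDs */
typedef struct { const Token *primary; const Token *impersonation; } Thread;

static int token_has_sid(const Token *t, const char *sid) {
    for (size_t i = 0; i < t->count; i++)
        if (strcmp(t->sids[i], sid) == 0) return 1;
    return 0;
}

/* Checks use the impersonation token when one is set, else the process token. */
static const Token *effective_token(const Thread *th) {
    return th->impersonation ? th->impersonation : th->primary;
}

/* Walk ACEs in order: a matching deny ACE covering a still-needed right fails
   the check; matching allow ACEs clear needed rights; leftovers mean denied. */
int access_allowed(const Thread *th, const Dacl *dacl, unsigned desired) {
    const Token *tok = effective_token(th);
    unsigned remaining = desired;
    for (size_t i = 0; i < dacl->count && remaining; i++) {
        const Ace *a = &dacl->aces[i];
        if (!token_has_sid(tok, a->sid)) continue;
        if (a->type == ACE_DENY && (a->mask & remaining)) return 0;
        if (a->type == ACE_ALLOW) remaining &= ~a->mask;
    }
    return remaining == 0;
}

/* Constructed sample data: a service account, a client, and a private object. */
static const Token SERVER = { { "S-SERVICE", "S-ADMINS" }, 2 };
static const Token CLIENT = { { "S-ALICE", "S-USERS" }, 2 };
static const Ace ACES[] = {
    { ACE_DENY,  "S-ALICE",  RIGHT_WRITE },
    { ACE_ALLOW, "S-USERS",  RIGHT_READ | RIGHT_WRITE },
    { ACE_ALLOW, "S-ADMINS", RIGHT_READ | RIGHT_WRITE },
};
static const Dacl OBJECT_DACL = { ACES, 3 };

/* Outcome of a request while the server thread impersonates `client` (NULL = none). */
int check_as(const Token *client, unsigned desired) {
    Thread th = { &SERVER, client };
    return access_allowed(&th, &OBJECT_DACL, desired);
}
```

Without impersonation the same write request succeeds on the server's own token, which is the over-granting that checking against the client's token prevents.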