The Security Model
Chapter 1, "Windows NT Architecture," describes the overall architecture of Windows NT. As shown in Figure 2.1, the Windows NT security model includes these components:
- Logon processes, which accept logon requests from users. These include the initial interactive logon, which displays the initial logon dialog box to the user, and remote logon processes, which allow access by remote users to a Windows NT server process.
- Local Security Authority, which ensures that the user has permission to access the system. This component is the center of the Windows NT security subsystem. It generates access tokens (described later in this chapter), manages the local security policy, and provides interactive user authentication services. The Local Security Authority also controls audit policy and logs the audit messages generated by the Security Reference Monitor.
- Security Account Manager (SAM), which maintains the user accounts database. This database contains information for all user and group accounts. SAM provides user validation services, which are used by the Local Security Authority.
- Security Reference Monitor, which checks whether the user has permission to access an object and perform whatever action the user is attempting. This component enforces the access validation and audit generation policy defined by the Local Security Authority. It provides services to both kernel and user mode to ensure that users and processes attempting access to an object have the necessary permissions. This component also generates audit messages when appropriate.
Figure 2.1 Windows NT Security Components
Together, these components are known as the security subsystem. This subsystem is known as an integral subsystem rather than an environmental subsystem because it affects the entire Windows NT operating system.
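A simplified model of the flow these components implement, added here as an example and not code from the original text or from Windows NT itself: a logon process hands credentials to the Local Security Authority, which validates them against the SAM and issues an access token; the Security Reference Monitor then validates each access against the object's permissions and reports the outcome to the LSA, which logs only what its audit policy requires. Account names, passwords, rights and the file name are constructed, and the dictionary ACL stands in for a real security descriptor.

```python
from dataclasses import dataclass
from hashlib import sha256

@dataclass(frozen=True)
class AccessToken:              # issued by the LSA, carried by the user's processes
    user: str
    groups: frozenset

class SAM:
    """Account database. Accounts and passwords below are constructed sample data."""
    def __init__(self):
        self._accounts = {
            "alice": (sha256(b"s3cret").hexdigest(), frozenset({"Users", "Administrators"})),
            "bob":   (sha256(b"hunter2").hexdigest(), frozenset({"Users"})),
        }
    def validate(self, user, password):   # validation service used by the LSA
        entry = self._accounts.get(user)
        if entry and entry[0] == sha256(password.encode()).hexdigest():
            return entry[1]
        return None

class LocalSecurityAuthority:
    """Authenticates logons, issues tokens, owns the audit policy and the audit log."""
    def __init__(self, sam, audit_policy):
        self.sam, self.audit_policy, self.audit_log = sam, audit_policy, []
    def logon(self, user, password):
        groups = self.sam.validate(user, password)
        self.record("logon", user, None, groups is not None)
        return AccessToken(user, groups) if groups is not None else None
    def record(self, category, user, obj, success):
        # Only the LSA decides whether an event is logged; the monitor just reports.
        if (category, success) in self.audit_policy:
            self.audit_log.append((category, user, obj, success))

class SecurityReferenceMonitor:
    """Checks every access against the object's permissions and reports to the LSA."""
    def __init__(self, lsa):
        self.lsa = lsa
    def access_check(self, token, obj, desired):
        principals = {token.user, *token.groups}
        granted = set().union(*(obj["acl"].get(p, set()) for p in principals))
        ok = desired <= granted
        self.lsa.record("object_access", token.user, obj["name"], ok)
        return ok

def demo():
    """Logon -> token -> access checks -> audit log; policy logs failures only."""
    lsa = LocalSecurityAuthority(SAM(), {("logon", False), ("object_access", False)})
    srm = SecurityReferenceMonitor(lsa)
    payroll = {"name": r"C:\payroll.xls", "acl": {"Administrators": {"read", "write"}, "Users": {"read"}}}
    alice, bob = lsa.logon("alice", "s3cret"), lsa.logon("bob", "hunter2")
    return (lsa.logon("bob", "wrong"), srm.access_check(alice, payroll, {"read", "write"}),
            srm.access_check(bob, payroll, {"read", "write"}), lsa.audit_log)
```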
The Windows NT security model is designed for C2-level security as defined by the U.S. Department of Defense. Some of the most important requirements of C2-level security are the following:
- The owner of a resource (such as a file) must be able to control access to the resource.
- The operating system must protect objects so that they are not randomly reused by other processes. For example, the system protects memory so that its contents cannot be read after it is freed by a process. In addition, when a file is deleted, users must not be able to access the file's data.
- Each user must identify himself or herself by typing a unique logon name and password before being allowed access to the system. The system must be able to use this unique identification to track the activities of the user.
- System administrators must be able to audit security-related events. Access to this audit data must be limited to authorized administrators.
- The system must protect itself from external interference or tampering, such as modification of the running system or of system files stored on disk.