In a multitasking operating system such as Windows NT, applications share a variety of system resources including the computer's memory, I/O devices, files, and system processor(s). Windows NT includes a set of security components that ensure that applications cannot access these resources without authorization. Together, these components—the Security Reference Monitor component, the Logon Process, and the Security protected subsystems—form the Windows NT security model.
The Security Reference Monitor is responsible for enforcing the access-validation and audit-generation policy defined by the local Security subsystem. It provides services to both kernel and user mode for validating access to objects, checking user privileges, and generating audit messages. The Reference Monitor, like other parts of the Executive, runs in kernel mode.
The user-mode Logon Process and Security protected subsystems are the other two components of the Windows NT security model. Because it affects the entire Windows NT operating system, the Security subsystem is known as an integral subsystem rather than an environment subsystem. (Environment subsystems are discussed later in this chapter.)
The Windows NT Kernel and Executive are based on an object-oriented model that allows for a consistent and uniform view of security, right down to the fundamental entities that make up the base operating system. This means that Windows NT uses the same routines for access validation and audit checks for all protected objects. That is, whether someone is trying to access a file on the disk or a process in memory, there is one component in the system that is required to perform access checks, regardless of the object type.
The Windows NT Logon Process provides for mandatory logon to identify users. Each user must have an account and must supply a password to access that account. Before users can access any resource on a Windows NT computer, they must logon through the Logon Process so that the Security subsystem can authenticate their username and password. After successful authentication, whenever a user tries to access a protected object, the Security Reference Monitor runs an access-validation routine against the user's security information to ensure the user has permission to access the object.
The security model also provides for discretionary access control so that the owner of a resource can specify which users or groups can access resources and what types of access they're allowed (such as read, write, and delete).
Resource protection is another feature provided by the security model. Tasks can access each others' resources, such as memory, only through specific sharing mechanisms. This feature helps enforce object hiding.
Windows NT also provides for auditing so that administrators can keep an audit trail of which users perform what actions.
By providing these features, the Windows NT security model prevents applications from gaining unauthorized access to the resources of other applications or the operating system either intentionally or unintentionally.
For more information about Windows NT Workstation security, see Part II, Chapter 6, "Windows NT Workstation Security." For more information about the C2 Evaluation of Windows NT, see the Windows NT Administrator's Security Guide. (It is available from Microsoft. Refer to Part #236-074-495.)
In addition to the protected subsystems, Logon Process and Security, Windows NT includes a number of other user-mode components called environment subsystems. The next section describes each of them.