One objective of the Windows NT security model is to ensure that the programs that a user runs have no more access to objects than the user does. That is, if a user is granted only read access to a file, then when he or she runs a program, that program cannot write to the file. The program, like the user, is granted read-only permission.
A subject is the combination of the user's access token and the program that is acting on the user's behalf. Windows NT uses subjects to track and manage permissions for the programs users run.
When a program or process runs on the user's behalf, it is said to be running in the security context of that user. The security context controls what access the subject has to objects and system services.
To accommodate the client/server model of Windows NT, there are two classes of subjects within the Windows NT security architecture:
When a subject calls an object service through a protected subsystem, the subject's token is used within the service to determine who made the call and to decide whether the caller has sufficient access authority to perform the requested action.
Windows NT allows one process to take on the security attributes of another through a technique called impersonation. For example, a server process typically impersonates a client process to complete a task involving objects to which the server does not normally have access.
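The access check and impersonation described above, as an added example that is not Windows NT code. It is a simplified allow-only model; the names Token, SecuredObject, Subject, access_check and the accounts used are assumptions made for illustration.

```python
from contextlib import contextmanager
from dataclasses import dataclass
from typing import Optional

READ, WRITE = 0x1, 0x2  # constructed access bits for this model

@dataclass(frozen=True)
class Token:  # stand-in for an access token: user plus group memberships
    user: str
    groups: frozenset = frozenset()

@dataclass
class SecuredObject:
    name: str
    acl: dict  # account or group name -> allowed bits (allow-only model)

    def granted_to(self, token: Token) -> int:
        mask = self.acl.get(token.user, 0)
        for group in token.groups:
            mask |= self.acl.get(group, 0)
        return mask

@dataclass
class Subject:  # a program plus the token it runs under
    primary: Token
    impersonated: Optional[Token] = None

    @contextmanager
    def impersonating(self, client: Token):
        self.impersonated = client
        try:
            yield self
        finally:
            self.impersonated = None  # always revert, even on error

def access_check(subject: Subject, obj: SecuredObject, desired: int) -> bool:
    # The check uses the impersonation token when one is set.
    token = subject.impersonated or subject.primary
    return (obj.granted_to(token) & desired) == desired

def demo() -> dict:
    alice = Token("alice", frozenset({"Users"}))  # constructed accounts
    server = Subject(Token("svc_files"))
    report = SecuredObject("report.txt", {"alice": READ, "Administrators": READ | WRITE})
    results = {"server_own_read": access_check(server, report, READ)}
    with server.impersonating(alice):
        results["as_alice_read"] = access_check(server, report, READ)
        results["as_alice_write"] = access_check(server, report, WRITE)
    results["after_revert_read"] = access_check(server, report, READ)
    return results
```

While impersonating, the server gains the client's read access but is still refused write access, and it loses the client's access again once it reverts.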