The security model prescribed by the Windows (and Active) platform is a client-server one. The model is pervasive in that a network need not be involved; we can be talking about client and server processes running on the same machine. In this situation, the partitioning is between the application space that the client is running in and the (usually) kernel mode protected space that the server is running in.
Under this model, clients should only access objects through servers. They should never access objects directly. This means that access to files, devices, other servers, etc., must be arbitrated and 'passed through' by an intermediary server.
Servers, on the other hand, must manage the access of the object and enforce access control. This can be done by the server through assistance from the operating system, or the server may decide to 'roll its own' access control mechanism. Specifically, under Windows NT, it's typical that servers don't actually maintain and verify access rights directly. To make life simpler (and more secure) for server writers, servers are requested to impersonate the identity of the client, and attempt access to objects under such impersonation. In this way, unauthorized access would be prevented by the operating system without the server maintaining elaborate access verification schemes.
Windows NT provides such an impersonation capability for server applications through Win32 APIs.