Planning Security for Your Applications

What sorts of applications really need to be concerned with Windows NT security? Simply put, anything intended to run on a server is a strong candidate for needing to implement security. Additionally, at the client-level, any applications that need to access their own secured objects (shared memory, files, semaphores, the registry, and so on) and most applications that will run as a service will need to make use of at least some Windows NT security functions.

When thinking about Windows NT’s security, one important point you should keep in mind is the distinction between automatically protected objects in NT and those objects you create yourself and must protect by implementing your own security checks. An example of automatic security would be the security checking that takes place within the kernel whenever access attempts occur on files or directories that are located on an NTFS partition.

On the other hand, “manual” or “do-it-yourself” security would be called for if you needed to prevent, for example, unauthorized access to only certain types of functionality within an application or to certain parts of a database file. In these cases, you can plan the security as follows:

Create a list of all data objects and/or types of functionality that cannot be open to all users indiscriminately.
Develop a logical plan of specific rights or privileges that can be assigned or restricted to the various individuals and/or groups using your system.
Add security checks to every point in your software where the protected objects or functionality can be accessed.
If the protected objects can possibly be accessed in any way from outside your software (by standard file access, for example), restrict access there also. This usually can be done by specifying Administrator-only access on the object, and then have your application run using Administrator privileges so it can access the object itself.