An important concept to understand about Windows NT security is that it is based on a per-user security model. Everything that a user does after logging in to Windows NT—from starting applications, to accessing printers and drives, to opening and saving files—is allowed or not allowed based on what rights and privileges are granted that user.
Windows NT’s security API also provides system-level and application-level event-logging features. These features allow you to later determine who had access to what, and when that access occurred.
Figure 20.1 shows a simplified representation of how Windows NT’s security system keeps track of users versus objects. Whenever a user successfully logs on to a trusted server, that user is identified internally by an access token. That access token sticks with the user for as long as that user is logged in, wherever he or she goes within the NT network. Each system object, on the other hand, is represented by a security descriptor (SD), which holds a number of pieces of security-related information (discussed a bit later in the chapter). Whenever a user attempts to access an object, NT’s security subsystem compares the access token against the permissions in the object’s security descriptor and grants or denies the request accordingly.
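As an added illustration, not code from this chapter and not a call into the Win32 API, the following Python models the comparison NT makes between a token and the discretionary ACL in a security descriptor; the SID strings, right bits and sample descriptor are constructed placeholders.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed access-right bits standing in for NT's access masks.
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
READ_CONTROL, WRITE_DAC = 0x10, 0x20

@dataclass
class Token:
    """Models the access token: the user's SID plus enabled group SIDs."""
    user_sid: str
    group_sids: FrozenSet[str] = frozenset()
    def holds(self, sid: str) -> bool:
        return sid == self.user_sid or sid in self.group_sids

@dataclass
class Ace:
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    sid: str      # trustee the ACE applies to
    mask: int     # rights this ACE allows or denies

@dataclass
class SecurityDescriptor:
    owner_sid: str
    dacl: Optional[List[Ace]] = None  # None models a NULL DACL (no protection)

def access_check(token: Token, sd: SecurityDescriptor, desired: int) -> bool:
    """Return True if every bit in `desired` is granted to the token."""
    if desired == 0:
        return False
    remaining = desired
    # The object's owner is always allowed to read and change its DACL.
    if token.holds(sd.owner_sid):
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    if remaining == 0:
        return True
    if sd.dacl is None:
        return True  # NULL DACL: everyone gets everything
    for ace in sd.dacl:  # order matters: a matching deny seen first wins
        if not token.holds(ace.sid):
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False  # empty DACL, or some right never granted: denied

# Constructed scenario: alice (in Users) is denied WRITE, Users may READ|WRITE.
ALICE = Token("S-1-5-21-0-0-0-1001", frozenset({"S-1-5-32-545"}))
DOC = SecurityDescriptor("S-1-5-21-0-0-0-1002",
                         [Ace(False, "S-1-5-21-0-0-0-1001", WRITE),
                          Ace(True, "S-1-5-32-545", READ | WRITE)])
```

An empty DACL (an empty list) denies everyone, while a NULL DACL grants everyone, which is why the two are modelled differently above.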