Access Control
Access control, like all technologies, has a specialized vocabulary. It is recommended that you understand how the following key terms are defined in the context of the access control model for Windows 2000.
Security principal. A user, group, computer, or service. Security principals have accounts. Local accounts are managed by the Security Accounts Manager (SAM) on the computer. Domain accounts are managed by Active Directory.
Security identifier (SID). A value that uniquely identifies a user, group, service, or computer account within an enterprise. Every account is issued a SID when it is created. Access control mechanisms in Windows 2000 identify security principals by SID rather than by name.
Security context. Information that describes a particular security principal's identity and capabilities on the computer. In Windows 2000, all activities take place in a security context. The security subsystem uses the security context to determine what a process and its threads of execution can do to objects on the computer, and who will be held accountable for what they have done.
Access token. A data structure containing the SID for a security principal, SIDs for the groups that the security principal belongs to, and a list of the security principal's privileges (also known as user rights) on the local computer. An access token is created for every security principal who logs on locally, at the computer's keyboard, or remotely, through a network connection. The access token provides a security context for the security principal's actions on the computer.
Thread. An executable entity within a process. For the purpose of this discussion, think of a thread as a sequence of program code scheduled for execution on the processor. A process can have several threads, all executing at the same time. The operating system coordinates execution by assigning each thread a scheduling priority.
Subject. A thread executing within the security context of an authenticated security principal. Before a subject is allowed to carry out an operation on a protected object, the security subsystem first performs an access check by comparing information in the subject's access token with information in the object's security descriptor to determine whether the subject is authorized to do what it wants to do.
Impersonation. The ability of a thread to act in a security context different from that of the process that owns the thread. Impersonation is designed to address the security requirements of client/server applications by allowing a service to act in its own security context when acting on its own behalf and in a client's security context when acting on the client's behalf.
Object. Any resource that can be manipulated by a program or process. Objects include resources you can see through the user interface, such as files, folders, printers, registry keys, Active Directory objects, and the Windows Desktop. They also include resources that you cannot see, such as sessions, processes, threads, and access tokens. An object can function as a logical repository for other objects. If an object can hold other objects, it is called a container; if it does not have this capability, it is called a noncontainer. Container objects can hold both noncontainer objects and also other container objects. For example, a Folder object in the file system can contain File objects (noncontainers) and also other Folder objects (containers). In a hierarchy of objects, the relationship between a container and its content is expressed by referring to the container as the parent and to an object in the container as the child. The parent-child metaphor is particularly useful in describing the concept of object inheritance, which allows a child object to inherit certain characteristics, such as security restrictions, from its parent object.
Securable object. Any object that can be shared. In Windows 2000, all securable objects have security descriptors that contain information about how access to the object is controlled.
Security descriptor. A data structure containing the security information associated with a securable object. A security descriptor identifies an object's owner by SID. If permissions are configured for the object, its security descriptor contains a discretionary access control list (DACL) with SIDs for the users and groups who are allowed or denied access. If auditing is configured for the object, its security descriptor also contains a system access control list (SACL) that controls how the security subsystem audits attempts to access the object.
Owner. The only security principal who has an inherent right to allow or deny permission to access an object. The first owner of an object is usually the security principal associated with the thread that created the object. An object's owner can transfer ownership by giving another security principal permission to take ownership. By default, the built-in Administrators group on a computer is assigned a user right that allows this group to take ownership of all objects on the computer.
Permission. Authority to perform an operation or a set of operations on an object. Permissions are granted or denied by an object's owner. Because access to an object is at the owner's discretion, the type of access control used in Windows 2000 is called discretionary access control.
User right. Authority to perform an operation that affects an entire computer rather than a particular object. User rights (also known as privileges) are assigned by administrators to individual users or groups as part of the security settings for the computer. Although user rights can be managed centrally through Group Policy, they are applied locally. Users can (and usually do) have different user rights on different computers.
Access right. A permission from a subject's point of view. When a human user allows or denies permission through the Access Control Settings dialog box, the result is recorded as an access control entry (ACE) in the object's DACL. In the user interface, a permission is represented by a word or phrase. In an ACE, the same permission is represented by a set of bit flags in an access mask. Each bit flag corresponds to an access right—that is, to a particular operation that can be performed on the object.
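The terms defined above fit together as one mechanism: a subject's access token (user SID, group SIDs, privileges) is compared against an object's security descriptor (owner SID plus a DACL of ACEs carrying access-mask bit flags), and a thread that is impersonating a client is checked against the client's token rather than its process's. The following Python model is an added example, not code from the Windows 2000 documentation or from Windows itself; it simulates the documented DACL walk (skip ACEs whose SID the token lacks, explicit deny fails the check, allow ACEs clear outstanding bits, empty DACL grants nothing, NULL DACL grants everything, the owner implicitly holds READ_CONTROL and WRITE_DAC) and the take-ownership path via permission or user right. The principal names, S-1-5-21-* SIDs, the `demo()` scenario and the simplified `AccessToken`, `ACE`, `SecurityDescriptor` and `Thread` classes are constructed for illustration; the access-mask bit values, the S-1-5-32-* alias SIDs and the privilege name SeTakeOwnershipPrivilege are the real Win32 ones.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Access rights as bit flags in an access mask (standard Win32 values; subset only).
FILE_READ_DATA, FILE_WRITE_DATA = 0x0001, 0x0002
READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x00020000, 0x00040000, 0x00080000

# Constructed SIDs. The S-1-5-32-* values are the well-known Users and
# Administrators aliases; the S-1-5-21-* values are made up for this example.
SID_ALICE, SID_BOB, SID_SVC = "S-1-5-21-1000", "S-1-5-21-1001", "S-1-5-21-2000"
SID_USERS, SID_ADMINS = "S-1-5-32-545", "S-1-5-32-544"

@dataclass
class AccessToken:
    """Security context of a logged-on principal: user SID, group SIDs, privileges."""
    user_sid: str
    group_sids: List[str]
    privileges: List[str] = field(default_factory=list)

    def holds(self, sid: str) -> bool:
        return sid == self.user_sid or sid in self.group_sids

@dataclass
class ACE:
    """One access control entry: allow or deny access-mask bits to a SID."""
    kind: str                  # "allow" or "deny"
    sid: str
    mask: int
    inherited: bool = False

@dataclass
class SecurityDescriptor:
    owner_sid: str
    dacl: Optional[List[ACE]]  # None models an absent (NULL) DACL
    sacl: List[ACE] = field(default_factory=list)  # audit ACEs, not consulted here

@dataclass
class Thread:
    """Acts in its process's security context unless it is impersonating a client."""
    process_token: AccessToken
    impersonation_token: Optional[AccessToken] = None

    def subject(self) -> AccessToken:
        return self.impersonation_token or self.process_token

def access_check(token: AccessToken, sd: SecurityDescriptor, desired: int) -> bool:
    """Walk the DACL in order: skip ACEs whose SID the token lacks, fail on a deny
    ACE covering any outstanding bit, let allow ACEs clear bits until none remain.
    NULL DACL grants all, empty DACL grants nothing, owner gets READ_CONTROL|WRITE_DAC."""
    remaining = desired
    if token.user_sid == sd.owner_sid:
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    if sd.dacl is None:
        return True
    for ace in sd.dacl:
        if remaining == 0:
            break
        if not token.holds(ace.sid):
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
    return remaining == 0

def take_ownership(token: AccessToken, sd: SecurityDescriptor) -> bool:
    """Ownership passes to the caller if the DACL grants WRITE_OWNER or the caller
    holds the SeTakeOwnershipPrivilege user right (Administrators have it by default)."""
    if access_check(token, sd, WRITE_OWNER) or "SeTakeOwnershipPrivilege" in token.privileges:
        sd.owner_sid = token.user_sid
        return True
    return False

def demo() -> Dict[str, bool]:
    alice = AccessToken(SID_ALICE, [SID_USERS])
    bob = AccessToken(SID_BOB, [SID_USERS])
    admin = AccessToken("S-1-5-21-500", [SID_ADMINS], ["SeTakeOwnershipPrivilege"])
    service = AccessToken(SID_SVC, [])
    # Alice created the file, so she owns it. The explicit deny for Bob precedes
    # the inherited allow for Users, which is the canonical ACE order.
    sd = SecurityDescriptor(SID_ALICE, dacl=[
        ACE("deny", SID_BOB, FILE_WRITE_DATA),
        ACE("allow", SID_USERS, FILE_READ_DATA | FILE_WRITE_DATA, inherited=True),
    ])
    worker = Thread(process_token=service)      # a service thread in its own context
    results = {
        "alice_read": access_check(alice, sd, FILE_READ_DATA),
        "alice_change_dacl": access_check(alice, sd, WRITE_DAC),  # owner, implicit
        "bob_read": access_check(bob, sd, FILE_READ_DATA),
        "bob_write": access_check(bob, sd, FILE_WRITE_DATA),      # explicit deny wins
        "service_own_context": access_check(worker.subject(), sd, FILE_READ_DATA),
    }
    worker.impersonation_token = alice          # now acting on Alice's behalf
    results["service_as_alice"] = access_check(worker.subject(), sd, FILE_READ_DATA)
    results["bob_take_ownership"] = take_ownership(bob, sd)      # no permission, no right
    results["admin_take_ownership"] = take_ownership(admin, sd)  # user right applies
    return results
```

Calling `demo()` returns a name-to-bool map of the scenario: Alice reads and can rewrite the DACL because she owns the object; Bob reads through the Users group but the explicit deny blocks his write even though the later allow ACE would grant it; the service gets nothing in its own context and succeeds once its thread impersonates Alice; Bob cannot take ownership while the administrator can, through the user right rather than any permission on the object. Note that `sacl` is carried but never consulted, which mirrors the text: the SACL governs auditing of access attempts, not whether access is granted.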