Access Control Overview

Posted by The Beyand | 3:24 AM | 0 comments »

The security subsystem is the primary gatekeeper through which subjects access objects
within the Windows operating system. We use the terms subjects generically here to
describe any entity that performs some action, and objects to mean the recipient of that
action. In Windows, subjects are processes (associated with access tokens), and objects are
securable objects (associated with security descriptors).
Processes are the worker bees of computing. They perform all useful work (together
with subprocess constructs called threads). Securable objects are the things that get acted
upon. Within Windows are many types of securable objects: files, directories, named
pipes, services, Registry keys, printers, network shares, and so on.
When a user logs on to Windows (that is, authenticates), the operating system creates
an access token containing security identifiers (SIDs) correlated with the user's account
and any group accounts to which the user belongs. The token also contains a list of the
privileges held by the user or the user's groups. We'll talk in more detail about SIDs and
privileges later in this chapter. The access token is associated with every process created
by the user on the system.
When a securable object is created, a security descriptor is assigned that contains a
discretionary access control list (DACL, sometimes generalized as ACL) that identifies which
user and group SIDs may access the object, and how (read, write, execute, and so on).
To perform access control, the Windows security subsystem simply compares the
SIDs in the subject's token to the SIDs in the object's ACL. If a match is found, access is
permitted; otherwise, it is denied.
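The token-versus-DACL comparison described above, modelled in Python as an added example (not code from the post or from Windows). It goes slightly beyond the text by walking the DACL's access control entries (ACEs) in order, honouring explicit deny entries and the NULL-versus-empty DACL distinction; the SIDs, rights constants and `ACE` class are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed access-right bits (stand-ins for Windows access masks)
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class ACE:
    """One access control entry: who (SID), allow or deny, which rights."""
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


def access_check(token_sids: Set[str], dacl: Optional[List[ACE]], requested: int) -> bool:
    """Return True only if every bit in `requested` is granted to the token.

    dacl=None models a NULL DACL (object has no protection: everything allowed).
    dacl=[]   models an empty DACL (no ACEs match anyone: everything denied).
    """
    if dacl is None:
        return True
    granted = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                      # ACE does not apply to this subject
        if ace.kind == "deny" and ace.mask & requested:
            return False                  # an applicable deny on any requested bit ends the check
        if ace.kind == "allow":
            granted |= ace.mask & requested
        if granted == requested:
            return True                   # all requested rights collected; stop early
    return False                          # ran out of ACEs with rights still missing


def canonical(dacl: Iterable[ACE]) -> List[ACE]:
    """Put explicit deny ACEs before allow ACEs (the canonical order Windows expects).

    Because the check above stops as soon as all rights are granted, an allow ACE
    listed before a deny ACE would let the deny be skipped; canonical order prevents that.
    """
    return sorted(dacl, key=lambda ace: ace.kind != "deny")   # stable: deny first


# Constructed sample token: a user SID plus the BUILTIN\Users group SID
ALICE_TOKEN = {"S-1-5-21-EXAMPLE-1001", "S-1-5-32-545"}

# Constructed sample DACL: Users may read and write, but Alice specifically may not write
SAMPLE_DACL = [
    ACE("deny", "S-1-5-21-EXAMPLE-1001", WRITE),
    ACE("allow", "S-1-5-32-545", READ | WRITE),
]
```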
The remainder of this chapter will take a more detailed look at subjects, since they are
the only way to access objects (absent kernel-mode control, again). For further information
on securable objects, see References and Further Reading.