Windows 2000 Security Overview

In Chapter 3, while discussing the service API and its implementation, I mentioned that every process on a Windows 2000 system runs in the context of some user. In the case of services, this user is often the System (LocalSystem) account. The System account has almost total rights on the server in question and, by itself, no rights beyond that single server. This is a good time to discuss exactly what we mean by "user contexts" and "user rights."

The core of Windows 2000 security is the Security Descriptor (SD). An SD contains a header, an owner, a group, a Discretionary Access Control List (DACL), and a System Access Control List (SACL). The owner field of the SD holds the Security ID (SID) of the user or group that owns the resource the SD protects. A SID is a variable-length binary structure that identifies a user or group; in the Win32 API it is handled through an opaque pointer (PSID). The structure should never be manipulated directly, but rather treated as an opaque token and accessed only through the SID functions the API provides (LookupAccountSid, ConvertSidToStringSid, and so on).

NOTE
Windows identifies a user or group internally by its SID, never by the text form of the account name. A SID, once issued, is never issued again. Therefore, if a user is deleted from a Windows 2000 system and then added back with the same name, the new account receives a new SID, and there is no chance that it inherits any of the rights granted to the previously deleted user. ACEs that still reference the old SID remain in the ACLs where they were placed, but they no longer match anyone; the user interface displays such orphaned entries as an unresolvable raw SID rather than a name.

The group field of an SD holds the SID of the primary group the secured object belongs to. It takes no part in the Windows access check (it exists mainly for POSIX-subsystem compatibility) and is not used in the context of Active Directory security. DACLs and SACLs contain Access Control Entries (ACEs). Each ACE in a DACL names a SID, an access mask, and whether that access is allowed or denied, which together describe who has what rights to the object being secured; ACEs in a SACL describe which accesses are audited instead. Figure 4-2 shows how ACEs are represented in the user interface when looking at permissions for a directory on a Windows 2000 server.

Figure 4-2 Rights as seen through the Windows 2000 user interface.

In general, Windows 2000 security is as simple as that. An object has an SD associated with it, and that SD holds a list of which users or groups have which rights to the object. One rule is worth keeping in mind even at this level: ACEs in a DACL are evaluated in order, and the access check stops at the first ACE that denies a requested right, so the ordering of deny and allow entries determines the result. The details of implementation are, unfortunately, much more complex, and beyond the scope of this book. Windows NT Security by Nik Okuntseff (R&D Books, 1997), listed in the annotated bibliography at the end of the book, covers Windows NT security, and many of the same concepts carry through to Windows 2000.
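The binary layout behind the picture above is worth seeing once. The following Python is an added example, not code from the book or from Windows itself: it builds a self-relative security descriptor from well-known SIDs (the byte layouts of the SID, ACL, ACE, and self-relative SECURITY_DESCRIPTOR structures are the documented Win32 ones), parses it back, and runs a simplified version of the DACL walk. The sample descriptor, the token SID sets, and the FILE_READ_DATA/FILE_WRITE_DATA/DELETE mask values used for the sample are constructed here for illustration; generic-right mapping, inheritance flags, and SACL handling are left out. It also shows the two cases that trip people up: a NULL DACL (no DACL at all) protects nothing, while an empty DACL (present, zero ACEs) grants nothing.

```python
"""Build, parse, and evaluate a self-relative Windows SECURITY_DESCRIPTOR (added example)."""
import struct

# SECURITY_DESCRIPTOR_CONTROL bits used here
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000

ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01


def build_sid(text):
    """Encode 'S-1-5-32-544' as a binary SID: revision, sub-authority count,
    48-bit identifier authority (big-endian), sub-authorities (little-endian)."""
    parts = text.split("-")
    assert parts[0] == "S" and parts[1] == "1"
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def parse_sid(buf, off):
    """Decode the SID at offset `off`; returns (text form, size in bytes)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def build_ace(ace_type, mask, sid_text):
    """ACE_HEADER (type, flags, size) followed by the access mask and the SID."""
    sid = build_sid(sid_text)
    return struct.pack("<BBHI", ace_type, 0, 8 + len(sid), mask) + sid


def build_acl(aces):
    """ACL header: revision 2, padding, total size, ACE count, padding."""
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body


def build_sd(owner, group, dacl_aces):
    """20-byte SD header, then owner SID, group SID, DACL. dacl_aces=None means NULL DACL."""
    owner_sid, group_sid = build_sid(owner), build_sid(group)
    control, dacl = SE_SELF_RELATIVE, b""
    if dacl_aces is not None:
        control |= SE_DACL_PRESENT
        dacl = build_acl(dacl_aces)
    off_owner = 20
    off_group = off_owner + len(owner_sid)
    off_dacl = off_group + len(group_sid) if dacl else 0
    header = struct.pack("<BBHIIII", 1, 0, control, off_owner, off_group, 0, off_dacl)
    return header + owner_sid + group_sid + dacl


def parse_sd(buf):
    """Return {'owner', 'group', 'dacl'}; 'dacl' is None for a NULL/absent DACL."""
    _, _, control, off_owner, off_group, _, off_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    sd = {"owner": parse_sid(buf, off_owner)[0], "group": parse_sid(buf, off_group)[0], "dacl": None}
    if control & SE_DACL_PRESENT and off_dacl:
        _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", buf, off_dacl)
        aces, pos = [], off_dacl + 8
        for _ in range(ace_count):
            ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
            aces.append({"type": ace_type, "mask": mask, "sid": parse_sid(buf, pos + 8)[0]})
            pos += ace_size          # AceSize lets a reader skip ACE types it does not know
        sd["dacl"] = aces
    return sd


def access_check(sd, token_sids, desired):
    """Simplified DACL walk: ACEs are read in order; the first matching deny ACE that
    covers a still-wanted bit loses; the walk stops once every desired bit is granted."""
    if sd["dacl"] is None:       # NULL DACL: the object is unprotected
        return True
    granted = 0
    for ace in sd["dacl"]:       # empty DACL: nothing is ever granted
        if ace["sid"] not in token_sids:
            continue
        remaining = desired & ~granted
        if ace["type"] == ACCESS_DENIED_ACE_TYPE and ace["mask"] & remaining:
            return False
        if ace["type"] == ACCESS_ALLOWED_ACE_TYPE:
            granted |= ace["mask"] & desired
            if granted == desired:
                return True
    return granted == desired


# Constructed sample data (well-known SIDs; file access mask bits)
FILE_READ_DATA, FILE_WRITE_DATA, DELETE = 0x1, 0x2, 0x10000
SYSTEM, ADMINISTRATORS, GUESTS, EVERYONE = "S-1-5-18", "S-1-5-32-544", "S-1-5-32-546", "S-1-1-0"

# Canonical order: explicit deny before explicit allow
SAMPLE_SD = build_sd(ADMINISTRATORS, ADMINISTRATORS, [
    build_ace(ACCESS_DENIED_ACE_TYPE, FILE_WRITE_DATA | DELETE, GUESTS),
    build_ace(ACCESS_ALLOWED_ACE_TYPE, FILE_READ_DATA | FILE_WRITE_DATA, EVERYONE),
    build_ace(ACCESS_ALLOWED_ACE_TYPE, FILE_READ_DATA | FILE_WRITE_DATA | DELETE, SYSTEM),
])
NULL_DACL_SD = build_sd(ADMINISTRATORS, ADMINISTRATORS, None)
EMPTY_DACL_SD = build_sd(ADMINISTRATORS, ADMINISTRATORS, [])

if __name__ == "__main__":
    sd = parse_sd(SAMPLE_SD)
    print(sd)
    print("guest write:", access_check(sd, {GUESTS, EVERYONE}, FILE_WRITE_DATA))
```

Run it and the guest write check comes back False because the deny ACE for Guests is reached before the allow for Everyone. Swap those two ACEs and the same token gets write access: the allow is reached first, grants the bit, and the walk stops before it ever sees the deny. The ACL editor in Figure 4-2 always writes ACEs in canonical order, but code that builds ACLs by hand is free to get this wrong, which is why reviewing programmatically generated DACLs is worthwhile.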



Inside Server-Based Applications
ISBN: 1572318171
Year: 1999