Security

Security on any system is split into Authentication & Authorisation. The former determines whether a person (or a system) has the right to log on as a particular security principal – usually a username. The latter assesses what rights a logged-on session has to access a particular resource. There are links in the References section to general overviews on the Windows security model. A brief summary follows for the purposes of introducing the different sections below.

A user logs on using Credentials and is given a Token which is tied to that Logon Session. Any attempt by processes within that logon session to access secured resources is checked by the Operating System, which compares the token to the required authorisation for that resource. Note: it is the token associated with a process which is checked, not the logged-on user’s security groups or privileges as such.

Resources are secured by means of an Access Control List, consisting of one or more Allow or Deny Access Control Entries, each of which indicates the extent to which a named security principal may or may not access a resource. This list, together with ownership information, is held in a Security Descriptor against the resource. Local or domain groups may be used to simplify access control, but the principle is the same: each group acts as a single security principal, just as a user account would.
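The check described above, sketched as a simplified model in plain Python. This is an added example, not code from this documentation or from the win32security module: the `Ace`, `Token` and `access_check` names, the rights bits and the sample principals are all constructed for illustration. It assumes entries are evaluated in list order and ignores ownership, privileges and inheritance.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

READ, WRITE, DELETE = 0x1, 0x2, 0x4  # constructed access-right bits

@dataclass(frozen=True)
class Ace:
    allow: bool      # True = Allow entry, False = Deny entry
    principal: str   # user or group the entry names
    mask: int        # rights the entry covers

@dataclass(frozen=True)
class Token:
    user: str
    groups: FrozenSet[str]  # membership captured when the logon session was created

def access_check(token: Token, dacl: Optional[List[Ace]], desired: int) -> bool:
    """Return True only if every right in `desired` is granted to the token."""
    if dacl is None:             # no ACL at all: nothing restricts access
        return True
    principals = {token.user} | token.groups
    remaining = desired
    for ace in dacl:             # entries are evaluated in list order
        if ace.principal not in principals:
            continue
        if not ace.allow and ace.mask & remaining:
            return False         # a Deny entry covers a right still being sought
        if ace.allow:
            remaining &= ~ace.mask
        if remaining == 0:
            return True          # everything requested has been allowed
    return False                 # empty ACL, or some right was never allowed

# Constructed sample data: names and rights are hypothetical.
DACL = [
    Ace(False, "Contractors", WRITE | DELETE),
    Ace(True, "Staff", READ | WRITE),
    Ace(True, "alice", DELETE),
]
ALICE = Token("alice", frozenset({"Staff"}))
BOB = Token("bob", frozenset({"Staff", "Contractors"}))
# alice is added to Contractors after logging on: the old token is unchanged,
# and only a token from a fresh logon carries the new group.
ALICE_RELOGON = Token("alice", frozenset({"Staff", "Contractors"}))

if __name__ == "__main__":
    for name, tok in [("alice", ALICE), ("bob", BOB), ("alice, fresh logon", ALICE_RELOGON)]:
        print(name, {r: access_check(tok, DACL, b) for r, b in [("read", READ), ("write", WRITE), ("delete", DELETE)]})
```

Reversing the list lets the Allow entry for Staff satisfy bob's write request before the Deny entry is reached, which is why Deny entries are conventionally placed first.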

In addition to access control entries, an operation may require that the token have one or more Privileges enabled. These privileges are acquired by a user at logon according to their role. Each is either enabled from the start or must be enabled explicitly when required (and, as good practice, disabled again afterwards).

To run a process as a different user, the current process must acquire a token corresponding to that user’s logon. This is usually done by creating a logon session with that user’s credentials and then Impersonating within the current process using the acquired token. The same approach is taken to get hold of a usable token for the current process, for example to check file access.

Sections

Still to come:

  • Tokens
  • Privileges
  • SD / ACLs
  • Ownership
  • Impersonation
  • Securing objects
  • contextlib stuff
  • credentials
  • Groups & Users
  • AD

References

See also

  • Windows Network Management Functions: Documentation on microsoft.com for network management functions
  • win32security module: Documentation for win32security module
  • win32net module: Documentation for win32net module
  • Keith Brown eBook: Very useful online book. Aimed at .NET developers but perfectly relevant for Python, mutatis mutandis.