Security Access Tokens, Rights, and Permissions

In a Windows environment, each local system defines local users and groups during the installation process. You can add more local users and groups at any time using the Computer Management tool.

The Local Users and Groups section of the Computer Management tool allows you to add, remove, and manage local users and groups. This tool is most commonly used to create new users and groups, and to associate users with groups. FIGURE 2-4 shows the Local Users and Groups section of the Computer Management tool.

FIGURE 2-4
Computer Management tool with the Local Users and Groups node open.

Courtesy of Microsoft Corporation.

Security Identifier

Each local user and group in Windows has a unique security identifier (SID). Windows identifies users and groups by SID, not by name: once you create a local user or group, its SID stays the same even if you later rename it. A SID is written as a string of the form S-1-5-21-<three machine- or domain-specific sub-authorities>-<RID>. The leading S-1 marks a revision-1 SID, the 5 is the NT authority that issues account SIDs, the sub-authorities that follow identify the machine or domain that issued the SID, and the final value, the relative identifier (RID), identifies one account within that machine or domain. There are several well-known users and groups that are defined for all Windows machines, but aside from those Microsoft-defined SIDs, every SID is unique to the machine (or domain) that issued it. TABLE 2-5 lists a few of the Windows well-known SIDs.

TABLE 2-5 Well-Known SIDs

WELL-KNOWN SID      STRING VALUE   IDENTIFIES
Null SID            S-1-0-0        A group with no members; often used when a SID is not known
World (Everyone)    S-1-1-0        A group that includes all users
Local               S-1-2-0        A group that includes all users who have logged on locally (at a terminal physically attached to the computer)
Creator Owner ID    S-1-3-0        A placeholder in an inheritable entry; replaced by the SID of the user who creates a new object
Creator Group ID    S-1-3-1        A placeholder in an inheritable entry; replaced by the primary-group SID of the user who creates a new object

© Jones & Bartlett Learning.

If you create a local user named “Fred” on two different Windows computers, each account will have a different SID. To Windows, the users are completely different, even though they share the same username. This uniqueness between machines makes it difficult to synchronize security settings among multiple standalone computers.
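The following PowerShell script is an added example (not from the textbook) that performs the same tasks as the Local Users and Groups node of Computer Management from the command line and then demonstrates the SID behaviour described above: the SID is assigned when the account is created, survives a rename, and is what group membership actually records. It assumes an elevated session on Windows 10 or Windows Server 2016 or later, where the Microsoft.PowerShell.LocalAccounts module ships with the operating system; the account name Fred and group name SidDemo are arbitrary choices for the demonstration.

```powershell
# Added example, not from the textbook. Requires an elevated PowerShell session on
# Windows 10 / Server 2016 or later (Microsoft.PowerShell.LocalAccounts module).
# The names 'Fred', 'Frederick' and 'SidDemo' are arbitrary demo values.
#Requires -RunAsAdministrator

$password = Read-Host -AsSecureString -Prompt 'Password for the demo account'

# Create a local user and a local group, then place the user in the group
# (the same operations the Computer Management GUI performs).
$user  = New-LocalUser  -Name 'Fred'    -Password $password -Description 'SID demo account'
$group = New-LocalGroup -Name 'SidDemo' -Description 'SID demo group'
Add-LocalGroupMember -Group $group -Member $user

# Every principal receives a SID at creation. Machine-issued SIDs share the
# S-1-5-21-<machine-specific sub-authorities> prefix; only the final RID differs.
"User  {0} -> {1}" -f $user.Name,  $user.SID.Value
"Group {0} -> {1}" -f $group.Name, $group.SID.Value

# Renaming changes only the display name; the SID is unchanged.
$sidBefore = $user.SID.Value
Rename-LocalUser -Name 'Fred' -NewName 'Frederick'
$sidAfter = (Get-LocalUser -Name 'Frederick').SID.Value
"SID unchanged after rename: {0}" -f ($sidBefore -eq $sidAfter)

# Everything before the last sub-authority (the RID) identifies this machine.
# A 'Fred' created on another computer would carry a different prefix.
$machinePrefix = $sidAfter -replace '-\d+$', ''
"Machine SID prefix: $machinePrefix"

# Membership is stored by SID, so the renamed account is still in the group.
Get-LocalGroupMember -Group 'SidDemo' | Select-Object Name, SID

# Clean up the demo objects.
Remove-LocalUser  -Name 'Frederick'
Remove-LocalGroup -Name 'SidDemo'
```

If you run the script on two different computers, the two machine prefixes printed will differ even though the account name is the same, which is the situation the paragraph above describes.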

Every time a Windows user logs on, the operating system fetches the user’s SID and the SIDs of all groups to which the user belongs. The operating system also looks up the user rights (privileges) assigned to that user on this computer. All of these SIDs and rights are written into an object called the Security Access Token (SAT); Microsoft documentation usually calls it simply an access token. Windows attaches a copy of the logon session’s SAT to every process you start, and a thread can temporarily carry a different token when it impersonates another user. Because the token is built at logon, a change to group membership or rights does not take effect for a running session until the user logs off and on again. When a process requests a resource, Windows compares the SIDs in its SAT with the access control information defined for that resource and grants or denies the request on that basis.
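The following PowerShell script is an added example (not from the textbook) that reads the access token of the current session through the .NET wrappers around the Win32 token APIs. It lists the user SID and group SIDs the paragraph above describes, shows that membership tests are made against SIDs rather than names, and uses the built-in whoami tool for the rights (privileges) portion of the token, which the .NET WindowsIdentity class does not expose.

```powershell
# Added example, not from the textbook. Runs in any Windows PowerShell session;
# no elevation is required to read your own token.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [System.Security.Principal.WindowsPrincipal]$identity

# The user SID that Windows copied into the token at logon, with its name.
"User SID : {0}  ({1})" -f $identity.User.Value, $identity.Name

# The group SIDs in the token. Names are resolved only for display; the
# kernel's access checks never look at them.
"Group SIDs in token:"
foreach ($sid in $identity.Groups) {
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '<unresolvable>' }
    "  {0,-48} {1}" -f $sid.Value, $name
}

# Membership tests are by SID. Well-known SIDs can be built from the
# WellKnownSidType enumeration or written out as strings (see Table 2-5).
$adminsSid   = [System.Security.Principal.SecurityIdentifier]::new(
                   [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
$everyoneSid = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'

"Token contains Everyone (S-1-1-0)     : {0}" -f $identity.Groups.Contains($everyoneSid)
"Token grants BUILTIN\Administrators    : {0}" -f $principal.IsInRole($adminsSid)

# User rights (privileges) live in the same token; whoami reads them directly.
whoami /priv
```

A useful check when interpreting the output: in a non-elevated session belonging to an administrator, IsInRole for BUILTIN\Administrators returns False even though the account is a member, because User Account Control issues that session a filtered token in which the Administrators SID is marked for deny-only use. Run the script again from an elevated prompt and the result changes to True, which illustrates that it is the token, not the account, that decides access.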

Access Rules, Rights, and Permissions

Defining local users and groups is only the first part of implementing access control. Windows also lets you associate specific rights and permissions with each user or group that tell Windows what that principal may do. User rights define tasks a user is permitted to carry out on the computer as a whole, such as taking ownership of objects or shutting down the computer; they are assigned through the User Rights Assignment section of Local Security Policy and are also called privileges. Permissions define what a user may do to a specific object, such as read or delete the object. Windows stores the access rules, or permissions, for each resource (object) in an access control list (ACL). An ACL is an ordered list of access control entries (ACEs); each ACE names a user or group by SID and either allows or denies a set of permissions. Strictly speaking, the part of the ACL that grants or denies access is the discretionary ACL (DACL); a separate system ACL (SACL) holds auditing settings. The most common use of ACLs for the general user is to protect files and folders: the Security page of a file’s or folder’s Properties dialog box lets you change the object’s permissions for specific users or groups. To decide whether to grant or deny a requested access, Windows compares the SIDs in the SAT attached to the requesting process with the ACEs in the object’s ACL, walking the entries in order until the requested access is fully granted or any part of it is denied. Because Windows keeps ACLs in canonical order, with explicit deny entries ahead of allow entries, a deny applied to a group blocks every member of that group regardless of what other entries allow.
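The following PowerShell script is an added example (not from the textbook) that does from the command line what the Security page of the Properties dialog does: it reads a file's DACL, adds an allow entry and a deny entry for the built-in Users group, and then shows the deny being honoured for a write attempt. It assumes a writable %TEMP% folder; the file name acl-demo.txt is an arbitrary choice for the demonstration.

```powershell
# Added example, not from the textbook. Works for any interactive user who can
# create files in $env:TEMP; the file name is an arbitrary demo value.
$path = Join-Path $env:TEMP 'acl-demo.txt'
Set-Content -Path $path -Value 'sensitive'

# Each ACE pairs a principal (shown by name, stored by SID) with allowed or
# denied permissions. Entries inherited from the folder are flagged IsInherited.
"DACL as created:"
$acl = Get-Acl -Path $path
$acl.Access | Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

# Stop inheriting from the parent folder, keeping copies of the inherited entries
# as explicit ones, so the demo controls this file's DACL on its own.
$acl.SetAccessRuleProtection($true, $true)

# Allow BUILTIN\Users (S-1-5-32-545) to read the file, but explicitly deny writes.
$users = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'
$allow = [System.Security.AccessControl.FileSystemAccessRule]::new($users, 'Read',  'Allow')
$deny  = [System.Security.AccessControl.FileSystemAccessRule]::new($users, 'Write', 'Deny')
$acl.AddAccessRule($allow)
$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl

# Re-read the DACL. The .NET security classes keep it in canonical order, so the
# Deny entry is listed (and evaluated) ahead of every Allow entry.
"DACL after modification:"
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize

# SDDL is the compact text form of the same ACL; note that it is keyed by SID.
"SDDL: " + (Get-Acl -Path $path).Sddl

# Interactive accounts are normally members of Users, so a write now fails even
# for an administrator, because the matching Deny is found before any Allow.
try {
    Add-Content -Path $path -Value 'more' -ErrorAction Stop
    "Write succeeded (this account is not a member of Users)."
} catch {
    "Write denied: " + $_.Exception.Message
}

# Deleting is a separate permission that the demo did not deny, so cleanup works.
Remove-Item -Path $path -Force
```

The Deny entry blocks writes even though the copied inherited entries still grant the owner Full Control, which is the canonical-order behaviour described above. Ownership does not override the deny for writes, but the owner always retains the right to change the DACL, so the script could also have recovered by removing the Deny entry with RemoveAccessRule and calling Set-Acl again.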
