Monday, May 21, 2007

.Net and Windows Security Part 1

This is a three-part series. Here is the breakdown:

  1. Part 1: General Windows security concepts
  2. Part 2: .Net classes for handling Windows security
  3. Part 3: Sample code for adding/deleting a user in the security of a Windows shared folder

Users and Groups

On Windows NT/2000/XP/2003, and now on Vista, every process runs in a security context. Each process carries an access token that identifies the user it runs as (the principal), together with the groups that user belongs to and the privileges it holds. Whenever the process accesses a securable object (a file, directory, registry key, event, mutex and so on), the SIDs in its token are checked against the object's access rules. For now you can think of those access rules as a table listing which user or group has which rights on the object. I say user or group because Windows has the notion of a group: every user belongs to one or more groups, rights granted to a group apply to every member, and a user's effective rights are the union of everything granted to the SIDs in its token.

Session Logon

A new logon session is created when a user logs on to the system, and the credentials of that session are represented by an access token. Whenever the user launches a process (or a process launches a child), the new process inherits a copy of its parent's token and therefore runs in the same security context, unless the parent explicitly supplies a different token (for example with CreateProcessAsUser or "Run as"). Windows also creates a few logon sessions of its own at startup, before anyone logs on: the SYSTEM (LocalSystem) session and, since Windows XP, the LOCAL SERVICE and NETWORK SERVICE sessions that services run under.

Windows Security Identifier (SID)

Windows internally identifies each user and group by its SID. A SID is a unique, variable-length number; in string form it looks a bit like a GUID, but it is not one. The string form follows a fixed pattern, S-R-I-S-S-..., where R is the revision (always 1), I is the identifier authority (5, NT Authority, for almost everything you will meet) and the S values are sub-authorities; the same notation is used inside Security Descriptor Definition Language (SDDL) strings. For example, the SID S-1-5-21-790525478-1425521274-725345543-500 is the Administrator account on my laptop: the prefix S-1-5-21-790525478-1425521274-725345543 identifies the machine (or domain) that issued it, and the final sub-authority, the relative identifier (RID), identifies the account within it. A RID of 500 always denotes the built-in Administrator account (501 is Guest); note that this is the account, not the Administrators group, which has the fixed SID S-1-5-32-544. Windows defines a set of such fixed SIDs, the Well-Known SIDs, that are identical on every machine. Some important ones:

  • Anonymous Logon (S-1-5-7): a user who has connected to the computer without supplying a user name and password.
  • Authenticated Users (S-1-5-11): all users and computers whose identities have been authenticated. Authenticated Users does not include Guest, even if the Guest account has a password.
  • Everyone (S-1-1-0): on Windows XP Professional and later, Everyone includes Authenticated Users and Guest but not Anonymous Logon (unless the policy "Network access: Let Everyone permissions apply to anonymous users" is enabled). On earlier versions of the operating system, Everyone includes Authenticated Users and Guest plus Anonymous Logon.
  • Terminal Server Users (S-1-5-13): all users who have logged on to a Terminal Services server that is running in Terminal Services version 4.0 application compatibility mode.

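As an added example (not code from the original post), here is a small Python module that implements the SID encoding described above: it converts between the S-R-I-S-... string form and the binary layout Windows stores in tokens, the registry and NTFS, splits off the RID, and names the well-known SIDs from the list. The well-known SIDs and RIDs are the documented Windows constants; the functions themselves are illustrative code written for this post, not a Win32 or .Net API.

```python
import struct

# Well-known SIDs from the list above plus a few a developer meets constantly
# (values are the documented Windows constants).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "Anonymous Logon",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-13": "Terminal Server Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# RIDs with a fixed meaning inside any account domain (S-1-5-21-...).
DOMAIN_RIDS = {500: "Administrator (built-in account)", 501: "Guest",
               512: "Domain Admins", 513: "Domain Users"}


def parse_sid(text):
    """'S-R-IA-s1-...-sN' -> (revision, identifier_authority, [subauthorities])."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision = int(parts[1])
    authority = int(parts[2], 0)          # Windows prints a >32-bit authority as 0x-hex
    subs = [int(p) for p in parts[3:]]
    if (revision != 1 or len(subs) > 15 or not 0 <= authority < 1 << 48
            or any(not 0 <= s < 1 << 32 for s in subs)):
        raise ValueError("malformed SID: %r" % text)
    return revision, authority, subs


def sid_to_bytes(text):
    """Binary layout used in tokens, the registry and NTFS: Revision (1 byte),
    SubAuthorityCount (1), IdentifierAuthority (6, big-endian), then each
    SubAuthority as a little-endian DWORD."""
    revision, authority, subs = parse_sid(text)
    out = struct.pack(">BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(data):
    """Inverse of sid_to_bytes; rejects truncated or padded buffers."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if revision != 1 or count > 15 or len(data) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    ia = str(authority) if authority < 1 << 32 else "0x%012X" % authority
    return "-".join(["S", str(revision), ia] + [str(s) for s in subs])


def split_rid(text):
    """(domain_sid, rid): everything but the last sub-authority identifies the
    issuing machine or domain; the last one is the relative identifier."""
    revision, authority, subs = parse_sid(text)
    if not subs:
        raise ValueError("SID has no RID: %r" % text)
    domain = "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs[:-1]])
    return domain, subs[-1]


def describe(text):
    """Name a SID: well-known table first, then the fixed RIDs of an account domain."""
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    _, _, subs = parse_sid(text)
    if len(subs) == 5 and subs[0] == 21 and subs[-1] in DOMAIN_RIDS:
        domain, rid = split_rid(text)
        return "%s in domain %s" % (DOMAIN_RIDS[rid], domain)
    return "unknown SID"


if __name__ == "__main__":
    laptop_admin = "S-1-5-21-790525478-1425521274-725345543-500"   # the SID quoted above
    print(sid_to_bytes(laptop_admin).hex())
    print(split_rid(laptop_admin), describe(laptop_admin))
```

The length check in bytes_to_sid matters when you pull SIDs out of raw structures: a truncated SID read from a registry blob or a token should be reported as an error, not silently accepted, and a revision other than 1 or more than 15 sub-authorities is exactly what the Win32 IsValidSid call rejects as well.
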
Windows Security Descriptor

The Windows security descriptor is the core of Windows security (at least from the developer's point of view): every securable object gets one the moment it is created. On MSDN you can find several documents explaining the Win32 SECURITY_DESCRIPTOR structure in detail. Its parts are:

  • Owner SID: the owner can always read and change the object's DACL, whatever the DACL itself says.
  • Primary group SID: optional, kept for POSIX subsystem compatibility and ignored by ordinary Win32 access checks.
  • Control flags: among other things, whether a DACL and a SACL are present, whether the descriptor is in self-relative or absolute form, and whether inheritance of ACEs from the parent object is blocked.
  • DACL (discretionary access control list): who may do what.
  • SACL (system access control list): which accesses are audited.

One caveat that trips up developers: a descriptor with no DACL at all (a null DACL) grants everyone full access, while an empty DACL grants access to nobody apart from the owner's implicit rights.

DACL

The DACL is an ordered list of access control entries (ACEs). Each ACE names a SID (a user or group), an access mask (the rights concerned) and a type: Allow or Deny. A simple example shows why Deny exists. Suppose you give a user an Allow ACE for read access only on a directory. That alone does not stop the user from creating files in it, or even deleting it, if some other ACE also matches the user's token and allows write and delete, typically an inherited ACE for a group such as Users or Everyone that the user belongs to: rights from all matching Allow ACEs add up. To make the directory genuinely read-only for that user you must add an explicit Deny ACE for the write and delete rights. The order of the ACEs matters because Windows walks the DACL from the first entry, skipping ACEs whose SID is not in the token, and stops as soon as every requested right has been granted by Allow ACEs or any requested right is hit by a Deny ACE. It therefore does not necessarily evaluate all ACEs, and a Deny ACE placed after an Allow ACE that already covers the same rights is never reached. The canonical order, which the Explorer security dialog and the .Net access-control classes maintain for you, is: explicit Deny, explicit Allow, inherited Deny, inherited Allow. Code that writes ACEs directly through Win32 must keep that order itself.
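
As an added example, not code from the original post, the following Python models the DACL walk just described together with the null-versus-empty DACL caveat from the security descriptor section. It does not call Win32 or .Net; it re-implements the evaluation rule in plain Python so the effect of ACE order can be seen on any machine. The access-mask bits, the two account SIDs and the folder's ACEs are constructed for the example; only BUILTIN\Users (S-1-5-32-545) and Everyone (S-1-1-0) are real well-known SIDs.

```python
from collections import namedtuple

# Illustrative access-mask bits for the model; the real Win32 constants are different.
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
ALL = READ | WRITE | EXECUTE | DELETE

# One ACE: type is "allow" or "deny"; inherited marks an ACE propagated from the parent.
Ace = namedtuple("Ace", "type sid mask inherited", defaults=(False,))

# Constructed account SIDs for the example; only USERS and EVERYONE are real well-known SIDs.
ALICE = "S-1-5-21-1-2-3-1001"
BOB = "S-1-5-21-1-2-3-1002"
USERS = "S-1-5-32-545"      # BUILTIN\Users
EVERYONE = "S-1-1-0"


def token(user, *groups):
    """The SIDs an access token carries: the user plus every group it is a member of."""
    return frozenset((user,) + groups)


def access_check(dacl, token_sids, desired):
    """Model of how Windows walks a DACL for a requested access mask.

    dacl is None  -> null DACL: everything is granted to everyone.
    dacl == []    -> empty DACL: nothing is granted (owner's implicit rights aside).
    Otherwise ACEs are visited in stored order; an ACE whose SID is not in the
    token is skipped; a deny ACE covering any still-wanted right denies at once;
    an allow ACE removes its rights from the wanted set; the walk stops as soon as
    nothing is left wanted. Reaching the end with rights still wanted is a denial.
    """
    if dacl is None:
        return True
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.type == "deny" and ace.mask & remaining:
            return False
        if ace.type == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


def ace_rank(ace):
    """Canonical order: explicit deny (0), explicit allow (1), inherited deny (2), inherited allow (3)."""
    return (2 if ace.inherited else 0) + (1 if ace.type == "allow" else 0)


def is_canonical(dacl):
    """True when no ACE appears before one that should precede it."""
    return dacl is None or all(ace_rank(a) <= ace_rank(b) for a, b in zip(dacl, dacl[1:]))


def demo():
    alice = token(ALICE, USERS, EVERYONE)
    bob = token(BOB, USERS, EVERYONE)
    # The folder grants BUILTIN\Users full control through an inherited ACE, and Alice has
    # been given an explicit read-only allow. That does not stop her writing: the Users ACE
    # matches her token too, and allowed rights accumulate.
    read_only_attempt = [Ace("allow", ALICE, READ),
                         Ace("allow", USERS, ALL, inherited=True)]
    # The correct fix: an explicit deny for the rights she must not have, placed first.
    read_only_fixed = [Ace("deny", ALICE, WRITE | DELETE)] + read_only_attempt
    # The same ACEs in non-canonical order: the allow is reached first, the deny never is.
    non_canonical = read_only_attempt + [Ace("deny", ALICE, WRITE | DELETE)]
    return {
        "null_dacl_grants_all": access_check(None, alice, ALL),
        "empty_dacl_denies_all": access_check([], alice, READ),
        "attempt_alice_write": access_check(read_only_attempt, alice, WRITE),
        "fixed_alice_read": access_check(read_only_fixed, alice, READ),
        "fixed_alice_write": access_check(read_only_fixed, alice, WRITE),
        "fixed_bob_write": access_check(read_only_fixed, bob, WRITE),
        "noncanonical_alice_write": access_check(non_canonical, alice, WRITE),
        "fixed_is_canonical": is_canonical(read_only_fixed),
        "noncanonical_is_canonical": is_canonical(non_canonical),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-28s %s" % (name, result))
```

A real access check also grants the owner READ_CONTROL and WRITE_DAC regardless of the DACL, and handles MAXIMUM_ALLOWED and privileges such as SeBackupPrivilege, none of which the model covers. is_canonical applies the same ordering rule the .Net System.Security.AccessControl classes enforce when they add ACEs, so a false result on a DACL read back from a real object is the sign of ACEs written by raw Win32 calls that need reordering.
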

SACL

The SACL is another list of ACEs, but of the system-audit kind: each one says which accesses (successful, failed or both) by which SID should generate an event in the Security event log, for example whether every successful write to a file is logged. In normal scenarios a developer does not need to touch this list. Reading or writing a SACL requires SeSecurityPrivilege ("Manage auditing and security log"), which is why requesting SACL information without first enabling that privilege fails with access denied even for administrators; on Vista the SACL additionally carries the object's mandatory integrity label.

