NT Security

The protection mechanism has been around since Windows NT and thus it is called NT security.  It uses a lock and key concept.  The lock is a kind of access control and the keys are rights.  There are mulitple level of permission associated with most resources to provide fine grain control.

A user has personal rights that are assigned by administrator.  A user can belong to group which all share the same rights.  The user's access is limited to the combination of group and individual rights that the administrator assigned.

Rights can be assigned by administrator.  Likewise, developer can write code that sets Windows securotu for particular objects, calls and portions of an application.  Changes by the administraor or developer affect the rights required to perform sepecific tasks using resources such as a file.  the right to write to a file is separate from the right to read from the file.

User level access depends on Security Identifier (SID).  When a user logs in, Windows assigns an access token and place the user's SID (stored in DC) in it.  The access token contains DACL (Discretionary Access Control List) and SACL (System Access Control List).  The combination of SID and ACL in the access token allows the user access to certain resources.  As the access token is session based, user need to logoff and re-login to gain addition rights assigned by administrator during the session.

The lock is called securty descriptor on resources.  The security descriptor tells what rights the user needs to access the resource.  If the ACL meets or exceeds the rights in the security decsriptor, the lock opens.