|
Security Model
All named objects in Windows NT, and some unnamed objects, can be secured. The
security attributes of each securable object in Windows are described by a security descriptor, which contains information about the owner of the object, and by an access-control list (ACL) identifying the users and groups allowed or denied access to the
object. An ACL contains an entry for each user, global group, or local group (alias)
being allowed or denied access to the object. Each of these entries is an access-control entry (ACE).
At logon, a user is assigned an access token containing identifiers that represent the user and any groups to which the
user belongs. Every process run on behalf of this user will have a copy of this
particular access token. When a process attempts to use an object, the system
compares the security attributes listed in the access token with the ACEs in the
object's ACL. The system compares the access token with each ACE until access
is either granted or denied or until there are no more ACEs to check.
Conceivably, several ACEs could apply to a token. And, if this occurs, the access rights granted by each ACE accumulate. For example, if one ACE grants read access to
a group in an access token and another ACE grants write access to the user,
who is also a member of the group, the user will have both read and write access
to the object when the access check is complete.
The following illustration shows the relationship between these blocks of
security information:
Typically, the application protecting an object is a server in that it defines
the users and groups with access to the object. The application interacts with
clients when they attempt to gain access to the object. Users and groups are
identified by security identifiers (SIDs). An SID is a structure of variable length that uniquely identifies a user or
group. SIDs are stored in a security database that an application can query by
calling Win32 functions. With one exception, an SID is used to identify a user
or group is never reassigned to another user or group. For a given account, the
only SID that will not be the same from logon to logon is the logon-identifier
SID. In the model represented by the preceding illustration, SIDs would be
used to identify the following:
- The owner and group in the security descriptor
- The recipient of the access being granted by each ACE
- The user and groups in the access token
Security descriptors, SIDs, and ACLs are treated by applications as opaque
structures and are intended to be manipulated only by using Win32 functions. This
helps ensure that these structures remain syntactically accurate and prevents
future enhancements to the security system from breaking existing code.
Pointers to doubleword values or structures must be aligned on doubleword
boundaries. However, the exception is strings, for which alignment is not critical.
All Win32 memory-allocation functions return handles of doubleword-aligned
memory objects.
| Last news from Greatis Software |
 |
|
Nostalgia .Net |
|
.Net is powerful, but not all-powerful, so sometimes we need to use Win32 API for our .Net applications. It's simple enough with Platform Invoke if you have Win32 skill, but we do not always have time to dig the ancient documentation, declare the special types that are compatible with Win32, find the values of the Win32's constants and so on. Nostalgia .Net offers several simple-to-use classes, and components that will allow you to forget about the headache of Win32 and just use the power of Win32 in your application the same way as you use the native. Net classes. More » |
| Recommended software for developers |
 |
|
Ultimate Pack |
|
Component pack for Delphi and C++ Builder that contains runtime form designer, runtime object inspector, print suite and much more for the very special price. More » |
 |
|
Form Designer .Net |
|
Unique runtime form design solution that allows to edit any form in .Net WinForms application at runtime with full source codes for only 300 euro! More » |
 |
|
Print Suite .Net |
|
Print Suite .Net is a set of components for easy printing texts, images and grids from your WinForms applications. Full C# source codes are available More » |
 |
|
Gradient Controls .Net |
|
Gradient Controls .Net offers controls with gradient background feature. Labels, panels and so on... Full C# source codes are available More » |
 |
|
Greatis iGrid |
|
iGrid plots drawing grid right over your desktop, so you can use it everywhere, with any drawing application without any special plugins for different graphic editors. More » |
All the contacts and projectsDmitry Vasiliev (just.dmitry)
Related LinksSoftware for Visual Studio .NET developers
Software for Delphi and C++ Builder developers
Software for Visual Basic 6 developers
Delphi Tips&Tricks
MegaDetailed.NET More Online Helps Win32 Programmer's Reference
Win32 Multimedia Programmer's Reference
OLE Programmer's Reference
Microsoft Windows Pen API Programmer's Reference
Microsoft Windows Sockets 2 Reference
Microsoft Windows Telephony API (TAPI) Programmer's Reference
Unix Manual Pages
|
