ACM (Access Control Model), Security Descriptors, Access Tokens

Source: Internet
Author: User
Reposted, with modifications, from http://blog.csdn.net/xujiezhige/article/details/6334896; see the original address.

To put it simply: the user obtains an access token when logging on to the system. When the user then wants to open a securable object (a process, etc.), the system walks the SIDs in the object's ACL (each SID entry states what that SID may do with the object) and determines whether the token meets the requirements. If it does, the object is opened and the token is passed to it, so that it in turn can open other securable objects. (This is my understanding; I have not looked into it any further.)

The access control model (ACM) has two parts: access tokens and security descriptors.

An access token is the information a process carries when it accesses data; it states the process's identity and privileges.

A security descriptor is the security information attached to the securable object being accessed: which users' access requests may be allowed, and which users or groups are to be refused.


  • Security Identifiers (SID)

I often hear about SIDs. What is a SID? According to MSDN, a SID is a variable-length value that uniquely identifies a trustee. A trustee is a user, a group, or a logon session, so we can basically regard a SID as a user name, group name, or session name that has been vetted by the security system and is never reused; in other words, it is secure and reliable. If we mention Michael's SID, we can read it as "Michael (the real one)".



  • Security descriptors (Security Descriptor)

MSDN says the security descriptor contains the security information that describes a securable object. That sentence is correct, but it says little. Let's look at what a security descriptor actually describes.

Security descriptors include:

1. The SID of the owner of the securable object the descriptor is attached to, and the SID of the owner's primary group

2. A DACL (discretionary access control list)

3. A SACL (system access control list)

4. A set of control bits that qualify the meaning of the security descriptor

The first item needs no further comment. The second and third are explained in detail under ACL below; the DACL and SACL are the two kinds of ACL. The fourth item is not covered here.

  • ACL (Access Control List)

There are two kinds of ACL, but both have the same basic format: a list whose entries are called access control entries (ACEs). The two lists are:

1. DACL (Discretionary Access Control List)

As its name says, a DACL is a discretionary access control list, one set at the discretion of whoever controls the object. What does that mean? Let's look at what is in a DACL; the picture makes it clear.

[Figure: DACL example image, not reproduced here.]

I believe most of this image is self-explanatory. A DACL is a list, and each entry (ACE) is an access control instruction for one SID: it says whether that SID is denied or allowed, and if allowed, which permissions it is granted. The figure is vivid, but a real ACE is not a string. So what does an ACE look like?

An ACE actually consists of four parts; the picture above simplifies it.

The four parts are:

1. The SID of the trustee this ACE applies to (Andrew in the picture)

2. The access mask listing that trustee's permissions (read, write, execute)

3. The ACE type. There are three: access-denied ACE, access-allowed ACE, and system-audit ACE. The first two belong in a DACL, the last in a SACL.

4. Whether this ACE can be inherited by other securable objects.

 

How does a DACL work?

As shown in the figure below, a thread accesses a securable object (a securable object is a kernel object that has a security descriptor; see MSDN for details). The thread presents its own token: the user SID and group SIDs in the access token, together with the requested permissions, are compared with the corresponding fields of each ACE in the DACL, in order, until an ACE is found that explicitly allows the operation the thread requested, or one that explicitly denies it, or the end of the list is reached without either, in which case the default is deny. The list is compared sequentially from start to end, so if the order of the entries changes, the result of the same access request may change.

For example, if ACE3 and ACE1 swap places, thread A's request becomes allowed. Order therefore matters a great deal, and a programmer building a DACL for a security descriptor must be careful when adding ACEs through the API. Note that the API functions always append a new ACE at the end of the list.

 

ACE inheritance I have not studied fully; it is parked for now!

 

2. SACL (system access control list)

 

What is a SACL? It is essentially the audit list. It lists the kinds of access requests the system must record. When a user accesses a securable object and the requested permission matches an ACE in the SACL, the system logs whether the user's request was denied or allowed. MSDN also mentions that in the future securable objects may raise alarms on unauthorized access attempts.
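The DACL walk and the SACL audit match described above, as an added example that is not from the original post or from Windows itself: it uses its own small stand-in types, constructed placeholder SID strings ("S-Andrew", "S-Staff"), and ignores owner rights, privileges and inheritance. It also reproduces the ordering point: the same two ACEs give a different answer depending on which comes first.

```c
/* Added example, not Win32 code: small stand-in types model ACE, ACL and token. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
enum { ACE_ALLOW, ACE_DENY, ACE_AUDIT };                  /* the three ACE types */
enum { RIGHT_READ = 1, RIGHT_WRITE = 2, RIGHT_EXEC = 4 }; /* access mask bits */
typedef struct { int type; const char *sid; uint32_t mask; } Ace;
typedef struct { const Ace *aces; size_t count; } Acl;
typedef struct { const char **sids; size_t count; } Token; /* user + group SIDs */

static bool token_has_sid(const Token *t, const char *sid) {
    for (size_t i = 0; i < t->count; i++) if (strcmp(t->sids[i], sid) == 0) return true;
    return false;
}

/* Walk the DACL front to back: a matching deny ACE covering a still-wanted right
 * denies; allow ACEs clear the rights they grant; rights left at the end = deny. */
bool dacl_check(const Acl *dacl, const Token *tok, uint32_t wanted) {
    uint32_t remaining = wanted;
    for (size_t i = 0; i < dacl->count && remaining; i++) {
        const Ace *a = &dacl->aces[i];
        if (!token_has_sid(tok, a->sid)) continue;
        if (a->type == ACE_DENY && (a->mask & remaining)) return false;
        if (a->type == ACE_ALLOW) remaining &= ~a->mask;
    }
    return remaining == 0;
}

/* SACL: a matching audit ACE means the system should log this request's outcome. */
bool sacl_should_audit(const Acl *sacl, const Token *tok, uint32_t wanted) {
    for (size_t i = 0; i < sacl->count; i++)
        if (sacl->aces[i].type == ACE_AUDIT && token_has_sid(tok, sacl->aces[i].sid)
            && (sacl->aces[i].mask & wanted)) return true;
    return false;
}
/* Constructed scenario (placeholder SID strings): Andrew is in group Staff. */
static const char *andrew_sids[] = { "S-Andrew", "S-Staff" };
static const Token andrew = { andrew_sids, 2 };
static const Ace allow_andrew = { ACE_ALLOW, "S-Andrew", RIGHT_READ | RIGHT_WRITE };
static const Ace deny_staff   = { ACE_DENY,  "S-Staff",  RIGHT_WRITE };
static const Ace audit_staff  = { ACE_AUDIT, "S-Staff",  RIGHT_WRITE };
static const Acl staff_sacl   = { &audit_staff, 1 };

/* The same two ACEs in either order: deny-first blocks a write, allow-first grants it. */
bool check_order(bool deny_first, uint32_t wanted) {
    Ace aces[2] = { deny_first ? deny_staff : allow_andrew,
                    deny_first ? allow_andrew : deny_staff };
    Acl dacl = { aces, 2 };
    return dacl_check(&dacl, &andrew, wanted);
}
```

A request for a right no ACE grants (for example execute) falls through to the default deny, and the audit match is independent of the DACL decision.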

  • Access tokens

The access token can be understood as described below, but first let's introduce the complete concept.

The access token contains 12 items:

  1. The SID of the current user (described later).
  2. The SIDs of the groups the current user belongs to.
  3. The SID of the logon session.
  4. A list of all the user's privileges (the user's own and those of the user's groups).
  5. The SID of the token's owner.
  6. The SID of the user's primary group.
  7. The default DACL (introduced later).
  8. The source of the access token.
  9. Whether the token is a primary token or an impersonation token.
  10. An optional list of SIDs that this token restricts.
  11. The current impersonation level.
  12. Other data.

Seeing this many fields should give you an idea of how much the security machinery costs.

An access token describes the security context of a process or thread. This information identifies the user associated with the process or thread and that user's privileges. When a user logs on, the system compares the supplied password with the one stored in the system database; if verification succeeds, the system generates an access token for the user. From then on, every process the user starts inherits this token and uses it to access securable objects. (On Windows Vista, the token an administrator receives at logon differs from the token of the processes the administrator starts: the process token is filtered, meaning its permissions are reduced, and a process that needs the administrator's full token (elevated permission) must request it, whereupon the system shows a dialog asking whether the program may be started that way.)

 

Each process has at least one access token, its primary token. Why "primary"? Because a process may impersonate another user and obtain that user's token, an impersonation token. When the system checks a process's access to securable objects, it uses the primary token. Beyond that, the details are unknown to me for now.

 

This is basically a preliminary understanding of Windows ACM.

