Learning Guide: Access control

Understand how access control works and get various tips for preventing unauthorized access in this Learning Guide.


Robyn Lorusso, Editor This guide organizes tips and expert advice that will help address your access control issues and concerns. It will take you through access control tools and techniques, and various how-tos for enabling certain permissions and preventing unauthorized access to Windows systems. All of the information in this learning guide applies to Windows 2000, Windows Server 2003 and Windows XP. If any of your questions aren't answered below, ask Hardening Windows expert Roberta Bragg for help, or post your questions in ITKnowledge Exchange.

   Access control overview: How it works
   Access control tools and techniques
   Access control how-tos
   Submit your access control questions




  Access control overview: How it works  Return to Table of Contents

Access control acts as the physical controls that prevent unauthorized access to your Windows systems. After a user is authenticated, Windows uses the authorization and access control technologies to determine if that user should be allowed to access a resource.

In both Windows 2000 and Windows Server 2003, Microsoft defines access control technologies with five overriding principals: User-based authorization, discretionary access control, inheritance of permissions, administrative privileges and auditing of system events.

This access control model ensures authorized use of Windows objects by security principals, which include users and groups that perform actions. Therefore, access control ultimately works to answer the question, "Can [security principal] perform [specified action] on [specified object]?"

In addition to security principals, access control components include security identifiers (SIDs), access tokens, permissions, user rights, security descriptors and access control lists (ACLs).

To start better understanding access control, check out this sampling of book excerpts from The definitive guide to securing Windows 2000 Server, Chapter 5, 'Configuring access control.'


  • Access control model
  • How access control works
  • Security identifiers (SIDs)
  • Well-known SIDs
  • Access rights
  • NTFS permissions
  • AD permissions
  • user rights
  • Access control lists (ACLs)
  • Access control entries (ACEs)
  • Access control best practices
  • More access control book excerpts




  Access control tools and techniques  Return to Table of Contents


  • Tip: Permissions basics for Windows 2000
  • Tip: NTFS default permissions for Windows 2000
  • Expert response: The function of a SID
  • Expert response: Security risks associated with granting permissions in Windows XP
  • Expert response: Domains vs. workgroups for handling sensitive data and file sharing
  • Featured Topic: Troubleshooting access denied error messages
  • Featured Topic: Lock down remote administration




  Access control how-tos  Return to Table of Contents


  • Checklist: How to set account options to limit systems access
  • Tip: How to control network access in five steps
  • Tip: How to implement permissions in Windows 2000/NT
  • Book excerpt: How to lock down remote administration
  • Expert response: How to set NTFS and share permissions on a file server
  • Expert response: How to resolve this conflicting permissions scenario
  • Expert response: How to allow users to modify, but not delete files in various Windows systems
  • Expert response: How to deny access when connecting to a share on a Windows 2003 Server
  • Expert response: How to detect when non-domain laptops are plugged in to Windows Server 2003
  • Expert response: How to solve "cannot copy/access denied" error in Windows XP
  • Expert response: How to hide or deny access to certain shared folders on Windows 2000
  • Expert response: How to set up dual administrative controls for tighter security in Windows 2000
  • Expert response: How to remove specific permissions from an account operator in Windows 2000
  • Expert response: How to check which permissions are assigned to a user or group in Windows 2000
  • Expert response: How to set NTFS permissions on Windows 2000 Terminal Services
  • Expert response: How to prevent certain administrators from editing group policies
  • Expert response: How to use Active Directory to restrict non-admin users from managing computers




  Submit your access control questions  Return to Table of Contents

If you didn't see your access control questions addressed above, ask site expert Roberta Bragg for help. We'll add your question and Roberta's response to this learning guide. Or, ask your peers for help in the ITKnowledge Exchange.



Read more on IT risk management