The Windows 2000 access control model

This excerpt from "The definitive guide to Windows 2000 security" describes the difference between a privilege and permission, and how and why they're used.

Get a glimpse inside Paul Cooke's e-book "The definitive guide to Windows 2000 security" with this series of book excerpts, courtesy of This excerpt is from Chapter 5, "Configuring access control."

Before delving in, I want to point out that Windows 2000's access control model isn't a whole lot different than the model implemented in Windows NT 4.0. As a result, you might already have a basic comprehension of how to do things such as assign user privileges and set permissions. But do you really know what the difference is between a privilege and permission, how the operating system (OS) uses them, or even why they're necessary?

If you answered no to any of these questions, read on; by the time you've finished this chapter, you should know the answer to these and many other questions. In addition, you'll have a thorough understanding of how Windows 2000 uses both authorization and access control. Even if you answered yes to all three questions, I encourage you to read on because I'll provide the answers to many more questions about the Windows 2000 access control model.

The five principles of access control

To understand how Windows 2000 performs access control, you'll benefit from looking at the five overriding principles that Microsoft used to design the access control mechanisms in Windows 2000. Combined, these principles provide an overview of the basic characteristics of Windows 2000's access control model. Figure 5.1 illustrates the following principles:

  • User-based authorizations
  • Discretionary access control
  • Inheritance of permissions
  • Administrative privileges
  • Auditing of system events

Figure 5.1: The access control model of Windows 2000.

In this chapter, I'll delve well past these principles into many of the constructs that implement this access control model. No matter how complicated some of the details may seem, the basic model of access control is predicated on these five simple concepts, which you can always go back to.

User-based authorizations
The access control model in Windows 2000 begins with user-based authorizations. Thus, applications that run on your behalf run with the same set of permissions, authorizations and privileges that you've been granted. As a result, these applications can do only what you're allowed to do. Think for a second about what happens when you run an application such as the Windows Explorer shell. You can access only those files on the system that you're authorized to access, and other users can access only the files on the system that they're authorized to access. What an application can access is controlled by the permissions of the user who is running the application, not by the application itself. This setup is advantageous because we know that the OS is in control of enforcing authorizations rather than each and every application developer out there!

Discretionary access control
The next aspect of the Windows 2000 access control model is the use of discretionary access control (DAC). DAC lets users control the permissions on objects that they own. This concept should be pretty familiar to anyone who has ever changed the permissions on a file that he or she wanted to share with someone else. With DAC, you control who has access to the folders, files and other objects that you own.

Inheritance of permissions
Maybe the most powerful of Windows 2000's access control model principles is inheritance of permissions. When you create a new object, you can control the permissions on it by setting inheritable permissions on the container object that holds it. While the previous sentence sounds a little vague, think about what naturally happens when you create a new file in your My Documents folder: The new file takes on the permissions of the folder, and anyone who can access your My Documents folder can also access the new file. This access is possible because, by default, new objects inherit the permissions of their parents. (I'll talk more about how inheritance is propagated; see "ACE Inheritance.")

Administrative privileges
Another aspect of the Windows 2000 access control model is the concept of administrative privileges. Windows 2000 allows control over which users and/or groups have the right to perform a number of administrative functions or take actions that affect all of a system's resources. Using administrative privileges, you can give one group of users the ability to back up a system and give another group the ability to restore folders and files. If you think this process sounds a lot like user rights assignment, you're correct; Windows 2000 implements administrative privileges as user rights. (I'll cover this aspect of access control in "User Rights Assignments" later in this chapter.)
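The DAC, inheritance and administrative-privilege principles above, shown on a live system as an added example (this is not code from the book). It assumes a current Windows host with PowerShell 5 or later, a writable $env:TEMP, and that the current user owns the folder it creates; the folder and file names are illustrative.

```powershell
# Added example (not from the book). Assumes a writable $env:TEMP and that the
# current user owns the folder it creates; account and path names are illustrative.
$root = Join-Path $env:TEMP 'acl-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null

# Discretionary access control: the owner edits the folder's DACL, adding an
# ACE that grants the current user Modify and is marked inheritable by both
# subfolders (ContainerInherit) and files (ObjectInherit).
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $me,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -Path $root
$acl.AddAccessRule($rule)
Set-Acl -Path $root -AclObject $acl

# Inheritance of permissions: a new file receives the folder's inheritable ACEs
# with no explicit assignment. IsInherited = True marks the propagated entries.
$file = Join-Path $root 'new.txt'
Set-Content -Path $file -Value 'constructed sample content'
(Get-Acl -Path $file).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Defender's check: list only explicit (non-inherited) ACEs under the tree, which
# is where deviations from the container's intended policy show up.
Get-ChildItem -Path $root -Recurse | ForEach-Object {
    $p = $_.FullName
    (Get-Acl -Path $p).Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { "{0}: {1} {2} {3}" -f $p, $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights }
}

# Administrative privileges are user rights carried in the process token. The
# backup/restore split mentioned above appears here as SeBackupPrivilege and
# SeRestorePrivilege when the account has been granted those rights.
whoami /priv
```

The first listing shows the Modify ACE on new.txt with IsInherited set, even though no one touched the file's permissions; the explicit-ACE sweep should print nothing for the file.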

Auditing of system events
Auditing of system events is the final aspect of Windows 2000's access control model. It allows you to monitor for attempts to circumvent authorizations on resources in your environment and to perform actions such as creating an audit trail of actions taken by administrators. Microsoft considers the auditing of system events part of the access control model, and I agree. However, it's really a topic unto itself. So although I'll touch on auditing in this chapter when necessary, I'll save the bulk of the discussion until Chapter 6, which I'll devote entirely to auditing.
