Windows Server 2003 - Security
Home | Editions | Security | Active Directory | Resources | Contents
Get the Book
Major Topics

Other Topics
Active Directory
More Detail

Memory from

2004 Team Approach Limited
All rights reserved


Authentication is the process of identifying a user. This is normally done with a user name and password combination, but it can also be done with a certificate on a smart card and a PIN. Windows security demands a mandatory logon.

If the authentication is successful, a SAT Security Access Token is issued.  The SAT contains SIDs Security IDentifiers for the user and for all groups where the user is a member. SIDs are unique numbers used to identify security principals (eg. users and groups).  A copy of the SAT is attached to every process launched by the user.


  SAT Security Access Token containing user & group SIDs


Once a user is authenticated, the user may wish to access a resource. To obtain access to the resource the user must be authorized to use the resource. In Windows, each resource is protected by a DACL Discretionary Access Control List which defines who has what kind of access to the resource. Windows security is designed as a discretionary access control system. All resources are owned and it is the discretion of the owner as to who else has access to the resource. Owners are accountable for the access to their resource. It is not possible to restrict the owner in this responsibility.

When a resource is accessed by a process, the Windows Security Reference Monitor allows access only if the security principals defined in the SAT are allowed access as defined in the DACL.

The DACL for a folder is accessed by selecting the Security tab in the properties dialog as shown below.



Setting the access permissions in a DACL is the discretion of the owner of the object. The owner can specify that others can change permissions or take ownership. Administrators can take ownership of a resource and then control the DACL. The right to take ownership can be assigned with the Computer Security Policy.

Ownership can be changed with the Advanced Security Settings dialog below.


All security related events can be audited. Examples of events are reading or writing a files, or changing a users password.