CHAPTER 15 SECURING WINDOWS OBJECTS
files, it is also possible to use the Windows Explorer to examine and manage some
security attributes of NTFS objects.
Nearly any object created with a
system call has a security attributes
parameter. Therefore, programs can secure files, processes, threads, events, semaphores,
named pipes, and so on. The first step is to include a
structure in the call. Until now, our programs have always used a
pointer in calls or have used simply to create inheritable
handles (Chapter 6). In order to implement security, the important element in
structure is , the pointer to a
security descriptor, which describes the object’s owner and determines which users are
allowed or denied various rights.
An individual process is identified by its access token, which specifies the owning
user and group membership. When a process attempts to access an object, the
Windows kernel can determine the process’s identity using the token and can then
decide from the information in the security descriptor whether or not the process
has the required rights to access the object.
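The decision described above, as an added example that is not code from the book: a simplified C model in which the token's user and groups are compared against a descriptor's ordered allow/deny entries. It goes beyond the paragraph by showing the order-dependent evaluation of a discretionary ACL; the type names, string SIDs and rights bits are assumptions made for illustration, not the Windows structures.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model, not the Windows structures: SIDs are plain strings. */
enum { R_READ = 1, R_WRITE = 2, R_DELETE = 4 };   /* constructed rights bits */
typedef enum { ACE_ALLOW, ACE_DENY } AceType;
typedef struct { AceType type; const char *sid; unsigned mask; } Ace;
/* owner is recorded only; implicit owner rights are not modelled here. */
typedef struct { const char *owner; const Ace *dacl; size_t count; int has_dacl; } Descriptor;
typedef struct { const char *user; const char *groups[4]; size_t ngroups; } Token;

/* Does the entry's SID name the token's user or one of its groups? */
static int token_has_sid(const Token *t, const char *sid) {
    if (strcmp(t->user, sid) == 0) return 1;
    for (size_t i = 0; i < t->ngroups; i++)
        if (strcmp(t->groups[i], sid) == 0) return 1;
    return 0;
}

/* Returns 1 if every bit in `desired` is granted, 0 otherwise. */
int access_check(const Token *t, const Descriptor *sd, unsigned desired) {
    if (!sd->has_dacl) return 1;          /* no DACL at all: unrestricted */
    unsigned remaining = desired;
    for (size_t i = 0; i < sd->count && remaining; i++) {
        const Ace *a = &sd->dacl[i];
        if (!token_has_sid(t, a->sid)) continue;
        /* A matching deny on a still-needed right ends the walk. */
        if (a->type == ACE_DENY && (a->mask & remaining)) return 0;
        if (a->type == ACE_ALLOW) remaining &= ~a->mask;
    }
    return remaining == 0;                /* an empty DACL grants nothing */
}

/* Constructed sample data. */
static const Token alice = { "alice", { "Users", "Interns" }, 2 };
static const Ace deny_first[]  = { { ACE_DENY,  "Interns", R_WRITE },
                                   { ACE_ALLOW, "Users",   R_READ | R_WRITE } };
static const Ace allow_first[] = { { ACE_ALLOW, "Users",   R_READ | R_WRITE },
                                   { ACE_DENY,  "Interns", R_WRITE } };
const Descriptor sd_deny_first  = { "bob", deny_first,  2, 1 };
const Descriptor sd_allow_first = { "bob", allow_first, 2, 1 };
const Descriptor sd_empty_dacl  = { "bob", NULL, 0, 1 };
const Descriptor sd_no_dacl     = { "bob", NULL, 0, 0 };

int main(void) {
    return access_check(&alice, &sd_deny_first, R_READ) ? 0 : 1;
}
```

With the allow entry first, the write request is granted before the deny entry for the same group is ever reached, which is why deny entries belong ahead of allow entries.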
structure was introduced in Chapter 6; for
review, here is the complete structure definition:
should be set to .
indicates whether or not the handle is inheritable by other processes.
The next section describes the security descriptor components.
Security Overview: The Security Descriptor
Analyzing the security descriptor gives a good overview of essential Windows
security elements. This section mentions the various elements and the names of
the functions that manage them, starting with the security descriptor structure.
A security descriptor is initialized with the function
, and it contains the following: