Security Principals
Applies to
- Windows 10
- Windows Server 2016
This reference topic for the IT professional describes security principals in regards to Windows accounts and security groups, in addition to security technologies that are related to security principals.
What are security principals?
Security principals are any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account, or the security groups for these accounts. Security principals have long been a foundation for controlling access to securable resources on Windows computers. Each security principal is represented in the operating system by a unique security identifier (SID).
The following content applies to the versions of Windows that are designated in the Applies To listing at the start of this topic.
How security principals work
Security principals that are created in an Active Directory domain are Active Directory objects, which can be used to manage access to domain resources. Each security principal is assigned a unique identifier, which it retains for its entire lifetime. Local user accounts and security groups are created on a local computer, and they can be used to manage access to resources on that computer. Local user accounts and security groups are managed by the Security Accounts Manager (SAM) on the local computer.
Authorization and access control components
The following diagram illustrates the Windows authorization and access control process. In this diagram, the subject (a process that is initiated by a user) attempts to access an object, such as a shared folder. The information in the user's access token is compared to the access control entries (ACEs) in the object's security descriptor, and the access decision is made. The SIDs of security principals are used in the user's access token and in the ACEs in the object's security descriptor.
(Diagram: Authorization and access control process)
Security principals are closely related to the following components and technologies:
- Security identifiers
- Access tokens
- Security descriptors and access control lists
- Permissions
Security identifiers
Security identifiers (SIDs) provide a fundamental building block of the Windows security model. They work with specific components of the authorization and access control technologies in the security infrastructure of the Windows Server operating systems. This helps protect access to network resources and provides a more secure computing environment.
A SID is a value of variable length that is used to uniquely identify a security principal that represents any entity that can be authenticated by the system. These entities include a user account, a computer account, or a thread or process that runs in the security context of a user or computer account. Each security principal is automatically assigned a SID when it is created. The SID is stored in a security database. When a SID is used as the unique identifier for a user or group, it can never be used to identify another user or group.
Each time a user signs in, the system creates an access token for that user. The access token contains the user's SID, user rights, and the SIDs for groups that the user belongs to. This token provides the security context for any actions the user performs on that computer.
In addition to the uniquely created, domain-specific SIDs that are assigned to specific users and groups, there are well-known SIDs that identify generic groups and generic users. For example, the Everyone and the World SIDs identify groups that include all users. Well-known SIDs have values that remain constant across all operating systems.
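The SID structure described above has a fixed binary layout: a one-byte revision (always 1), a one-byte sub-authority count, a 48-bit big-endian identifier authority, and then each sub-authority as a little-endian 32-bit integer; the last sub-authority of a domain or machine SID is the relative identifier (RID). The following parser is an added example, not code from this documentation. It converts between the binary layout and the familiar S-1-... string form, validates the length so a truncated SID is rejected rather than misread, and classifies a SID as well-known, built-in (RID below 1000) or administrator-created. The domain SID and account SIDs it uses are constructed for the example; the well-known SIDs in the table are the real constant values.

```python
"""Convert between the binary SID layout and its S-R-A-S1-...-Sn string form.

Added example, not code from the Microsoft documentation. The sample domain
and account SIDs are constructed; the WELL_KNOWN_SIDS values are the real
constants that keep the same value on every Windows system.
"""
import struct

# Well-known SIDs have the same value on every Windows installation.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone (World)",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}

MAX_SUB_AUTHORITIES = 15  # SID_MAX_SUB_AUTHORITIES

# Constructed sample values for this example (not real identifiers).
SAMPLE_DOMAIN_SID = "S-1-5-21-3623811015-3361044348-30300820"
SAMPLE_USER_SID = SAMPLE_DOMAIN_SID + "-1013"     # an administrator-created account
SAMPLE_ADMIN_SID = SAMPLE_DOMAIN_SID + "-500"     # the built-in Administrator RID


def sid_to_string(blob: bytes) -> str:
    """Parse a binary SID into its string form, validating the length first."""
    if len(blob) < 8:
        raise ValueError("a SID header is 8 bytes")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > MAX_SUB_AUTHORITIES:
        raise ValueError(f"too many sub-authorities: {count}")
    expected = 8 + 4 * count
    if len(blob) != expected:
        raise ValueError(f"expected {expected} bytes for {count} sub-authorities, got {len(blob)}")
    authority = int.from_bytes(blob[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack_from(f"<{count}I", blob, 8)       # 32-bit, little-endian each
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def string_to_sid(text: str) -> bytes:
    """Encode an S-R-A-S1-...-Sn string back into the binary layout."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError(f"invalid SID: {text!r}")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def describe_sid(text: str) -> str:
    """Classify a SID as well-known, built-in, or administrator-created."""
    if text in WELL_KNOWN_SIDS:
        return f"well-known: {WELL_KNOWN_SIDS[text]}"
    parts = text.split("-")
    # S-1-5-21-<three 32-bit values> identifies the domain (or local machine);
    # the trailing sub-authority is the RID of the account or group.
    if len(parts) == 8 and parts[2] == "5" and parts[3] == "21":
        rid = int(parts[7])
        domain = "-".join(parts[:7])
        if rid < 1000:
            return f"built-in principal RID {rid} in domain {domain}"
        return f"administrator-created principal RID {rid} in domain {domain}"
    return "other"


if __name__ == "__main__":
    for sid in ("S-1-1-0", "S-1-5-18", SAMPLE_ADMIN_SID, SAMPLE_USER_SID):
        blob = string_to_sid(sid)
        print(f"{sid:45} {blob.hex():40} {describe_sid(sid_to_string(blob))}")
```

Because the parser checks the declared sub-authority count against the actual byte length, a SID that was cut short (for example, inside a truncated security descriptor) raises an error instead of silently producing a shorter, different principal.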
Access tokens
An access token is a protected object that contains information about the identity and user rights that are associated with a user account.
When a user signs in interactively or tries to make a network connection to a computer running Windows, the sign-in process authenticates the user's credentials. If authentication is successful, the process returns a SID for the user and a list of SIDs for the user's security groups. The Local Security Authority (LSA) on the computer uses this information to create an access token (in this case, the primary access token). This includes the SIDs that are returned by the sign-in process and a list of user rights that are assigned by the local security policy to the user and to the user's security groups.
After the LSA creates the primary access token, a copy of the access token is attached to every thread and process that executes on the user's behalf. Whenever a thread or process interacts with a securable object or tries to perform a system task that requires user rights, the operating system checks the access token that is associated with the thread to determine the level of authorization.
There are two kinds of access tokens, primary and impersonation. Every process has a primary token that describes the security context of the user account that is associated with the process. A primary access token is typically assigned to a process to represent the default security information for that process. Impersonation tokens, on the other hand, are usually used for client and server scenarios. Impersonation tokens enable a thread to run in a security context that differs from the security context of the process that owns the thread.
Security descriptors and access control lists
A security descriptor is a data structure that is associated with each securable object. All objects in Active Directory and all securable objects on a local computer or on the network have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object's security descriptor can contain two types of ACLs:
- A discretionary access control list (DACL), which identifies the users and groups who are allowed or denied access
- A system access control list (SACL), which controls how access is audited
You can use this access control model to individually secure objects and attributes such as files and folders, Active Directory objects, registry keys, printers, devices, ports, services, processes, and threads. Because of this individual control, you can tailor the security of objects to meet the needs of your organization, delegate authority over objects or attributes, and create custom objects or attributes that require unique security protections to be defined.
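The access token section and the DACL section above together describe the decision the diagram shows: the SIDs in the thread's token are matched against the ACEs in the object's DACL. The following simulation is an added example, not code from this documentation. It walks the DACL in order, stops on an access-denied ACE whose trustee is in the token and whose mask overlaps the rights still outstanding, accumulates access-allowed ACEs until every requested right is granted, and denies anything left ungranted at the end. It also covers two edge cases worth knowing as a defender: a security descriptor with no DACL at all grants everyone full access, while an empty DACL grants nothing. The `is_canonical` check flags a DACL whose allow ACEs precede its deny ACEs, the ordering mistake that lets a deny be bypassed. The access-mask bits, SIDs, names and share are all constructed for the example.

```python
"""Simulate the DACL access check Windows performs against an access token.

Added example, not code from the Microsoft documentation. The access-mask
bit values are constructed for the example (they are not the real Windows
access-mask constants); all SIDs, names and the file share are constructed too.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed access-right bits for this example.
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
FULL_CONTROL = READ | WRITE | EXECUTE | DELETE

EVERYONE_SID = "S-1-1-0"  # the real well-known Everyone (World) SID

# Constructed domain SIDs: groups and users in a fictional domain.
FINANCE_SID = "S-1-5-21-1000-2000-3000-1101"
CONTRACTORS_SID = "S-1-5-21-1000-2000-3000-1102"
ALICE_SID = "S-1-5-21-1000-2000-3000-1201"
BOB_SID = "S-1-5-21-1000-2000-3000-1202"


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee SID (user or group)
    mask: int   # rights this ACE allows or denies


@dataclass(frozen=True)
class SecurityDescriptor:
    owner_sid: str
    dacl: Optional[tuple]  # None = no DACL (everyone gets full access); () = empty DACL


@dataclass(frozen=True)
class AccessToken:
    user_sid: str
    group_sids: frozenset  # SIDs of every group the user belongs to

    def holds(self, sid: str) -> bool:
        return sid == self.user_sid or sid in self.group_sids


def access_check(token: AccessToken, sd: SecurityDescriptor, requested: int) -> Tuple[bool, int]:
    """Return (access granted?, rights actually granted) for the requested mask."""
    if sd.dacl is None:
        return True, requested           # no DACL at all: unrestricted access
    granted = 0
    for ace in sd.dacl:                  # ACEs are evaluated strictly in order
        remaining = requested & ~granted
        if not remaining:
            break                        # everything requested is already granted
        if not token.holds(ace.sid):
            continue                     # trustee not in this token: ACE does not apply
        if ace.kind == "deny" and ace.mask & remaining:
            return False, granted        # a matching deny on an outstanding right ends the check
        if ace.kind == "allow":
            granted |= ace.mask & requested
    return granted == requested, granted # an empty DACL falls through to "nothing granted"


def is_canonical(dacl: Optional[tuple]) -> bool:
    """Explicit deny ACEs must precede allow ACEs; otherwise an earlier allow
    can satisfy the request before the deny is ever reached."""
    seen_allow = False
    for ace in dacl or ():
        if ace.kind == "allow":
            seen_allow = True
        elif seen_allow:
            return False
    return True


# Constructed DACL for a shared folder: contractors may never write or delete,
# everyone may read, and Finance has read/write/delete.
SHARE_DACL = (
    Ace("deny", CONTRACTORS_SID, WRITE | DELETE),
    Ace("allow", EVERYONE_SID, READ),
    Ace("allow", FINANCE_SID, READ | WRITE | DELETE),
)
SHARE = SecurityDescriptor(owner_sid=ALICE_SID, dacl=SHARE_DACL)
# Same intent, wrong order: the allow comes first, so the deny is bypassed.
BAD_DACL = (Ace("allow", EVERYONE_SID, FULL_CONTROL), Ace("deny", CONTRACTORS_SID, WRITE | DELETE))

ALICE_TOKEN = AccessToken(ALICE_SID, frozenset({EVERYONE_SID, FINANCE_SID}))
BOB_TOKEN = AccessToken(BOB_SID, frozenset({EVERYONE_SID, FINANCE_SID, CONTRACTORS_SID}))

if __name__ == "__main__":
    print("alice read+write:", access_check(ALICE_TOKEN, SHARE, READ | WRITE))
    print("bob write:       ", access_check(BOB_TOKEN, SHARE, WRITE))
    print("bob read:        ", access_check(BOB_TOKEN, SHARE, READ))
    print("canonical order: ", is_canonical(SHARE_DACL), is_canonical(BAD_DACL))
```

Bob is in both Finance and Contractors, so the deny ACE placed first wins for WRITE even though a later ACE would allow it; in the non-canonical `BAD_DACL` the same request succeeds, which is why auditing tools flag DACLs whose explicit denies do not come first.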
Permissions
Permissions enable the owner of each securable object, such as a file, Active Directory object, or registry key, to control who can perform an operation or a set of operations on the object or object property. Permissions are expressed in the security architecture as access control entries (ACEs). Because access to an object is at the discretion of the object's owner, the type of access control that is used in Windows is called discretionary access control.
Permissions are different from user rights in that permissions are attached to objects, and user rights apply to user accounts. Administrators can assign user rights to groups or users. These rights authorize users to perform specific actions, such as signing in to a system interactively or backing up files and directories.
On computers, user rights enable administrators to control who has the authority to perform operations that affect an entire computer, rather than a particular object. Administrators assign user rights to individual users or groups as part of the security settings for the computer. Although user rights can be managed centrally through Group Policy, they are applied locally. Users can (and usually do) have different user rights on different computers.
For information about which user rights are available and how they can be implemented, see User Rights Assignment.
Security context in authentication
A user account enables a user to sign in to computers, networks, and domains with an identity that can be authenticated by the computer, network, or domain.
In Windows, any user, service, group, or computer that can initiate action is a security principal. Security principals have accounts, which can be local to a computer or domain-based. For example, domain-joined Windows client computers can participate in a network domain by communicating with a domain controller, even when no user is signed in.
To initiate communications, the computer must have an active account in the domain. Before accepting communications from the computer, the Local Security Authority on the domain controller authenticates the computer's identity and then defines the computer's security context just as it would for a user's security principal.
This security context defines the identity and capabilities of a user or service on a particular computer, or of a user, service, group or computer on a network. For example, it defines the resources (such as a file share or printer) that can be accessed and the actions (such as Read, Write, or Modify) that can be performed by a user, service, or computer on that resource.
The security context of a user or computer can vary from one computer to another, such as when a user authenticates to a server or a workstation other than the user's primary workstation. It can also vary from one session to another, such as when an administrator modifies the user's rights and permissions. In addition, the security context is usually different when a user or computer is operating on a stand-alone basis, in a mixed network domain, or as part of an Active Directory domain.
Accounts and security groups
Accounts and security groups that are created in an Active Directory domain are stored in the Active Directory database and managed by using Active Directory tools. These security principals are directory objects, and they can be used to manage access to domain resources.
Local user accounts and security groups are created on a local computer, and they can be used to manage access to resources on that computer. Local user accounts and security groups are stored in and managed by the Security Accounts Manager (SAM) on the local computer.
User accounts
A user account uniquely identifies a person who is using a computer system. The account signals the system to enforce the appropriate authorization to allow or deny that user access to resources. User accounts can be created in Active Directory and on local computers, and administrators use them to:
- Represent, identify, and authenticate the identity of a user. A user account enables a user to sign in to computers, networks, and domains with a unique identifier that can be authenticated by the computer, network, or domain.
- Authorize (grant or deny) access to resources. After a user has been authenticated, the user is authorized access to resources based on the permissions that are assigned to that user for the resource.
- Audit the actions that are carried out on a user account.
Windows and the Windows Server operating systems have built-in user accounts, or you can create user accounts to meet the requirements of your organization.
Security groups
A security group is a collection of user accounts, computer accounts, and other groups of accounts that can be managed as a single unit from a security perspective. In Windows operating systems, there are several built-in security groups that are preconfigured with the appropriate rights and permissions for performing specific tasks. Additionally, you can (and, typically, will) create a security group for each unique combination of security requirements that applies to multiple users in your organization.
Groups can be Active Directory-based or local to a particular computer:
- Active Directory security groups are used to manage rights and permissions to domain resources.
- Local groups exist in the SAM database on local computers (on all Windows-based computers) except domain controllers. You use local groups to manage rights and permissions only to resources on the local computer.
By using security groups to manage access control, you can:
- Simplify administration. You can assign a common set of rights, a common set of permissions, or both to many accounts at one time, rather than assigning them to each account individually. Also, when users transfer jobs or leave the organization, permissions are not tied to their user accounts, making permission reassignment or removal easier.
- Implement a role-based access-control model. You can use this model to grant permissions by using groups with different scopes for appropriate purposes. Scopes that are available in Windows include local, global, domain local, and universal.
- Minimize the size of access control lists (ACLs) and speed security checking. A security group has its own SID; therefore, the group SID can be used to specify permissions for a resource. In an environment with more than a few thousand users, if the SIDs of individual user accounts are used to specify access to a resource, the ACL of that resource can become unmanageably large, and the time that is needed for the system to check permissions to the resource can become unacceptable.
For descriptions and settings information about the domain security groups that are defined in Active Directory, see Active Directory Security Groups.
For descriptions and settings information about the Special Identities group, see Special Identities.
See also
- Access Control Overview