Understanding Windows NT Security
Anything you do in Windows NT involves some type of security check. If you attempt to access a file, a security check occurs. If you try to log on to a workstation, a security check occurs. When using Windows NT as a desktop operating system, these security checks are generally invisible because in most situations you log on to your own machine with administrator privileges and never encounter any permission issues. These security checks also include access by other Windows NT machines as well. For example, if another machine attempts to access a data file or other resource, a security check also occurs.
The Windows NT operating system provides a number of primary security functions to control access to your enterprise application, including those listed in the following table:
| Function | Description | Discussed in this Chapter |
| User and group management | Controls network log on and log off rights, both local and remote, for users, groups, and administrators. | Controlling User Access |
| Security policy definitions | Defines user and group rights (such as password aging, default access permissions, and audit policies). | Controlling User Access |
| File and object access | Protects files and directories, including removable media. This includes protecting the files that make up the operating system itself. | Protecting Files |
| Registry access | Protects registry settings from remote tampering. | Securing the Windows NT Registry |
With these Windows NT security functions, you can control access to all Windows NT object types, including all of your application's elements and resources. The list of securable object types is extensive, and includes the following:
- Local or remote Windows NT file system (NTFS) files and directories
- Processes and threads
- Named and anonymous pipes
- Console screen buffers
- File-mapping objects
- Access tokens
- Mail slots
- Registry keys
- Local or remote printers
- Windows NT network shares
- Windows NT Services
- Interprocess synchronization objects
Your enterprise application might not be concerned with access permissions for each of these objects. However, for a difficult security implementation, it's useful to know that you can not only define these permissions as administrator, but your application can also set object access permissions programmatically.
Knowing how Windows NT security works is important when you need to implement protection for an enterprise application. Because Internet Information Server allows Web browsers to access files on a Windows NT system, it is especially important to understand the unique security requirements of a Web application.
For More Information Securing Your Web Application, in this chapter, lists topics with information on security in the Web context. For more information on Windows NT operating system security, search for "Windows NT Security in Theory and Practice" in MSDN Library Visual Studio 6.0. For a complete cross-reference of online security topics, search for "Windows NT Security Features" in MSDN Library Visual Studio 6.0.