Windows security: protecting objects

Protecting objects

Object protection and access logging are the essence of discretionary access control and auditing. The objects that can be protected on Windows include files, devices, mailslots, pipes (named and anonymous), jobs, processes, threads, events, keyed events, event pairs, mutexes, semaphores, shared memory sections, I/O completion ports, LPC ports, waitable timers, access tokens, volumes, window stations, desktops, network shares, services, registry keys, printers, Active Directory objects, and so on—theoretically, anything managed by the executive object manager. In practice, objects that are not exposed to user mode (such as driver objects) are usually not protected. Kernel-mode code is trusted and usually uses interfaces to the object manager that do not perform access checking. Because system resources that are exported to user mode (and hence require security validation) are implemented as objects in kernel mode, the Windows object manager plays a key role in enforcing object security.

You can view object protection with the WinObj Sysinternals tool (for named objects), shown in Figure 7-5. Figure 7-6 shows the Security property page of a section object in the user’s session. Although files are the resources most commonly associated with object protection, Windows uses the same security model and mechanism for executive objects as it does for files in the file system. As far as access controls are concerned, executive objects differ from files only in the access methods supported by each type of object.

What is shown in Figure 7-6 is actually the object’s discretionary access control list (DACL). We will describe DACLs in detail in the section “Security descriptors and access control.”

You can use Process Explorer to view the security properties of objects by double-clicking a handle in the lower pane view (when configured to show handles). This has the added benefit of displaying objects that are unnamed. The Property page shown is the same in both tools, as the page itself is provided by Windows.


To control who can manipulate an object, the security system must first be sure of each user’s identity. This need to guarantee the user’s identity is the reason that Windows requires authenticated logon before accessing any system resources. When a process requests a handle to an object, the object manager and the security system use the caller’s security identification and the object’s security descriptor to determine whether the caller should be assigned a handle that grants the process access to the object it desires.

As discussed later in this chapter, a thread can assume a different security context than that of its process. This mechanism is called impersonation. When a thread is impersonating, security validation mechanisms use the thread’s security context instead of that of the thread’s process. When a thread isn’t impersonating, security validation falls back on using the security context of the thread’s owning process. It’s important to keep in mind that all the threads in a process share the same handle table, so when a thread opens an object—even if it’s impersonating—all the threads of the process have access to the object.
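The handle-granting check described above (the caller's identity plus the object's security descriptor, decided when the handle is opened, after which every thread in the process shares that handle) can be observed on a named executive object from Windows PowerShell. This is an added example, not code from Windows Internals or from this post; it assumes Windows PowerShell 5.1 on .NET Framework, where System.Threading.Mutex exposes GetAccessControl()/SetAccessControl(), and the object name is a constructed placeholder.

```powershell
# Added example: watch the object manager's access check on a named mutex.
# Assumes Windows PowerShell 5.1 (.NET Framework). Name is a constructed placeholder;
# 'Local\' puts it in the current session's \BaseNamedObjects directory (visible in WinObj).
$name = 'Local\ExampleProtectedMutex'

# Create the object; the creating handle is granted MUTEX_ALL_ACCESS.
$mutex = New-Object System.Threading.Mutex($false, $name)

# The DACL the object manager attached at creation, as SDDL. WinObj and
# Process Explorer render this same descriptor in the Security property page.
$sec = $mutex.GetAccessControl()
"Initial DACL : " + $sec.GetSecurityDescriptorSddlForm('Access')

# Tighten the DACL to one ACE: the caller's SID gets SYNCHRONIZE (0x00100000) only.
# P = protected (no inheritance), A = allow ACE.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$sec.SetSecurityDescriptorSddlForm("D:P(A;;0x00100000;;;$sid)")
$mutex.SetAccessControl($sec)
"Hardened DACL: " + $mutex.GetAccessControl().GetSecurityDescriptorSddlForm('Access')

# The check compares the *requested* rights against the DACL at open time.
# OpenExisting($name) asks for Modify|Synchronize, which is no longer granted.
try {
    [System.Threading.Mutex]::OpenExisting($name) | Out-Null
    "Open for Modify|Synchronize: granted (unexpected)"
} catch [System.UnauthorizedAccessException] {
    "Open for Modify|Synchronize: access denied, as the DACL dictates"
}

# Requesting only what the DACL allows succeeds.
$h = [System.Threading.Mutex]::OpenExisting($name,
        [System.Security.AccessControl.MutexRights]::Synchronize)
"Open for Synchronize only : granted"
$h.Dispose()

# The creating handle was checked when it was opened, so it still carries
# MUTEX_ALL_ACCESS (including WRITE_DAC) and can restore the DACL, even though a
# fresh open for those rights would be refused; all threads share it via the handle table.
$sec.SetSecurityDescriptorSddlForm("D:P(A;;GA;;;$sid)")
$mutex.SetAccessControl($sec)

# The identity and integrity level the check used: the process token, because
# no thread in this script is impersonating.
whoami /user
whoami /groups | Select-String 'Mandatory Label'
$mutex.Dispose()
```

Running the same script from a second account would also fail the Synchronize-only open, since its SID is not in the single ACE; the denial here comes purely from the requested access mask.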


Sometimes, validating the identity of a user isn’t enough for the system to grant access to a resource that should be accessible by the account. Logically, one can think of a clear distinction between a service running under the Alice account and an unknown application that Alice downloaded while browsing the Internet. Windows achieves this kind of intra-user isolation with the Windows integrity mechanism, which implements integrity levels. The Windows integrity mechanism is used by User Account Control (UAC) elevations, User Interface Privilege Isolation (UIPI) and AppContainers, all described later in this chapter.

