Access Control Model

The access control model enables you to control the ability of a process to access securable objects or to perform various system administration tasks.

1. Parts of the Access Control Model

There are two basic parts of the access control model:

  • Access tokens, which contain information about a logged-on user.
  • Security descriptors, which contain the security information that protects a securable object.
When a user logs on, the system authenticates the user's account name and password. If the logon is successful, the system creates an access token. Every process executed on behalf of this user will have a copy of this access token. The access token contains security identifiers that identify the user's account and any group accounts to which the user belongs. The token also contains a list of the privileges held by the user or the user's groups. The system uses this token to identify the associated user when a process tries to access a securable object or perform a system administration task that requires privileges.

When a securable object is created, the system assigns it a security descriptor that contains security information specified by its creator, or default security information if none is specified. Applications can use functions to retrieve and set the security information for an existing object.

A security descriptor identifies the object's owner and can also contain the following access control lists:

  • A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access to the object.
  • A system access control list (SACL) that controls how the system audits attempts to access the object.

An ACL contains a list of access control entries (ACEs). Each ACE specifies a set of access rights and contains a SID that identifies a trustee for whom the rights are allowed, denied, or audited. A trustee can be a user account, group account, or logon session.

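The token and ACE mechanics described above, as an added example that is not code from the page or from Windows: a small C model in which `access_check` applies the Windows evaluation rule (ACEs are walked in order and skipped unless their SID is in the token; a deny ACE that covers any still-ungranted right ends the check with a denial; allow ACEs grant rights until every requested bit is covered; an empty or exhausted DACL denies and a NULL DACL grants everything). The SIDs, DACLs, tokens and the `RIGHT_*` bits are all constructed for the example. The second DACL holds the same entries with the deny ACE moved last, which is the reason Windows keeps ACLs in canonical order (explicit denies before explicit allows) and why SetEntriesInAcl builds them that way.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Generic right bits for this model only; every real object type has its own map. */
#define RIGHT_READ    0x1u
#define RIGHT_WRITE   0x2u
#define RIGHT_EXECUTE 0x4u
#define RIGHT_DELETE  0x8u

typedef enum { ACE_ACCESS_ALLOWED, ACE_ACCESS_DENIED } AceType;

typedef struct {
    AceType type;
    uint32_t mask;     /* rights this ACE allows or denies */
    const char *sid;   /* trustee SID, kept in string form in this model */
} Ace;

typedef struct {
    const Ace *aces;   /* evaluated strictly in this order */
    size_t count;
    int is_null;       /* a NULL DACL means the object is unprotected */
} Dacl;

typedef struct {       /* the parts of an access token the check needs */
    const char *user_sid;
    const char **group_sids;
    size_t group_count;
} Token;

static int token_holds_sid(const Token *tok, const char *sid) {
    if (strcmp(tok->user_sid, sid) == 0) return 1;
    for (size_t i = 0; i < tok->group_count; i++)
        if (strcmp(tok->group_sids[i], sid) == 0) return 1;
    return 0;
}

/* Returns 1 if every bit in `requested` is granted to the token, 0 if denied. */
int access_check(const Token *tok, const Dacl *dacl, uint32_t requested) {
    if (requested == 0) return 0;
    if (dacl->is_null) return 1;              /* no DACL: nothing protects the object */
    uint32_t remaining = requested;           /* rights not yet granted */
    for (size_t i = 0; i < dacl->count && remaining != 0; i++) {
        const Ace *ace = &dacl->aces[i];
        if (!token_holds_sid(tok, ace->sid)) continue;
        if (ace->type == ACE_ACCESS_DENIED) {
            if (ace->mask & remaining) return 0;   /* deny reached before a grant */
        } else {
            remaining &= ~ace->mask;               /* allow ACEs accumulate */
        }
    }
    return remaining == 0;                    /* empty or exhausted DACL denies */
}

/* Constructed sample SIDs; they do not refer to real accounts. */
#define SID_EVERYONE     "S-1-1-0"
#define SID_DOMAIN_USERS "S-1-5-21-1-2-3-513"
#define SID_CONTRACTORS  "S-1-5-21-1-2-3-1101"
#define SID_ALICE        "S-1-5-21-1-2-3-2001"
#define SID_GUEST        "S-1-5-21-1-2-3-501"

#define ALL_RIGHTS (RIGHT_READ | RIGHT_WRITE | RIGHT_EXECUTE | RIGHT_DELETE)

/* Canonical order: the explicit deny ACE comes before the allow ACEs. */
static const Ace canonical_aces[] = {
    { ACE_ACCESS_DENIED,  RIGHT_WRITE | RIGHT_DELETE, SID_CONTRACTORS  },
    { ACE_ACCESS_ALLOWED, ALL_RIGHTS,                 SID_DOMAIN_USERS },
    { ACE_ACCESS_ALLOWED, RIGHT_READ,                 SID_EVERYONE     },
};
/* Same entries with the deny moved last: the allow for Domain Users now wins. */
static const Ace misordered_aces[] = {
    { ACE_ACCESS_ALLOWED, ALL_RIGHTS,                 SID_DOMAIN_USERS },
    { ACE_ACCESS_ALLOWED, RIGHT_READ,                 SID_EVERYONE     },
    { ACE_ACCESS_DENIED,  RIGHT_WRITE | RIGHT_DELETE, SID_CONTRACTORS  },
};
static const Dacl canonical_dacl  = { canonical_aces,  3, 0 };
static const Dacl misordered_dacl = { misordered_aces, 3, 0 };
static const Dacl null_dacl       = { NULL, 0, 1 };

static const char *alice_groups[] = { SID_EVERYONE, SID_DOMAIN_USERS, SID_CONTRACTORS };
static const Token alice = { SID_ALICE, alice_groups, 3 };   /* a contractor */
static const char *guest_groups[] = { SID_EVERYONE };
static const Token guest = { SID_GUEST, guest_groups, 1 };

int contractor_write_canonical(void)  { return access_check(&alice, &canonical_dacl,  RIGHT_WRITE); }
int contractor_read_canonical(void)   { return access_check(&alice, &canonical_dacl,  RIGHT_READ | RIGHT_EXECUTE); }
int contractor_write_misordered(void) { return access_check(&alice, &misordered_dacl, RIGHT_WRITE); }
int guest_read(void)                  { return access_check(&guest, &canonical_dacl,  RIGHT_READ); }
int guest_write(void)                 { return access_check(&guest, &canonical_dacl,  RIGHT_WRITE); }
int guest_write_null_dacl(void)       { return access_check(&guest, &null_dacl,       RIGHT_WRITE); }

int main(void) {
    printf("contractor WRITE, canonical DACL : %d\n", contractor_write_canonical());    /* 0 */
    printf("contractor READ|EXEC, canonical  : %d\n", contractor_read_canonical());     /* 1 */
    printf("contractor WRITE, deny last      : %d\n", contractor_write_misordered());   /* 1 */
    printf("guest READ / WRITE, canonical    : %d / %d\n", guest_read(), guest_write()); /* 1 / 0 */
    printf("guest WRITE, NULL DACL           : %d\n", guest_write_null_dacl());          /* 1 */
    return 0;
}
```

Build with any C99 compiler; no Windows headers are needed. On Windows the real decision is made by AccessCheck against a security descriptor obtained with functions such as GetSecurityInfo, and the object's owner additionally receives READ_CONTROL and WRITE_DAC implicitly, which this model leaves out.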

Use functions to manipulate the contents of security descriptors, SIDs, and ACLs rather than accessing them directly. This helps ensure that these structures remain syntactically accurate and prevents future enhancements to the security system from breaking existing code.

Securable Objects

A securable object is an object that can have a security descriptor. All named Windows objects are securable. Some unnamed objects, such as process and thread objects, can have security descriptors too. For most securable objects, you can specify an object's security descriptor in the function call that creates the object. For example, you can specify a security descriptor in the CreateFile and CreateProcess functions.

In addition, the Windows security functions enable you to get and set the security information for securable objects created on operating systems other than Windows. The Windows security functions also provide support for using security descriptors with private, application-defined objects. For more information about private securable objects, see Client/Server Access Control.

Each type of securable object defines its own set of specific access rights and its own mapping of generic access rights. For information about the specific and generic access rights for each type of securable object, see the overview for that type of object.

The following table shows the functions to use to manipulate the security information for some common securable objects.

Object type: security descriptor functions
  • Files or directories on an NTFS file system: GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo
  • Named pipes: GetSecurityInfo, SetSecurityInfo
  • Anonymous pipes: GetSecurityInfo, SetSecurityInfo
  • Processes: GetSecurityInfo, SetSecurityInfo
  • Threads: GetSecurityInfo, SetSecurityInfo
  • File-mapping objects: GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo
  • Access tokens: SetKernelObjectSecurity, GetKernelObjectSecurity
  • Window-management objects (window stations and desktops): GetSecurityInfo, SetSecurityInfo
  • Registry keys: GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo
  • Windows services: GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo
  • Local or remote printers: GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo
  • Network shares: GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo
  • Interprocess synchronization objects (events, mutexes, semaphores, and waitable timers): GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo
  • Job objects: GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo
  • Directory service objects: these objects are handled by Active Directory objects. For more information, see Active Directory Service Interfaces.

Trustees

A trustee is the user account, group account, or logon session to which an access control entry (ACE) applies. Each ACE in an access control list (ACL) has one security identifier (SID) that identifies a trustee.

User accounts include accounts that human users or programs such as Windows Services use to log on to the local computer.

Group accounts cannot be used to log on to a computer, but they are useful in ACEs to allow or deny a set of access rights to one or more user accounts.

A logon SID that identifies the current logon session is useful to allow or deny access rights only until the user logs off.

The access control functions use the TRUSTEE structure to identify a trustee. The TRUSTEE structure enables you to use a name string or a SID to identify a trustee. If you use a name, the functions that create an ACE from the TRUSTEE structure perform the task of allocating the SID buffers and looking up the SID that corresponds to the account name. There are two helper functions, BuildTrusteeWithSid and BuildTrusteeWithName, that initialize a TRUSTEE structure with a specified SID or name. BuildTrusteeWithObjectsAndSid and BuildTrusteeWithObjectsAndName allow you to initialize a TRUSTEE structure with object-specific ACE information. Three other helper functions, GetTrusteeForm, GetTrusteeName, and GetTrusteeType, retrieve the values of the various members of a TRUSTEE structure.

The ptstrName member of the TRUSTEE structure can be a pointer to an OBJECTS_AND_NAME or OBJECTS_AND_SID structure. These structures specify information about an object-specific ACE in addition to a trustee name or SID. This enables functions such as SetEntriesInAcl and GetExplicitEntriesFromAcl to store object-specific ACE information in the Trustee member of the EXPLICIT_ACCESS structure.

Note: object-specific ACEs exist to support directory service objects. An object-specific ACE contains a pair of GUIDs that extend the behavior of the object the ACE protects.
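
The page says that every ACE carries a SID and that SIDs should be handled through functions rather than touched directly. As an added example (not code from the page or from the Windows SDK), the following C program shows the binary layout such a function hides: the structure a TRUSTEE in TRUSTEE_IS_SID form points to. `sid_from_string` and `sid_to_string` are names chosen here and stand in for ConvertStringSidToSid and ConvertSidToStringSid, `sid_equal` stands in for EqualSid, and the SID strings are constructed samples apart from the well-known BUILTIN\Administrators SID S-1-5-32-544.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SID_MAX_SUB_AUTHORITIES 15
#define SID_MAX_BYTES (8 + 4 * SID_MAX_SUB_AUTHORITIES)

/* Binary SID layout (what a PSID points to):
 *   byte 0     Revision (always 1)
 *   byte 1     SubAuthorityCount
 *   bytes 2-7  IdentifierAuthority, 48-bit big-endian
 *   bytes 8..  SubAuthority[count], 32-bit little-endian each
 * Parses a decimal "S-1-<authority>-<sub>-..." string into that layout.
 * Returns the number of bytes written, or 0 if the string is malformed. */
size_t sid_from_string(const char *s, uint8_t out[SID_MAX_BYTES]) {
    if ((s[0] != 'S' && s[0] != 's') || s[1] != '-' || s[2] != '1' || s[3] != '-')
        return 0;                                        /* only revision 1 exists */
    const char *p = s + 4;
    char *end;
    if (!isdigit((unsigned char)*p)) return 0;           /* no sign, no whitespace */
    errno = 0;
    unsigned long long auth = strtoull(p, &end, 10);
    if (errno != 0 || auth > 0xFFFFFFFFFFFFULL) return 0; /* must fit in 48 bits */
    uint32_t subs[SID_MAX_SUB_AUTHORITIES];
    uint8_t count = 0;
    while (*end == '-') {
        p = end + 1;
        if (!isdigit((unsigned char)*p) || count == SID_MAX_SUB_AUTHORITIES) return 0;
        unsigned long long v = strtoull(p, &end, 10);
        if (errno != 0 || v > 0xFFFFFFFFULL) return 0;   /* must fit in 32 bits */
        subs[count++] = (uint32_t)v;
    }
    if (*end != '\0') return 0;                          /* trailing garbage */
    out[0] = 1;
    out[1] = count;
    for (int i = 0; i < 6; i++)                          /* authority: big-endian */
        out[2 + i] = (uint8_t)(auth >> (8 * (5 - i)));
    for (int i = 0; i < count; i++)                      /* sub-authorities: little-endian */
        for (int b = 0; b < 4; b++)
            out[8 + 4 * i + b] = (uint8_t)(subs[i] >> (8 * b));
    return 8 + 4 * (size_t)count;
}

/* Inverse of sid_from_string. Rejects truncated buffers and unknown revisions
 * before reading any field, the check IsValidSid performs on Windows. */
int sid_to_string(const uint8_t *sid, size_t len, char *buf, size_t bufsz) {
    if (len < 8 || sid[0] != 1 || sid[1] > SID_MAX_SUB_AUTHORITIES) return 0;
    size_t count = sid[1];
    if (len < 8 + 4 * count) return 0;
    unsigned long long auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | sid[2 + i];
    int n = snprintf(buf, bufsz, "S-1-%llu", auth);
    if (n < 0 || (size_t)n >= bufsz) return 0;
    size_t used = (size_t)n;
    for (size_t i = 0; i < count; i++) {
        uint32_t v = 0;
        for (int b = 3; b >= 0; b--) v = (v << 8) | sid[8 + 4 * i + b];
        n = snprintf(buf + used, bufsz - used, "-%u", (unsigned)v);
        if (n < 0 || (size_t)n >= bufsz - used) return 0;
        used += (size_t)n;
    }
    return 1;
}

/* Byte-wise comparison, as EqualSid does: this is how an ACE's SID is matched
 * against the SIDs in a token. Returns 1 if the two SIDs are identical. */
int sid_equal(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen) {
    return alen != 0 && alen == blen && memcmp(a, b, alen) == 0;
}

/* Returns 1 if a string survives string -> binary -> string unchanged. */
int sid_roundtrips(const char *s) {
    uint8_t bin[SID_MAX_BYTES];
    char back[256];
    size_t len = sid_from_string(s, bin);
    return len != 0 && sid_to_string(bin, len, back, sizeof back) && strcmp(s, back) == 0;
}

/* Encodes BUILTIN\Administrators and compares it with its documented byte layout. */
int admins_sid_layout_matches(void) {
    static const uint8_t expected[16] = {
        0x01, 0x02,                          /* revision 1, two sub-authorities */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x05,  /* NT authority (5), big-endian    */
        0x20, 0x00, 0x00, 0x00,              /* 32  = BUILTIN, little-endian    */
        0x20, 0x02, 0x00, 0x00               /* 544 = Administrators            */
    };
    uint8_t bin[SID_MAX_BYTES];
    size_t len = sid_from_string("S-1-5-32-544", bin);
    return sid_equal(bin, len, expected, sizeof expected);
}

int main(void) {
    uint8_t bin[SID_MAX_BYTES];
    size_t len = sid_from_string("S-1-5-32-544", bin);
    for (size_t i = 0; i < len; i++) printf("%02x ", bin[i]);   /* dumps the 16 bytes */
    printf("\nlayout ok: %d, roundtrip ok: %d\n", admins_sid_layout_matches(),
           sid_roundtrips("S-1-5-21-1000000001-2000000002-3000000003-1013"));
    return 0;
}
```

The layout mixes a big-endian 48-bit authority with little-endian 32-bit sub-authorities and a count byte that fixes the total length; that is exactly the kind of detail hand-written pointer arithmetic gets wrong and that IsValidSid and GetLengthSid exist to encapsulate. The parser handles only the decimal authority form; Windows also accepts a hexadecimal authority for values above 32 bits.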

Reprinted from: https://www.cnblogs.com/debug-me/p/6920266.html
