Windows object security

In Windows, objects represent all resources and are usually assigned names. A file is one example of a resource that is a named object. Any named object has an owner and can be secured. The owner is the user or group that has complete control of a resource. The owner specifies who can gain access to a resource and manages the extent of that access.

In Windows, either a user or a group can own an object. This is different from UNIX, in which only a user owns an object.

Windows identifies all users and groups internally by using a security identifier (SID). A hashing algorithm generates SID values that are unique; no two users or groups will have the same SID.

Users and groups that have permission to access an object are identified by their SID. All objects that can be secured by Windows have a discretionary access control list (DACL), which consists of separate entries called access control entries (ACEs). An ACE includes two important pieces of information: a user or group SID, and a description of how much access the individual user or group has to an object.

In Windows, you can use the command-line program called cacls.exe to see the DACL of an object. You can also view permissions using Microsoft Windows Explorer by right-clicking a file or folder, clicking Properties, and then clicking the Security tab.
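The same DACL can be read from PowerShell, which makes the owner, the SID in each ACE, and the access that ACE describes visible side by side. The following is an added example, not part of the original page: the function name Get-DaclReport and the BroadWrite column are hypothetical, the three well-known SIDs (Everyone, Authenticated Users, BUILTIN\Users) are assumptions not taken from the page, and it assumes an NTFS volume and PowerShell 3.0 or later.

```powershell
# Added example: report the owner and every ACE in a file's or folder's DACL.
# Get-DaclReport is a hypothetical helper name, not a built-in cmdlet.
function Get-DaclReport {
    param([Parameter(Mandatory)][string]$Path)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $ntType  = [System.Security.Principal.NTAccount]

    # Assumption: well-known SIDs for Everyone, Authenticated Users, BUILTIN\Users.
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    # Rights that let a principal change the object or its security settings.
    $risky = [System.Security.AccessControl.FileSystemRights]'Write, ChangePermissions, TakeOwnership'

    # Resolve a SID to an account name; deleted accounts leave unresolvable SIDs behind.
    $resolve = {
        param($sid)
        try { $sid.Translate($ntType).Value }
        catch [System.Security.Principal.IdentityNotMappedException] { '<unresolved>' }
    }

    $acl      = Get-Acl -LiteralPath $Path
    $ownerSid = $acl.GetOwner($sidType)

    # GetAccessRules(includeExplicit, includeInherited, targetType):
    # asking for SecurityIdentifier returns each ACE's trustee as a raw SID.
    $entries = foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference
        [pscustomobject]@{
            Account    = & $resolve $sid
            SID        = $sid.Value
            Type       = $ace.AccessControlType   # Allow or Deny
            Rights     = $ace.FileSystemRights
            Inherited  = $ace.IsInherited
            # True when an Allow ACE gives a broad group write-type access.
            BroadWrite = ($ace.AccessControlType -eq 'Allow') -and
                         ($broadSids -contains $sid.Value) -and
                         (($ace.FileSystemRights -band $risky) -ne 0)
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Owner    = & $resolve $ownerSid
        OwnerSid = $ownerSid.Value
        Entries  = $entries
    }
}

# Usage: (Get-DaclReport -Path "$env:SystemRoot\System32\drivers\etc\hosts").Entries | Format-Table -AutoSize
```

Rows where BroadWrite is True are the entries to review first, because they let a very large set of accounts modify the object.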

You must use the NTFS file system to have access to Windows file and directory permissions. The file-allocation table (FAT) file system does not have a built-in mechanism for managing permissions. You can have shared directories on a FAT system, but these shares are completely managed by Windows and have very little security.

In Windows NT, the standard types of file permissions are full control, read, change, and no access. In Windows 2000 and Windows XP, the file permissions are full control, modify, read and execute, read, and write.

In Windows NT, the standard types of directory permissions are no access, list, read, add, add and read, change, and full control. In Windows 2000 and Windows XP, the directory permissions are full control, modify, read and execute, list folder contents, read, and write.

Windows object security is an extensive topic. For more information about it, see Windows Help.