The Access Control Process

Now that you are familiar with users, groups, and permissions, take another look at the access control process. The access control process examines a request for access and grants or denies access. The following steps take place:
Let's look at an example of this in practice. User Joe wants to open a Word document, budget.doc, for reading and writing. He double-clicks the file in Windows Explorer. The access control list on the file and the SIDs in his access token are listed in Figure 3-21. The ACL on budget.doc contains the ACEs as listed in the box labeled "Access Control List," while Joe's access token contains the SIDs in the box labeled "Access Token." Because it's easier for us to look at names instead of SIDs, no actual SIDs or other numerical representations are listed. The real access token and ACL would look much different but would evaluate to the same information and produce the same result. The ACL contains ACEs that are composed of SIDs and the access rights granted. The access token includes the account SID and the SIDs of groups of which the account is a member.

Figure 3-21. An example ACL and Access Token for comparison.
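The comparison of token SIDs against ACEs can be modelled in a few lines. This is an added example, not from the book: it follows Windows' in-order evaluation (explicit deny, accumulated allows, implicit deny at the end of the list), which goes beyond what the text above spells out. Names stand in for SIDs as in the text; the group names, ACEs, right bits and the users Ann and Bob are constructed for illustration.

```python
# Simplified model of DACL evaluation; names stand in for SIDs, as in the text.
READ, WRITE = 0x1, 0x2  # constructed right bits, not real Windows access masks

def check_access(token_sids, dacl, requested):
    """Compare a token's SIDs with an ordered ACL; return (granted, reason)."""
    if dacl is None:                      # object has no DACL at all
        return True, "no DACL: access is unrestricted"
    remaining = requested                 # rights still waiting for an allow ACE
    for ace_type, sid, mask in dacl:      # ACEs are examined in list order
        if sid not in token_sids:
            continue                      # ACE names a SID the token lacks
        if ace_type == "deny" and mask & remaining:
            return False, f"explicit deny for {sid}"
        if ace_type == "allow":
            remaining &= ~mask
            if remaining == 0:
                return True, f"granted, completed by ACE for {sid}"
    return False, "implicit deny: no ACE granted every requested right"

# Constructed ACL for budget.doc (deny ACEs first, the usual ordering).
BUDGET_ACL = [
    ("deny", "Contractors", WRITE),
    ("allow", "Accounting", READ | WRITE),
    ("allow", "Users", READ),
]
# Constructed access tokens: account SID plus group SIDs.
JOE = {"Joe", "Accounting", "Users"}
ANN = {"Ann", "Contractors", "Accounting"}
BOB = {"Bob", "Users"}

if __name__ == "__main__":
    for name, token in (("Joe", JOE), ("Ann", ANN), ("Bob", BOB)):
        print(name, check_access(token, BUDGET_ACL, READ | WRITE))
    print("empty DACL", check_access(JOE, [], READ))
```

Because evaluation stops at the first decisive ACE, an allow ACE placed ahead of the deny ACE would let Ann through, which is why deny entries are listed first.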
Use the resource kit tool Show Privilege to determine what rights and privileges a user has on a computer. Use the resource kit tool whoami to show the contents of the access token for the currently logged on user.

Managing Proprietary Information

A new component, Rights Management Solutions (RMS), can be used to influence management of proprietary information on Windows systems. RMS is a client/server application development environment. On Windows Server 2003, the core elements of the RMS service manage licensing, machine activation, enrollment, and administrative functions. Client-side development uses native APIs for Windows 98 Second Edition and later clients. Applications that restrict authorization to copy, use, download, and otherwise manipulate licensed software and digital documents and recordings can be centrally controlled. For more information, the document "Microsoft Rights Management Solutions for the Enterprise: Persistent Policy Expression and Enforcement for Digital Information" can be downloaded from http://www.microsoft.com/windowsserver2003/techinfo/overview/rm.mspx.