Previous Page | Next Page

  1. Introduction
  2. Capabilities
  3. Structure
  4. The Registry
  5. System and Configuration Files
  6. Security
  7. Application Support
  8. Requirements
  9. Installation
  10. Unattended Installation
  11. Booting
  12. Filesystems
  13. Programs
  14. Control Panel
  15. Tool
  16. Commands
  17. Customization
  18. Environment Variables
  19. Printing
  20. Performance
  21. System Services
  22. Permissions
  23. Groups
  24. User Rights and Auditing
  25. User Profiles
  26. Policies
  27. Network Model
  28. Resource Access
  29. Network Browsing
  30. Protocol Support
  31. RAS
  32. Networking
  33. Backups
  34. Events
  35. Error Handling
  36. Diagnostic Tools
  37. Items to Memorize
  38. Terms
  39. Credits

Windows NT Workstation Security

Windows NT security features:

  • Logon Characteristics:
    • Mandatory Logon
    • Restricted user mode - User mode programs can't run during logon.
    • Physical logon - The CTRL-ALT-DEL sequence forces physical logon at the local terminal.
  • Memory protection
  • Auditing
  • Limited Network Access

NT security is provided by the Security Reference Monitor executive service. When a user attempts to access files, this part of the system will be sure they have permission before the access is allowed. When a user tries to run a program, and thus perform a function, the security reference monitor will be sure the user has rights to run the program. The term rights are used to refer to the user's ability to perform a function and the term permission is used to refer to a user's ability to access a resource such as a file or printer, but sometimes the terms are used interchangeably.

The NT Logon process

The CTRL-ALT-DEL key combination in NT disables user mode programs so a trojan program cannot intercept the user's name and password during the logon process. No user mode programs can be run until a valid logon has occurred. This is called restricted user mode. The CTRL-ALT-DEL key sequence indicates that there is a physically connected keyboard that the keystrokes are coming from. During the logon process, the Winlogon service passes the user's point of authentication, name, and password to the client/server (CSR) subsystem. The CSR passes the information to the security reference monitor which checks the Security Accounts Manager (SAM) database against the received information to see if the user is authentic. If so, a valid access token is generated and returned back down the line to the processes that sent the information.


Objects contain functions (services) and attributes (data). Every object has a type. Every resource or program is an object. Object types are:

  • directories
  • symbolic links
  • Printers
  • Processes
  • Network shares
  • Ports
  • Devices
  • Windows
  • Files
  • Threads

Each object has an Access Control List (ACL) which defines users and group permissions for the object. Each entry (ACE - Access Control Entry) in an ACL defines the permissions a specific user or group has for the object. Access token attributes are added to the object's ACL. When an object is accessed with given permissions like read and write, other permissions cannot be executed, such as delete, until the object is closed and delete permission is requested.

The Security Access Token

The access token must contain certain attributes or information that the system can use to verify user access and amount of access to resources and programs. Attributes of the access token include:

  • Security ID (SID)- Unique user ID
  • Group IDs
  • User permissions

Account types and where they can be used:

Workgroup modelDomain model
Account LocationLocal registrySAM database on domain controller
Account TypeLocal accountGlobal account

Local accounts are only used to access local resources on one machine. Global accounts may be used to access any resource on a large domain where permission is allowed. In the workgroup model, when a user has an account on a local machine and an account on a remote machine, there is a separate SID at each machine, so the user cannot use their SID from one machine to log onto another. The user must enter a separate logon session on each remote machine and will get a access token for each machine they logon to.

Passwords and User Names

Passwords are case sensitive and can be up to 14 characters. User names are not case sensitive and can be up to 20 characters. User names cannot contain any of the following characters:

" \ / [ ] ; : = | . + ? * < >

Security Types

  • Access Permissions
  • File level - User must be authenticated with User name and password.
  • User-level - The most secure since it requires both a user name and password. I believe this type of security is a reference to the user domain level security where all users are authenticated by the primary domain controller prior to being allowed access to network resources.

Another type of security often mentioned is share level security. This is normally used for peer to peer resource sharing and only a password is required. This is less secure than user or file level security.

Administrative shares

Administrators may view administrative shares from the Control panel server applet by selecting the "Shares" button. The Server Manager may be used on NT server. Adding a $ to the end of a share will make them hidden and you must know the share name thereafter to use the share.

  • Admin$ - This is where the system files were installed, usually C:\WINNT40. Users that can use these shares remotely are administrators, backup operators, and server operators.
  • drive$ - Every partition's root directory followed by a $. Users that can use these shares remotely are administrators, backup operators, and server operators.
  • IPC$ - Named pipes to be used to communicate between systems and programs. It is used to access resources on other computers.
  • Netlogon - Used on domain servers to authenticate users.
  • Print$ - Provides shared printer support.
  • REPL$ - Used on an NT server for directory replication.