Analysis of the Security of Windows NT
1 March 1999
15
SAM (Security Accounts Manager) is responsible for managing information about
accounts for users and user groups, either locally or domain wide depending on its
role. It also provides support for the authentication package, see section 5.3. The
secure accounts are stored as subobjects in a database in the registry. This database is
accessed and managed only by SAM. Table 2 shows some of the information stored
in the subobjects [43]. The hash function used to store the passwords is MD4.
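To make the last sentence concrete from a defender's point of view, here is an added example that is not part of the paper. It implements MD4 (RFC 1320) directly in Python, because OpenSSL 3 no longer exposes MD4 through hashlib by default, and uses it to show the property that makes MD4 password storage weak: the NT hash is MD4 over the UTF-16LE password with no per-user salt (a well-known fact about NT, but an assumption as far as the paragraph above is concerned), so two accounts with the same password receive the identical stored hash. The same accounts run through a salted, iterated derivation (PBKDF2-HMAC-SHA256, the mitigation a modern password store uses) no longer collide. The account list and salts are constructed sample data.

```python
"""Added example, not from the paper: pure-Python MD4 (RFC 1320) and a comparison
of unsalted MD4 password storage with a salted, iterated KDF.

Assumption (well known, but not stated in the paper text above): the NT hash is
MD4 over the UTF-16LE encoding of the password with no per-user salt.
"""
import hashlib
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 digest per RFC 1320: little-endian words, three rounds of 16 steps."""
    def F(x, y, z):
        return (x & y) | (~x & z)

    def G(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def H(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros up to 56 bytes mod 64, then the bit length as 64-bit LE.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        # Round 1: message words in order, shifts 3/7/11/19, no constant.
        for i in range(16):
            a = _rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c  # rotate registers: next step updates old d
        # Round 2: words taken column-wise (0,4,8,12,1,5,...), constant 0x5A827999.
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 3: bit-reversed word order, constant 0x6ED9EBA1.
        for i in range(16):
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    """NT-style stored hash: MD4 of the UTF-16LE password, no salt (assumption above)."""
    return md4(password.encode("utf-16-le")).hex()


def salted_hash(password: str, salt: bytes, iterations: int = 50_000) -> str:
    """The mitigation: per-user salt plus an iterated KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


# Constructed sample accounts (not real data): alice and bob chose the same password.
SAMPLE_ACCOUNTS = {"alice": "Winter2000", "bob": "Winter2000", "carol": "correct horse"}


def duplicate_hash_groups(accounts: dict, hasher) -> list:
    """Return groups of users whose stored hash under hasher(user, password) is identical."""
    by_hash = {}
    for user, pw in accounts.items():
        by_hash.setdefault(hasher(user, pw), []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


def unsalted_collisions(accounts: dict = SAMPLE_ACCOUNTS) -> list:
    """Under the NT scheme the duplicate password is visible in the hash table itself."""
    return duplicate_hash_groups(accounts, lambda user, pw: nt_hash(pw))


def salted_collisions(accounts: dict = SAMPLE_ACCOUNTS) -> list:
    """With a per-user salt (constructed here from the user name as a stand-in for a
    random salt) identical passwords no longer produce identical stored hashes."""
    return duplicate_hash_groups(
        accounts, lambda user, pw: salted_hash(pw, ("salt-" + user).encode()))


if __name__ == "__main__":
    print("MD4('abc') =", md4(b"abc").hex())
    print("unsalted duplicates:", unsalted_collisions())
    print("salted duplicates:  ", salted_collisions())
```

The two RFC 1320 test vectors (empty string and "abc") are enough to confirm the MD4 implementation; the empty-password NT hash is the same value as MD4 of the empty string because UTF-16LE of "" is empty. The point of the last two functions is the one an auditor cares about: with unsalted MD4 a single lookup over the SAM contents reveals shared passwords, while the salted variant forces per-account work.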
3.5 Objects
In NT, both software and hardware resources are represented by objects, e.g. files,
semaphores, timers, threads, processes, and memory. In fact, there are two kinds of
objects [3]:
Microkernel objects which are created by the microkernel and are exported to the
rest of the executive.
Executive objects which are visible in user mode. Most executive objects encapsulate
(contain) one or more microkernel objects.
3.5.1 Microkernel objects
Microkernel objects, sometimes simply called kernel objects, are the most primitive set
of objects implemented by the kernel and are not user-visible. They provide fundamental
capabilities that can only be accomplished by the kernel, which resides at the lowest
layer of the OS. There are two types of kernel objects [43]:
Dispatcher objects control scheduling and synchronization. Mutant, Event and
Event Pair, Semaphore, Timer, Thread, Process, and Queue form the set of dispatcher
objects in NT. These dispatcher objects have a signalled state, allowing
threads to suspend their own execution while waiting for the signalled state to
change.
Control objects are passive objects used for executive and device driver control.
These are not waitable, and therefore they do not have a signalled state. Control
objects include: Interrupts, Device queues, Profiles, Asynchronous Procedure Calls
(APCs), and Deferred Procedure Calls (DPCs).
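The waitable / non-waitable distinction above is easier to see in a small model. The following is an added example and not NT's kernel code; the class names (DispatcherObject, Mutant, ControlObject) and the helper functions are assumed for illustration. It models a dispatcher object as a signalled flag plus a wait operation that suspends the calling thread until the flag changes, a Mutant as the special case that is signalled while unowned and whose satisfied wait takes ownership, and a control object as an object with no signalled state and therefore nothing to wait on.

```python
"""Added example, not from the paper: a model of dispatcher objects (waitable,
with a signalled state) versus control objects (not waitable). Names are assumed
for illustration and are not NT's real kernel interfaces.
"""
import threading
from typing import Optional


class DispatcherObject:
    """A dispatcher object: carries a signalled state that threads can block on."""

    def __init__(self, signalled: bool = False):
        self._cond = threading.Condition()
        self.signalled = signalled

    def wait(self, timeout: Optional[float] = None) -> bool:
        """Suspend the caller until the object is signalled; False if the timeout expires."""
        with self._cond:
            return self._cond.wait_for(lambda: self.signalled, timeout)

    def set_signalled(self, value: bool) -> None:
        """Change the signalled state and wake every waiter so it re-checks."""
        with self._cond:
            self.signalled = value
            self._cond.notify_all()


class Mutant(DispatcherObject):
    """NT's mutex: signalled while unowned; a satisfied wait takes ownership,
    which clears the signalled state until the owner releases it."""

    def __init__(self):
        super().__init__(signalled=True)
        self.owner: Optional[int] = None

    def acquire(self, timeout: Optional[float] = None) -> bool:
        with self._cond:
            if not self._cond.wait_for(lambda: self.signalled, timeout):
                return False
            self.signalled = False
            self.owner = threading.get_ident()
            return True

    def release(self) -> None:
        with self._cond:
            self.owner = None
            self.signalled = True
            self._cond.notify_all()


class ControlObject:
    """A control object (APC, DPC, interrupt, ...): passive, no signalled state, no wait()."""

    def __init__(self, kind: str):
        self.kind = kind


def is_waitable(obj) -> bool:
    """Only dispatcher objects expose a signalled state a thread can wait on."""
    return isinstance(obj, DispatcherObject)


def waiter_outcome(obj: DispatcherObject, signal_after: Optional[float], timeout: float) -> bool:
    """Wait on obj with a timeout while a second thread signals it after
    signal_after seconds (None = never). Returns whether the wait was satisfied."""
    if signal_after is not None:
        threading.Timer(signal_after, obj.set_signalled, args=(True,)).start()
    return obj.wait(timeout)


if __name__ == "__main__":
    print("signalled in time:", waiter_outcome(DispatcherObject(), 0.05, 2.0))
    print("never signalled:  ", waiter_outcome(DispatcherObject(), None, 0.1))
    print("DPC waitable:     ", is_waitable(ControlObject("DPC")))
```

A thread that calls wait() on an unsignalled object really does block (it sits inside Condition.wait_for), which is the suspension the paragraph describes; a control object has no such state, so the model gives it no wait() at all.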
3.5.2 Executive Objects
The executive provides a number of objects for the servers, e.g. Win32 and WinLogon.
These objects, which are listed in Table 3, are called executive objects. They
should not be confused with the objects provided to application programs through the
Win32 API, the POSIX API, or the OS/2 API. In some cases, servers directly supply
executive objects to their client applications. In addition, a server can construct a new
type of object, for the clients, based on one or more of the primitive ones. Processes,
threads and access tokens are further described in section 5, because these are key
components in the security system.