Analysis of the Security of Windows NT
1 March 1999
3.6 Users and groups
In NT, a person who needs access to objects on a computer must have a valid user
account. In addition, to access a specific object, the user must hold access rights on that
object. Every user account contains information such as: username, password, full name,
logon hours, logon workstations, expiration date, home directory, logon script, profile
and account type. Some of these need further explanation. Full name is the user's
full name; for example, Hans's full name is Hans Hedbom. The logon hours specify the
hours of the week during which a user is allowed to log on to the system. The set of
computers from which a user may log on to the system is given by logon workstations.
The expiration date is the date on which the account is automatically disabled. The
profile is a file containing information about the user's desktop environment (e.g.
program groups and colours) which, when stored on a server, follows the user from one
workstation to another. Finally, the account type is, for most accounts, an ordinary
user account.
By default there are two accounts: Administrator and Guest. From the Administrator
account, new accounts can be created. New user accounts are added with the User
Manager tool, a standard tool distributed and installed together with the OS.
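The account attributes listed above can also be inspected from the command line, without User Manager. The following PowerShell script is an added example and not code from the paper: it parses the output of net user (which exists on NT 4 and later Windows; PowerShell itself is a later tool, used here only to drive the check) and flags the settings a reviewer would question: an enabled Guest account, no password required, no expiration date, and unrestricted logon hours or logon workstations. The field labels assumed here ("Account active", "Account expires", "Logon hours allowed", "Workstations allowed", "Password required") are those of the English-locale output.

```powershell
# Added example (not code from the paper): audit the per-account settings
# described in section 3.6 by parsing "net user" output. "net user" exists on
# NT 4 and later; the labels matched below are those of the English-locale
# output and are assumed to match the system the script runs on.

function Get-LocalAccountNames {
    # Names are printed in columns between the dashed rule and the
    # "The command completed" trailer; columns are separated by 2+ spaces.
    $inList = $false
    foreach ($line in (& net user)) {
        if ($line -match '^-{5,}')                 { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line.Trim())             { $line.Trim() -split '\s{2,}' }
    }
}

function Get-NetUserAccount {
    param([Parameter(Mandatory)][string]$Name)
    $out = & net user $Name 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }   # unknown account
    $props = [ordered]@{ Name = $Name }
    foreach ($line in $out) {
        # Property lines look like "<label><2+ spaces><value>". Continuation
        # lines of the group-membership list start with whitespace and are
        # skipped, so only the first group of each kind is recorded.
        if ($line -match '^(\S.*?)\s{2,}(.*)$') {
            $props[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    [pscustomobject]$props
}

function Test-AccountSettings {
    param([string[]]$Names = (Get-LocalAccountNames))
    foreach ($n in $Names) {
        $a = Get-NetUserAccount -Name $n
        if (-not $a) { continue }
        $findings = @()
        if ($n -eq 'Guest' -and $a.'Account active' -eq 'Yes') {
            $findings += 'built-in Guest account is enabled'
        }
        if ($a.'Password required' -eq 'No')     { $findings += 'no password required' }
        if ($a.'Account expires' -eq 'Never')    { $findings += 'account never expires' }
        if ($a.'Logon hours allowed' -eq 'All')  { $findings += 'logon hours unrestricted' }
        if ($a.'Workstations allowed' -eq 'All') { $findings += 'logon workstations unrestricted' }
        [pscustomobject]@{
            Account  = $n
            Active   = $a.'Account active'
            Findings = ($findings -join '; ')
        }
    }
}

# Run against every local account and print one row per account.
Test-AccountSettings | Format-Table -AutoSize -Wrap
```

"Never" for the expiration date and "All" for logon hours and workstations are the defaults for every new account, so the script reports them for most accounts; the point is to make the reviewer decide, per account, whether the default is acceptable. On a domain controller, net user lists domain accounts rather than local ones.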
NT supports the concept of groups, similar to that of UNIX. Microsoft [40] is of the
opinion that NT groups are more powerful than groups in UNIX. With groups, permissions
can be granted to a set of related users, which makes the procedure of granting
TABLE 3. Executive objects

Object type       Description
Process           An instance of a running program, including the address space and
                  resources.
Thread            An executable unit within a process.
Section           A region of shared memory.
File              An instance of a file or an I/O device.
Port              A destination for messages sent by one thread in a process to another
                  thread in another process.
Access token      An identification containing information about a logged-on user.
Event             A notification that a system event has occurred.
Event pair        A notification that a dedicated application thread has copied a message to
                  the Win32 server.
Semaphore         A counter that regulates the number of threads that can simultaneously use
                  a resource.
Mutant            A mechanism that gives mutual exclusion capabilities.
Timer             A counter that records the passage of time.
Object directory  A memory-based repository for object names.
Symbolic link     A mechanism for indirect reference to an object (compare symbolic links
                  in UNIX).
Profile           A mechanism used for performance tuning.
Key               An index for referring to records in the configuration database.