Windows Security

Security Principals

A security principal in Windows is an entity that can be authenticated by the operating system and assigned permissions and privileges.

  • User account

  • Computer account

  • Service Account

  • Thread or process running in the security context of an account

Security principals are subjects that request access to securable objects.

Security Identifier (SID)

Each security principal gets a unique and permanent SID generated by the OS.

A SID is composed of:

  • Identifier Authority: indicates the authority that issued the SID, usually NT Authority

  • Relative ID (RID): a unique numerical value appended after the Identifier Authority

RID

Each user account in Windows has a Security Identifier (SID), and the RID is its last component. For the built-in Administrator account the RID is typically 500.
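As an added example (not part of the original notes), the following Python parses a textual SID into its revision, identifier authority and sub-authorities, exposes the RID as the last sub-authority, and checks for RID 500 the way a defender would when hunting for a renamed built-in Administrator account. The sample SID, the well-known RID table and the helper names are assumptions made for this example; the RID values themselves are the documented Microsoft ones.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Well-known RIDs (documented by Microsoft). An account can be renamed, but its RID
# cannot change, which is why defenders key on the RID rather than the account name.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    512: "Domain Admins",
    513: "Domain Users",
    544: "Administrators (BUILTIN group)",
    545: "Users (BUILTIN group)",
}

IDENTIFIER_AUTHORITIES = {0: "Null Authority", 1: "World Authority",
                          2: "Local Authority", 5: "NT Authority"}


@dataclass
class SID:
    revision: int
    identifier_authority: int
    sub_authorities: List[int]

    @property
    def rid(self) -> Optional[int]:
        """The RID is the final sub-authority (None for authority-only SIDs such as S-1-5)."""
        return self.sub_authorities[-1] if self.sub_authorities else None

    @property
    def domain_sid(self) -> Optional[str]:
        """Everything before the RID: the SID of the issuing machine or domain."""
        if len(self.sub_authorities) < 2:
            return None
        head = "-".join(str(s) for s in self.sub_authorities[:-1])
        return f"S-{self.revision}-{self.identifier_authority}-{head}"

    def __str__(self) -> str:
        parts = ["S", str(self.revision), str(self.identifier_authority)]
        return "-".join(parts + [str(s) for s in self.sub_authorities])


# S-<revision>-<identifier authority, decimal or 0x hex>-<sub-authority>...
_SID_RE = re.compile(r"^S-(\d+)-(\d+|0x[0-9A-Fa-f]+)((?:-\d+)*)$")


def parse_sid(text: str) -> SID:
    """Parse the string form of a SID, rejecting anything that is not structurally valid."""
    m = _SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    revision = int(m.group(1))
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    authority = int(m.group(2), 0)
    subs = [int(p) for p in m.group(3).split("-")[1:]] if m.group(3) else []
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    if any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority values are 32-bit")
    return SID(revision, authority, subs)


def is_builtin_administrator(sid: SID) -> bool:
    """Machine/domain account SIDs start with S-1-5-21; RID 500 is the built-in Administrator."""
    return (sid.identifier_authority == 5
            and sid.sub_authorities[:1] == [21]
            and sid.rid == 500)


def describe(sid: SID) -> str:
    auth = IDENTIFIER_AUTHORITIES.get(sid.identifier_authority,
                                      f"authority {sid.identifier_authority}")
    name = WELL_KNOWN_RIDS.get(sid.rid, "unrecognised RID")
    return f"{sid} issued by {auth}; RID {sid.rid} = {name}"


if __name__ == "__main__":
    # Constructed sample SID for a local account on some machine.
    sample = parse_sid("S-1-5-21-3623811015-3361044348-30300820-500")
    print(describe(sample))
    print("built-in Administrator:", is_builtin_administrator(sample))
```

Note that `is_builtin_administrator` deliberately ignores the account name: a renamed Administrator account still ends in `-500`, whereas a user-created account named "Administrator" never does.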

Securable Objects

A securable object is an object that can have a security descriptor:

  • File

  • Folder

  • Registry Key

  • ...

Securable objects are accessed by security principals.

Read more on securable objects, security descriptors and ACEs in the Integrity Control / Access Control List section.

Security Account Manager (SAM)

SAM is a database that stores local user account information, including hashed passwords.

SAM entries are stored in the Windows Registry under the path HKEY_LOCAL_MACHINE\SAM.

Local Security Authority (LSA)

LSA is the process responsible for managing authentication and generating access tokens for user sessions.

Tokens generated by LSA contain:

  • The SID

  • Other security information

The token is used to authorize every thread / process started by the user.

Read more on that in the Access Tokens section.

LSA is implemented as the system process lsass.exe (a process rather than a service, because it is too critical to be stopped or restarted like one).

Recap of LSA authentication & authorization flow

  • The local user submits credentials

  • LSA checks the credentials against the SAM database

  • If a match is found, LSA generates an access token

  • The access token is then used to evaluate the user's permissions on securable objects

Read more on that in the Access Tokens section.
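The flow above, together with the securable-object and token concepts from the earlier sections, is simulated end to end in this added Python example (not code from the original notes or from Windows itself). An in-memory `SAM` holds hashed credentials, an `LSA` class checks a logon against it and mints an `AccessToken` carrying the user SID and group SIDs, and `access_check` walks an object's DACL the way the kernel does: deny ACEs are evaluated first, an allow ACE only grants what it lists, and anything not explicitly allowed is denied. The machine SID, account names, passwords, access-mask bits and salted PBKDF2 hashing are assumptions for this example; real SAM entries store an unsalted NT hash, which is precisely why the SAM hive is so sensitive.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# Well-known SIDs are the documented ones; MACHINE_SID is constructed for this example.
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
EVERYONE = "S-1-1-0"
ADMINISTRATORS = "S-1-5-32-544"
USERS = "S-1-5-32-545"

# Access-mask bits: a constructed subset of the real generic rights.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4


def _hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in for the NT hash the real SAM stores (that one is unsalted MD4 of UTF-16LE).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-16-le"), salt, 10_000)


@dataclass
class SamEntry:
    rid: int
    salt: bytes
    pw_hash: bytes
    groups: List[str]


class SAM:
    """In-memory stand-in for HKLM\\SAM: account name -> hashed credential and group list."""
    def __init__(self) -> None:
        self.accounts: Dict[str, SamEntry] = {}

    def add_user(self, name: str, password: str, rid: int, groups: List[str]) -> None:
        salt = os.urandom(16)
        self.accounts[name.lower()] = SamEntry(rid, salt, _hash_password(password, salt), list(groups))

    def verify(self, name: str, password: str) -> Optional[SamEntry]:
        entry = self.accounts.get(name.lower())
        if entry is None:
            return None
        # Constant-time compare so a wrong guess does not leak how much of the hash matched.
        if not hmac.compare_digest(entry.pw_hash, _hash_password(password, entry.salt)):
            return None
        return entry


@dataclass(frozen=True)
class AccessToken:
    user_sid: str
    group_sids: frozenset


class LSA:
    """Authenticates against the SAM and mints the token every later access check consults."""
    def __init__(self, sam: SAM) -> None:
        self.sam = sam

    def logon(self, name: str, password: str) -> Optional[AccessToken]:
        entry = self.sam.verify(name, password)
        if entry is None:
            return None          # no token, so no thread or process can run as this user
        return AccessToken(user_sid=f"{MACHINE_SID}-{entry.rid}",
                           group_sids=frozenset({EVERYONE, *entry.groups}))


@dataclass
class ACE:
    allow: bool      # False means an access-denied ACE
    sid: str
    mask: int


@dataclass
class SecurableObject:
    name: str
    dacl: List[ACE]  # canonical order: deny ACEs first, then allow ACEs


def access_check(token: AccessToken, obj: SecurableObject, desired: int) -> bool:
    """Walk the DACL in order: a deny ACE covering any still-wanted right fails the check;
    allow ACEs accumulate rights until every desired bit is granted. An empty DACL grants nothing."""
    remaining = desired
    token_sids = token.group_sids | {token.user_sid}
    for ace in obj.dacl:
        if ace.sid not in token_sids:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def demo() -> Dict[str, bool]:
    """Constructed accounts and one file-like object with a three-ACE DACL."""
    sam = SAM()
    sam.add_user("Administrator", "example-admin-pw", rid=500, groups=[ADMINISTRATORS])
    sam.add_user("alice", "example-user-pw", rid=1001, groups=[USERS])
    lsa = LSA(sam)
    secret = SecurableObject("C:\\secret.txt", dacl=[
        ACE(allow=False, sid=USERS, mask=WRITE),
        ACE(allow=True, sid=ADMINISTRATORS, mask=READ | WRITE | EXECUTE),
        ACE(allow=True, sid=EVERYONE, mask=READ),
    ])
    alice = lsa.logon("alice", "example-user-pw")
    admin = lsa.logon("Administrator", "example-admin-pw")
    return {
        "bad_password_rejected": lsa.logon("alice", "wrong") is None,
        "alice_can_read": access_check(alice, secret, READ),
        "alice_can_write": access_check(alice, secret, WRITE),
        "admin_can_write": access_check(admin, secret, WRITE),
    }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome}: {value}")
```

The point to notice in `access_check` is that group membership, not the user SID alone, decides most outcomes: alice's token carries the Users SID, so the deny ACE on Users blocks her write even though Everyone is allowed to read, and the Administrator token succeeds only because the deny ACE never matches any SID in it.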

AppLocker

AppLocker helps control which apps and files users can run.

It is essentially a whitelisting/blacklisting mechanism for applications.
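To make the whitelisting/blacklisting idea concrete, here is an added Python example (not code from the original notes and not AppLocker's own implementation) that evaluates a constructed set of path rules with the precedence AppLocker documents for a rule collection that has rules: an explicit Deny beats an explicit Allow, and any file no Allow rule covers is implicitly denied. The rule names, the environment-variable table, the SIDs used as principals and the sample paths are assumptions made for this example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, List

# Constructed environment table for the path variables AppLocker-style rules use.
PATH_VARIABLES = {
    "%WINDIR%": r"C:\Windows",
    "%PROGRAMFILES%": r"C:\Program Files",
}
EVERYONE = "S-1-1-0"
ADMINISTRATORS = "S-1-5-32-544"
USERS = "S-1-5-32-545"


@dataclass
class PathRule:
    name: str
    action: str      # "Allow" or "Deny"
    pattern: str     # path with optional %VARIABLE% prefix and * wildcards
    principal: str   # SID of the user or group the rule applies to


def _normalise(path: str) -> str:
    """Expand path variables and fold case, since Windows paths are case-insensitive."""
    for var, value in PATH_VARIABLES.items():
        path = path.replace(var, value)
    return path.lower()


def evaluate(rules: List[PathRule], exe_path: str, token_sids: Iterable[str]) -> str:
    """Return "Allow" or "Deny" for exe_path run by a principal holding token_sids."""
    if not rules:
        return "Allow"   # a collection with no rules is not enforced at all
    sids = set(token_sids)
    target = _normalise(exe_path)
    matched = [r for r in rules
               if r.principal in sids and fnmatchcase(target, _normalise(r.pattern))]
    if any(r.action == "Deny" for r in matched):
        return "Deny"    # explicit deny wins over any allow
    if any(r.action == "Allow" for r in matched):
        return "Allow"
    return "Deny"        # implicit deny: nothing allowed it


# Constructed rule set in the spirit of the default rules plus one hardening deny:
# %WINDIR%\Temp is writable by standard users, so the broad %WINDIR% allow would
# otherwise cover anything dropped there.
SAMPLE_RULES = [
    PathRule("Windows folder", "Allow", r"%WINDIR%\*", EVERYONE),
    PathRule("Program Files", "Allow", r"%PROGRAMFILES%\*", EVERYONE),
    PathRule("Admins run anything", "Allow", r"*", ADMINISTRATORS),
    PathRule("Block Windows\\Temp", "Deny", r"%WINDIR%\Temp\*", EVERYONE),
]


if __name__ == "__main__":
    standard_user = {EVERYONE, USERS}
    admin_user = {EVERYONE, ADMINISTRATORS}
    for path, who, label in [
        (r"C:\Program Files\App\app.exe", standard_user, "user"),
        (r"C:\Users\alice\Downloads\tool.exe", standard_user, "user"),
        (r"C:\Users\alice\Downloads\tool.exe", admin_user, "admin"),
        (r"C:\Windows\Temp\tool.exe", admin_user, "admin"),
    ]:
        print(f"{label:5} {path}: {evaluate(SAMPLE_RULES, path, who)}")
```

The last case is the instructive one: the administrator matches two Allow rules, yet the single Deny on `%WINDIR%\Temp\*` still wins, which is the behaviour that makes a well-placed deny rule reliable regardless of how generous the allow rules are.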

Local Group Policies & Privileges

Local group policies are rules governing system behavior on a local machine, including security, software, and system settings.

Read more on local policies and privileges in the Security Policies & Privileges section.
