Improving the granularity of access control for Windows 2000
- 1 November 2002
- journal article
- Published by Association for Computing Machinery (ACM) in ACM Transactions on Information and System Security
- Vol. 5 (4) , 398-437
- https://doi.org/10.1145/581271.581273
Abstract
This article presents the mechanisms in Windows 2000 that enable fine-grained and centrally managed access control for both operating system components and applications. These features were added during the transition from Windows NT 4.0 to support the Active Directory, a new feature in Windows 2000, and to protect computers connected to the Internet. While the access control mechanisms in Windows NT are suitable for file systems and applications with simple requirements, they fall short of the needs of applications with complex data objects. Our goal was to use operating system access control mechanisms to protect a large object hierarchy with many types of objects, each with many data properties. We also wanted to reduce the exposure of users to untrustworthy or exploited programs. We introduced three extensions to support these goals. First, we extended the entries in access control lists to provide an unlimited number of access rights for a single object and to allow grouping those rights for efficiency. Second, we extended the entries to specify precisely how access control lists are assigned to each distinct type of object, instead of treating all types identically. Finally, we extended the data structure identifying users' identity to the operating system to allow users to restrict the set of objects a program may access. These changes allow a single access control mechanism to be used to protect both system and application resources, as well as protect users from each other and users from their programs, simplifying both program development and system management.
This publication has 10 references indexed in Scilit:
- The TLS Protocol Version 1.0. Published by RFC Editor, 1999
- Role-based access control models. Computer, 1996
- NFS Version 3 Protocol Specification. Published by RFC Editor, 1995
- Lightweight Directory Access Protocol. Published by RFC Editor, 1995
- A calculus for access control in distributed systems. ACM Transactions on Programming Languages and Systems, 1993
- Specifying discretionary access control policy for distributed systems. Computer Communications, 1990
- Integrating security in a large distributed system. ACM Transactions on Computer Systems, 1989
- A lattice model of secure information flow. Communications of the ACM, 1976
- The protection of information in computer systems. Proceedings of the IEEE, 1975
- The UNIX time-sharing system. Communications of the ACM, 1974