Where Permissions Are Stored

By Author: Shirley Green
Total Articles: 129
Comment this article

The first version of the NTFS file system stored security descriptors with each file MCITP Certification and folder, and with each registry key. If a permission was changed on a folder, all files and folders below that folder inherited the permission change and each file and folder security descriptor was modified accordingly. Registry key security descriptors were managed the same way. The registry key contained its own security descriptor and if permissions changed on a parent key, the security descriptor of every child key also changed.
Windows 2000 NTFS changed that. In the Windows 2000 version of NTFS—and in Windows Server 2003 and Windows XP—security descriptors are stored in a special hidden object in the file system. Each file and folder, instead of including a security descriptor, contains only a pointer to the security descriptor. In addition, the file system now stores only unique security descriptors. That is, if a file has only the Allow Accountants Read permissions, a security descriptor is stored. If 10 files or 100 files have this same descriptor, ...
... still only one copy is stored. When a permission set is changed, the change is made only to the one security descriptor. Files and folders that inherit this change in setting do not receive the information that permissions have changed. However, when a user next attempts to access the free A+ practice exams file, the new security descriptor will be evaluated, and thus the new permissions will be applied. This new way of storing and managing permissions makes permission evaluation much more efficient.
Note Registry permissions, however, are stored as they were in Windows NT; security descriptors are stored with the registry key.
The basic access control process works like this:
1.The user or a process acting on behalf of the user attempts to access an object.
Access attempts can be things like "Open a file for reading and writing," "Query a registry key," or even "Reset a password."
2.The security reference monitor compares the SIDs contained in the access token to the SIDs in each ACE for the ACL.
3.If no matching SIDs are found, access is denied implicitly.
4.If a matching SID is found, the request is evaluated based on the contents of the ACE according to the following rules:
If the permission in the ACE matches some part of the request, the action of the ACE is evaluated free Security+ practice exams. Otherwise, access will be denied.
If the action is Deny, access is denied.
If the action is Allow, any other requested permissions must be processed.