Access Control Model

The security systems in Windows 2000 are based on technologies originally developed for Windows NT. Both operating systems control access to resources in fundamentally the same way. If you are familiar with Windows NT 4.0 or earlier versions of Windows NT, you know that its access control model has the following characteristics:

User-based authorization    In Windows NT, every application that you start runs in your security context, not in its own security context. The application can do only what you are authorized to do. For example, when you use Microsoft Word, it can access only documents that you are authorized to access. When another user uses Word, it can access only documents that the other user is authorized to access. In Windows 2000, this aspect of the access control model is significantly enhanced. Applications can be designed to run in restricted security contexts, giving them fewer privileges and more limited access than their users.

Discretionary access to securable objects    In Windows NT, the user who owns an object can control who has permission to use it and in what way. An object's owner can give permission for different kinds of access to particular users or groups of users. For example, the owner of a file object can give read and write permission to all members of a group while denying write access to a particular member of the group. In Windows 2000, owners can allow or deny other users access to individual properties of certain types of objects as well as to the entire object.

Inheritance of permissions    In Windows NT, you can control permissions for new objects created in a container object by setting inheritable permissions on the container. For example, the permissions that you set on an NTFS folder are inherited by new subfolders and files created within the folder. In Windows 2000, the permissions that you set on a container are inherited by existing objects in the container as well as newly created objects.
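The two scenarios above (a group allowed read and write while one member is denied write, and a new file receiving the permissions set on its folder) can be traced through a small model of how Windows walks a DACL during an access check. This is an added example, not code from the Windows documentation; it is a deliberately simplified model (the owner's implicit rights and generic-to-specific mask mapping are left out), and the SIDs, names and folder DACL are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # simplified access-mask bits

@dataclass(frozen=True)
class Ace:
    kind: str               # "allow" or "deny"
    trustee: str            # SID of the user or group the ACE applies to
    mask: int               # access bits the ACE allows or denies
    inheritable: bool = False  # propagated to new objects in a container

@dataclass(frozen=True)
class Token:
    user: str
    groups: frozenset[str] = frozenset()
    def matches(self, sid: str) -> bool:
        return sid == self.user or sid in self.groups

def access_check(dacl: list[Ace], token: Token, desired: int) -> bool:
    """Walk the ACEs in order. A deny ACE that covers any still-ungranted bit
    refuses access immediately; an allow ACE removes the bits it grants."""
    remaining = desired
    for ace in dacl:
        if not token.matches(ace.trustee):
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0  # bits no ACE granted (or an empty DACL walk) mean denied

def inherit_dacl(parent: list[Ace]) -> list[Ace]:
    """A new object created in a container receives the container's inheritable ACEs."""
    return [ace for ace in parent if ace.inheritable]

# Constructed scenario from the text: the group may read and write the folder,
# but one member (Bob) is explicitly denied write. Canonical DACL order places
# explicit deny ACEs before explicit allow ACEs, so the deny is evaluated first.
GROUP, ALICE, BOB = "S-1-5-21-1-1-1-2001", "S-1-5-21-1-1-1-1001", "S-1-5-21-1-1-1-1002"
FOLDER_DACL = [Ace("deny", BOB, WRITE, inheritable=True),
               Ace("allow", GROUP, READ | WRITE, inheritable=True)]

def demo() -> dict[str, bool]:
    alice, bob = Token(ALICE, frozenset({GROUP})), Token(BOB, frozenset({GROUP}))
    file_dacl = inherit_dacl(FOLDER_DACL)  # DACL a new file in the folder receives
    return {"alice_write": access_check(file_dacl, alice, WRITE),
            "bob_read": access_check(file_dacl, bob, READ),
            "bob_write": access_check(file_dacl, bob, WRITE)}
```

Swapping the two ACEs so the allow comes first would let Bob write, which is why tools that edit DACLs keep them in canonical order.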

Administrative privileges    In Windows NT, you can control which users or groups have the right to perform various administrative functions or to take any action that affects systemwide resources. For example, an administrator can give one group of users the right to log on interactively, and give a more select group of users the right to load and unload device drivers. In Windows 2000, you can centrally manage administrative privileges on all computers joined to a domain by using Group Policy.

Auditing of system events    In Windows NT, you can use the auditing feature to detect attempts to circumvent protections on resources or to create an audit trail of administrative actions on the system. For example, you can set security policy so that failed logon attempts are recorded in the security event log. If another administrator changes the auditing policy so that failed logon attempts are no longer audited, the log shows this event too. In Windows 2000, you can use Group Policy to centrally control who is allowed to manage security logs on computers joined to a domain.