Access Control

The security provisions of Microsoft® Windows NT® are automatically available to Win32-based applications. Every application running on the system is subject to the security imposed by the particular configuration of the local Windows NT implementation. Windows NT is the only platform that supports Win32 security.

The impact of Windows NT security on most Win32 functions is minimal, and a Win32-based application not requiring security functionality usually does not need to incorporate any special code. However, you can use the security features of Windows NT to provide a number of services to a Win32-based application.

This overview describes the Windows NT security model for controlling access to Win32 objects such as files, and for controlling access to administrative functions such as setting the system time or auditing user actions. The Access-Control Model topic provides a high-level description of the access control components and how they interact with each other. Following this description are topics that discuss the access-control components:

• Access Tokens
• Security Descriptors
• Access-Control Lists (ACLs)
• Access-Control Entries (ACEs)
• Access Rights and Access Masks
• Security Identifiers (SIDs)

The following topics discuss common access-control tasks:

• Modifying an Object's Security Descriptor
• Checking a Thread's Access to an Object
• Controlling Child Object Creation
• Controlling Access to an Object's Properties
• Requesting Access Rights to an Object

The following topics provide sample code for access-control tasks:

• Modifying an Object's ACLs
• Creating a Security Descriptor for a New Object
• Enabling and Disabling Privileges
• Searching for a SID in an Access Token
• Taking Object Ownership
• Converting a Binary SID to String Format