security n.
Skip this Video
Loading SlideShow in 5 Seconds..
Security PowerPoint Presentation
Download Presentation

Loading in 2 Seconds...

play fullscreen
1 / 8

Security - PowerPoint PPT Presentation

  • Uploaded on

Security. 參考資料 : ms-help://MS.MSDNQTR.2004JAN.1033/security/security/access_control.htm. Introduction. Access control who can access resources in OS the access control functions are called to set 誰能夠存取或操控應用程式提供的 resource windows objects 的存取控制.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Security' - teness

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript




  • Access control
    • who can access resources in OS
    • the access control functions are called to set
      • 誰能夠存取或操控應用程式提供的 resource
  • windows objects 的存取控制

WindowsMe/98/95:Access control is not supported.

Files 和

Administrative functions (設定 system time).

c2 level security control access protection
C2-level Security (Control Access Protection)
  • U.S. Department of Defense 定義的需求
    • 必須要能同意或拒絕個人或群組控制 resource 的存取權限
    • 當 process 釋放後, Memory 的內容應該不能被讀出來
      • a security file system: protect deleted files from being read
    • Users must identify themselves in a unique manner when they log on
    • 系統管理員 可以調閱 security events (反之亦然)
    • 系統應該被保護起來 (不受外界干擾,或竄改)
      • 正在執行的系統不能被更改
      • System files 亦不能被更改

WindowsMe/98/95:不支援 C2 Security.

access control components access control model
Access Control ComponentsAccess Control Model
  • 基本的 access control 元件
    • Access Token: 包含 logged-on user 的資訊
    • Security descriptors: 包含可受保護元件的 security 資訊

WindowsMe/98/95:不支援 Access Control.

系統利用 access control 判斷該 user

是否可以存取 securable object

User name

Passwd 驗證


系統建立 一個

Access control 元件

對應到目前 user

Access control 元件在Windows的使用.


包含了建造者的 security information

系統 assign 一個 security descriptor 給他

當建立一個 securable object,

  • A security descriptor
    • identifies the object's owner
    • 包含了下面的存取控制串列
      • DACL (Discretionary access control list)
        • 定義哪些 user 或 group 可以存取該物件
      • SACL (System access control list)
        • 內涵 ACEs(access control entries) 描述會產生 audit report 的存取企圖並且指定系統如何產生 audit(查核) message
access tokens access control components
Access TokensAccess Control Components
  • the security context of a process or thread
  • Information about
    • the identity and privileges of the user account associated with the process or thread
  • 如何產生:
    • 當使用者 logon 時, 系統檢查使用者輸入的 password 與 security database 中是否一樣.如果通過驗證,則系統指派一個 access token 給這個 user.
  • 用途:
    • 當一個 thread 企圖與一個 securable object 交互作用或者要執行某個需要特權(privileges) system 工作時, 就會使用 access token 來標明使用者
access tokens access control components1
Access TokensAccess Control Components
  • Access Token 的內容
    • SID (Security Identifier): 一個唯一的值用來標明一個 trustee.
      • 每次 user 通過 logon 後, 系統由 security database 將 該user account 的 SID 放到該名user 的 access token 中.
      • 將來 user 與 Windows 系統互動都使用 SID 來代替這位 user
    • SID 的用途
      • 在 security descriptors 中用來表示 object 的 owner 與 primary group 使用
      • 在 access control list 中, 用來表示那些 trustee