Security Reference Monitor (SRM)
Last updated
Most important subsystem in the kernel.
Implements the security mechanisms that restrict which users can access different resources.
Every process running on the system gets an access token
The SRM manages the access token, which defines the identity of the user associated with the process
Responsible for generating audit events whenever a user accesses a resource
These audit events can be used to identify malicious behavior on a system and also to diagnose security misconfigurations.
Security Identifiers (SIDs) - binary structures representing users and groups
Local Security Authority Subsystem (LSASS)
Converts user and group names to SIDs
Runs inside a privileged process independent from any logged-in users
Security Descriptor Definition Language (SDDL)
Format used to represent a SID as a string
SDDL can represent the entire security descriptor of a resource
Output contains the SID in SDDL format
S character - indicates that what follows is an SDDL SID
Revision of the SID structure in decimal; it has a fixed value of 1
The security authority. Authority 5 indicates the built-in NT authority
Two relative identifiers (RIDs) in decimal. The RIDs (here 32 and 545) identify the NT authority group
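The SDDL string is only a textual rendering of the binary SID the SRM actually compares. The added example below (not from the original notes) converts between the two forms so the field layout described above can be checked on real values: one revision byte, one sub-authority count byte, a 6-byte big-endian identifier authority, then each RID as a little-endian 32-bit integer. The limits enforced (revision 1, authority below 2^48, at most 15 RIDs, hex rendering of authorities that do not fit in 32 bits) follow the public SID definition; the function names are the example's own.

```python
import struct

MAX_SUB_AUTHORITIES = 15          # SID_MAX_SUB_AUTHORITIES in the SDK headers
SID_REVISION = 1                  # the only revision value defined so far


def parse_sddl_sid(text: str) -> dict:
    """Parse an SDDL SID string such as 'S-1-5-32-545' into its components."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not an SDDL SID: {text!r}")
    revision = int(parts[1])
    if revision != SID_REVISION:
        raise ValueError(f"unsupported SID revision {revision}")
    # The authority is written in decimal, or as 0x-prefixed hex when it needs more than 32 bits.
    authority = int(parts[2], 16) if parts[2].lower().startswith("0x") else int(parts[2])
    if not 0 <= authority < 2 ** 48:
        raise ValueError("identifier authority must fit in 48 bits")
    rids = [int(p) for p in parts[3:]]
    if len(rids) > MAX_SUB_AUTHORITIES:
        raise ValueError("too many sub-authorities")
    if any(not 0 <= r < 2 ** 32 for r in rids):
        raise ValueError("each RID must fit in 32 bits")
    return {"revision": revision, "authority": authority, "rids": rids}


def sid_to_bytes(revision: int, authority: int, rids: list) -> bytes:
    """Serialize SID components into the binary SID structure the kernel stores."""
    header = bytes([revision, len(rids)])            # Revision, SubAuthorityCount
    identifier_authority = authority.to_bytes(6, "big")  # IdentifierAuthority is big-endian
    sub_authorities = b"".join(struct.pack("<I", r) for r in rids)  # RIDs are little-endian
    return header + identifier_authority + sub_authorities


def bytes_to_sddl(data: bytes) -> str:
    """Render a binary SID back into SDDL form, validating the length field first."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if revision != SID_REVISION or count > MAX_SUB_AUTHORITIES:
        raise ValueError("invalid SID header")
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    rids = [struct.unpack_from("<I", data, 8 + 4 * i)[0] for i in range(count)]
    authority_text = str(authority) if authority < 2 ** 32 else f"0x{authority:012X}"
    return "S-" + "-".join([str(revision), authority_text] + [str(r) for r in rids])


def sddl_round_trip(text: str) -> str:
    """Parse, serialize and re-render; a correct implementation returns the input unchanged."""
    sid = parse_sddl_sid(text)
    return bytes_to_sddl(sid_to_bytes(sid["revision"], sid["authority"], sid["rids"]))


if __name__ == "__main__":
    # Constructed sample: the NT authority group SID from the notes above.
    sample = "S-1-5-32-545"
    sid = parse_sddl_sid(sample)
    print(sid)
    print(sid_to_bytes(sid["revision"], sid["authority"], sid["rids"]).hex(" "))
    print(sddl_round_trip(sample))
```

The length check in `bytes_to_sddl` matters in practice: the sub-authority count byte drives how many RIDs a reader consumes, so a SID whose count disagrees with its actual length must be rejected rather than read past the buffer.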