Security Reference Monitor (SRM)
The Security Reference Monitor (SRM) is a core component of the Windows operating system responsible for enforcing the security policy of the system. It acts as the gatekeeper for all access control operations, ensuring that subjects (processes, threads) are granted or denied access to objects (files, registry keys, processes, etc.) based on the security descriptors associated with those objects and the privileges of the subjects.
Core Functions of the SRM
Access Checking
The primary function of the SRM is to perform access checks. When a subject requests access to an object, the SRM:
- Retrieves the security descriptor of the target object.
- Compares the requested access rights with the access control entries (ACEs) in the object's Discretionary Access Control List (DACL).
- Evaluates the subject's security token, in particular its user and group SIDs and its privileges, to determine whether the requested access should be allowed or denied.
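To make the ordered DACL walk concrete, here is an added example (not Windows code and not part of the original page) that models the check in Python. SIDs, the READ/WRITE bits, and the sample descriptor are constructed placeholders; the owner's implicit READ_CONTROL and WRITE_DAC rights and the "first matching ACE decides a bit" rule follow the real algorithm, while privileges and MAXIMUM_ALLOWED are left out.

```python
# Added example: simplified model of the SRM's ordered DACL walk.
# Not Windows code: SIDs and the READ/WRITE bits below are constructed placeholders.
from dataclasses import dataclass, field
from typing import List, Optional, Set

READ, WRITE = 0x1, 0x2                        # constructed access-mask bits
READ_CONTROL, WRITE_DAC = 0x20000, 0x40000    # real Win32 standard-right values
OWNER_RIGHTS = READ_CONTROL | WRITE_DAC       # implicitly granted to the owner

@dataclass
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee SID this ACE applies to
    mask: int   # access bits granted or denied

@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]]   # None models a NULL DACL (no protection at all)

@dataclass
class Token:
    user: str
    groups: Set[str] = field(default_factory=set)
    def sids(self) -> Set[str]:
        return {self.user} | self.groups

def access_check(sd: SecurityDescriptor, token: Token, desired: int) -> bool:
    """Walk the DACL in order: the first ACE deciding a still-undecided bit wins,
    so a deny ACE placed before an allow ACE takes precedence."""
    if sd.dacl is None:               # NULL DACL: every subject gets every right
        return True
    remaining = desired
    if sd.owner in token.sids():      # owner always holds READ_CONTROL | WRITE_DAC
        remaining &= ~OWNER_RIGHTS
    for ace in sd.dacl:               # an empty DACL grants nothing
        if ace.sid not in token.sids():
            continue                  # ACE does not apply to this subject
        if ace.kind == "deny" and ace.mask & remaining:
            return False              # an undecided requested bit hit a deny ACE
        if ace.kind == "allow":
            remaining &= ~ace.mask    # these requested bits are now granted
        if remaining == 0:
            return True               # every requested bit has been granted
    return remaining == 0

# Constructed sample: Alice owns the object, Users may read, Alice is denied write.
ALICE, BOB, USERS = "S-1-5-21-0-0-0-1001", "S-1-5-21-0-0-0-1002", "S-1-5-32-545"
SAMPLE_SD = SecurityDescriptor(ALICE, [Ace("deny", ALICE, WRITE),
    Ace("allow", USERS, READ), Ace("allow", ALICE, READ | WRITE)])
```

Note that Alice's later allow ACE never grants WRITE because the deny ACE ahead of it decides that bit first, which is why Windows keeps explicit deny ACEs at the front of a canonical DACL.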
Security Auditing
The SRM plays a crucial role in system auditing. It logs security-relevant events, such as successful and failed access attempts, to the system's security event log. This provides a trail of system activity that can be used for security monitoring, incident response, and compliance purposes.
Object Security Descriptors
The SRM manages and enforces the security descriptors for system objects. A security descriptor contains information about the object's owner, primary group, Discretionary Access Control List (DACL), and System Access Control List (SACL).
Key Components and Concepts
Security Descriptors
A security descriptor is a data structure that defines the security properties of an object. It typically includes:
- Owner SID: The Security Identifier (SID) of the object's owner.
- Group SID: The SID of the object's primary group.
- DACL: The Discretionary Access Control List, which contains ACEs that specify which users or groups have what type of access to the object.
- SACL: The System Access Control List, which contains ACEs that specify auditing requirements for attempts to access the object.
Access Control Entries (ACEs)
ACEs are the individual entries within a DACL or SACL. Each ACE specifies:
- The type of ACE (Allow or Deny).
- The SID of the trustee (user or group) to which the ACE applies.
- The access mask, which defines the specific access rights granted or denied.
Security Tokens
A security token is an object that describes the security context of a process or thread. It contains information such as:
- The user's SID and group SIDs.
- The user's privileges.
- A list of SIDs that identify the owners of impersonation tokens.
- Mandatory integrity control information.
SRM Interaction with Other Kernel Components
The SRM does not operate in isolation. It interacts with various other kernel components:
- Local Security Authority (LSA): The LSA provides security policy information to the SRM and manages user authentication.
- Object Manager: The Object Manager is responsible for creating and managing kernel objects. When an object is created, the Object Manager works with the SRM to assign an initial security descriptor.
- Process Manager: The Process Manager creates and manages processes and threads. The SRM is involved in assigning security tokens to these entities.
Developer Guidance
Developers working with system security usually use Win32 APIs that wrap SRM functionality. Understanding the underlying principles helps in designing secure applications.
Key APIs include:
- AccessCheck
- GetSecurityDescriptorControl
- SetSecurityDescriptorDacl
- OpenProcessToken