8/2/2004 9:22:09 AM
In military and other high-security computer systems, a policy of mandatory access controls is used. The goal in these systems is to restrict the dissemination of information. Objects in these systems (such as files) are assigned security labels that restrict who is allowed to access them. A label contains the required clearance level, which often ranges from unclassified to classified, secret, top secret and so forth.[1] Users of the system are assigned clearance levels. A user with a clearance level of classified may read documents that are classified or unclassified, but may not read documents more restricted, such as secret or top secret. This same user may actually create documents that are secret or top secret, which creates an interesting situation — a user can create documents she can’t subsequently read.
As you can see, with mandatory access control the user doesn't have control over her own documents. The system mandates who can read and write everything. Once again, remember the goal: Limit the dissemination of information. Figure 40.1 shows how the information is organized from a security perspective. It's easy for information to flow inward, where access is more restricted, but information flow is tightly restricted the other way. To demote information from secret to classified, for example, requires special privilege.

Figure 40.1 Mandatory access control puts perimeters around information.
Commercial operating systems like UNIX and Windows take a totally different approach, using discretionary access control. This puts control of an object into the hands of the person who creates it. For example, if Alice creates a file on a Windows server, she becomes the owner of that new file. The owner SID is tracked as part of the security descriptor that the NTFS file system maintains for the file (WhatIsASecurityDescriptor). The owner is implicitly granted permission to read the security descriptor and change the DACL for the file, as I detail in WhatIsOwnership.
In layman's terms, discretionary access control means that each object has an owner and the owner of the object gets to choose its access control policy. There are loads of objects in Windows that use this security model, including printers, services, and file shares. All secure kernel objects also use this model, including processes, threads, memory sections, synchronization objects such as mutexes and events, and named pipes. Discretionary access control is so prevalent in Windows that understanding it is really important for anyone writing secure code for Windows. I encourage you to read WhatIsOwnership to learn how ownership works because, as a developer who likely runs as an administrator most of the time, you probably haven’t had to deal with it much yourself.
[1] Labels also compartmentalize data, to limit access to resources based on "need to know."
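As an added illustration (not code from the book), here is a small C# program using the System.Security.AccessControl classes (assumes .NET 2.0 or later on Windows; the file name is made up) that shows the two implicit owner rights described above in action: the owner of a file denies herself read access, is correctly locked out of the contents, yet can still read the security descriptor and repair the DACL because the owner SID in the security descriptor matches her token.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

class OwnerRightsDemo
{
    static void Main()
    {
        // Constructed sample file; the creator becomes its owner.
        string path = Path.Combine(Path.GetTempPath(), "dac-demo.txt");
        File.WriteAllText(path, "owner rights demo");
        FileInfo file = new FileInfo(path);

        // SID of the user running this program.
        SecurityIdentifier me = WindowsIdentity.GetCurrent().User;

        // Read the security descriptor (needs READ_CONTROL) and show the owner.
        // Note: an elevated administrator may see the Administrators group here,
        // which the token also carries as its owner, so the same rules apply.
        FileSecurity sd = file.GetAccessControl();
        Console.WriteLine("Owner SID: " + sd.GetOwner(typeof(SecurityIdentifier)));

        // Deny ourselves the right to read the file's data. The deny ACE is placed
        // ahead of the inherited allow ACEs, so the next read must fail.
        FileSystemAccessRule denyRead =
            new FileSystemAccessRule(me, FileSystemRights.ReadData, AccessControlType.Deny);
        sd.AddAccessRule(denyRead);
        file.SetAccessControl(sd);

        try
        {
            File.ReadAllText(path);
            Console.WriteLine("Unexpected: read succeeded");
        }
        catch (UnauthorizedAccessException)
        {
            Console.WriteLine("Read denied by the DACL, as intended");
        }

        // The DACL now denies us ReadData, but as owner we still implicitly hold
        // READ_CONTROL and WRITE_DAC, so we can reread the descriptor and fix the DACL.
        sd = file.GetAccessControl();
        sd.RemoveAccessRule(denyRead);
        file.SetAccessControl(sd);
        Console.WriteLine("Repaired DACL; contents: " + File.ReadAllText(path));

        File.Delete(path);
    }
}
```

If the deny ACE were instead placed by a different account, the owner could still repair the DACL in exactly the same way, which is the whole point of ownership in a discretionary model.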
Keith's first book-in-a-wiki. If you would like to read the book online or order a physical copy to throw at annoying coworkers, surf to the HomePage. Please note that due to overwhelming wikispam, this particular wiki is no longer editable.