Re: Windows NT does not check permissions after HANDLEs are open

From: Blue Boar (BlueBoarat_private)
Date: Wed Aug 29 2001 - 21:48:05 PDT


    c0nceptat_private wrote:
    > 
    >    The component of the NT executive responsible for enforcing ACLs and DACLs is known as the Security Reference Monitor. When a kernel resource is requested, the requesting program specifies the type of access it desires. The SRM checks against the access list, and grants the requestor a HANDLE to the object if the requestor has appropriate rights.
    >     The check against the ACL only occurs when the HANDLE is first opened, however. If a HANDLE is opened and permissions on the object subsequently change, the original requestor of the object retains the original access-permissions. Therefore, it is possible to retain access to an object after the Creator/Owner or an administrator has changed the ACL simply by maintaining an open handle. If the requestor is a service or server-program that is expected to run 24/7 the object will remain accessible long after the ACL has been altered [think ISAPI, extended stored procedures, et al.].
    > 
    
    I believe this is documented, though perhaps in a different context.  
    If you, as a domain admin, have given someone a right, or group
    membership, etc... and they log in with that... they hang onto 
    it for the entire time they are logged in.  It becomes part of 
    the "security token".  You can yank the right, but they hang onto
    it until they logout, or you do a forced logout.  This is from 
    the MS certification classes.
    
    I think the same applies in your example.  There's probably a way
    to force the handle to go away, then they'd have no rights.  Of course,
    the program using the handle would probably fall over dead, too...
    
    					BB
    
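The behaviour discussed in this thread can be checked directly. The following PowerShell script is an added example, not code from either poster: it opens a file handle with write access, adds a Deny ACE for the current user, and shows that the already-open handle keeps writing while a fresh open of the same file fails. The scratch path under $env:TEMP and the assumption that the running account owns that file (so it can still rewrite the DACL after denying itself Write) are assumptions of the example.

```powershell
# Added example, not from the original post. Assumes Windows, a writable
# $env:TEMP, and that the current user owns the scratch file it creates.
$path = Join-Path $env:TEMP 'handle-demo.txt'
Set-Content -Path $path -Value 'initial'

# 1. Open a handle for write access. The Security Reference Monitor
#    evaluates the DACL once, here, and the granted access lives in the
#    handle from now on.
$fs = [System.IO.File]::Open($path,
        [System.IO.FileMode]::Append,
        [System.IO.FileAccess]::Write,
        [System.IO.FileShare]::ReadWrite)

# 2. Change the object's DACL: deny Write to the very user holding the handle.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$acl  = Get-Acl -Path $path
$deny = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $me, 'Write', 'Deny'
$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl

# 3. The existing handle still works: no DACL re-check happens on the write.
$bytes = [System.Text.Encoding]::ASCII.GetBytes("written after deny`n")
$fs.Write($bytes, 0, $bytes.Length)
$fs.Flush()
"Write via existing handle: OK"

# 4. A new open with the same access goes through the SRM again and is refused.
try {
    $fs2 = [System.IO.File]::Open($path,
            [System.IO.FileMode]::Append,
            [System.IO.FileAccess]::Write,
            [System.IO.FileShare]::ReadWrite)
    $fs2.Close()
    "New handle: unexpectedly succeeded"
} catch [System.UnauthorizedAccessException] {
    "New handle: access denied, as expected after the ACL change"
}

# 5. Closing the handle is what actually ends the access. Then undo the
#    deny ACE (the owner keeps WRITE_DAC, which the deny did not cover).
$fs.Close()
$acl.RemoveAccessRule($deny) | Out-Null
Set-Acl -Path $path -AclObject $acl
Get-Content -Path $path
```

The same logic applies to the logon-token case BB mentions: `whoami /groups` in a session that is still open lists the groups that were in the token at logon, and a group removed since then still shows up there until the user logs off and on again.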



    This archive was generated by hypermail 2b30 : Wed Aug 29 2001 - 22:07:51 PDT