Security principals
What are security principals?
A security principal is any entity that can be authenticated by the operating system: a user account, a computer account, a thread or process that runs in the security context of a user or computer account, or the security groups that contain these accounts.
Every security principal is uniquely identified by a Security Identifier (SID), which the system uses rather than relying on usernames, ensuring security and integrity even if names change.
The security principal is the basis of the Windows Security Model, which is built on the concepts of Identity, Authentication, and Authorization to control access to system resources:

Identity
A Security Principal is any entity that has an identity and can be authenticated.

Authentication
The process of verifying the identity of a security principal. It uses passwords, smart cards, biometrics, or the Kerberos/NTLM protocols. Once authenticated, the system creates an Access Token that contains:
The user's SID
Group memberships
Privileges assigned to the user
Example: When you log in to Windows, you provide a password. If it matches, Windows creates an access token for your session.

Authorization
Once authenticated, the system checks whether the security principal has permission to access a resource. It uses the Access Control List (ACL) stored in each object's security descriptor. An ACL contains Access Control Entries (ACEs) that define:
Who can Read, Write, Execute, or Modify a file, folder, or system resource.
Example: If Alice tries to open Secret.txt, Windows checks the ACL. If Alice is listed with "Read" permission, she can open it.
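The two steps above, inspecting the access token produced by authentication and then evaluating a file's ACEs against the SIDs in that token, as an added PowerShell example that is not part of the original page. It assumes Windows PowerShell 5.1 or later on Windows; the path C:\Data\Secret.txt is a placeholder, and Test-ReadAllowed is a simplified approximation of the kernel's access check (it ignores ownership and integrity levels), written here for illustration.

```powershell
# Added example (not from the original page). Assumes Windows; the file path is a placeholder.

# --- Authentication result: the access token of the current session ---
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"User SID  : $($id.User.Value)"
"User name : $($id.Name)"
"Groups    :"
foreach ($g in $id.Groups) {
    # The token stores group SIDs; translate each to a name where one resolves
    try { $name = $g.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '(unresolvable)' }
    "  {0,-48} {1}" -f $g.Value, $name
}
# WindowsIdentity does not expose privileges; whoami lists them from the same token
whoami /priv

# --- Authorization: the ACEs in the file's security descriptor ---
$path = 'C:\Data\Secret.txt'   # placeholder path, replace with a real file
$acl  = Get-Acl -Path $path
$acl.Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# Simplified check: does any ACE for the user SID or a group SID in the token
# grant ReadData, and does no matching ACE deny it? (Deny ACEs win, as in Windows.)
function Test-ReadAllowed {
    param(
        [System.Security.AccessControl.FileSecurity]$Acl,
        [System.Security.Principal.WindowsIdentity]$Identity
    )
    $tokenSids = @($Identity.User) + @($Identity.Groups)
    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $allowed = $false
    foreach ($rule in $rules) {
        if ($tokenSids -notcontains $rule.IdentityReference) { continue }
        $read = [System.Security.AccessControl.FileSystemRights]::ReadData
        if (($rule.FileSystemRights -band $read) -eq 0) { continue }
        if ($rule.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}
"Read allowed for $($id.Name): $(Test-ReadAllowed -Acl $acl -Identity $id)"
```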
User Principal
What It Is:
A User Principal represents an individual human user who interacts with a system or resources.
This could be a person logging into a computer, accessing files, running applications, or managing server resources.
Key Characteristics:
Authentication: The user is authenticated using credentials such as a username and password, biometrics, or multi-factor authentication (MFA).
Identity: Each user has a unique identifier, often called a Security Identifier (SID) in Windows or a User ID (UID) in Linux.
Permissions: The user's permissions determine what resources they can access and what actions they can perform.
Security Context: When a user logs in, their security context is created, which includes:
Their identity (e.g., SID or UID).
Group memberships (if applicable).
Privileges (special rights granted to the user).
Integrity levels (in systems like Windows).
Group Principal
What It Is:
A Group Principal represents a collection of users. Instead of assigning permissions to individual users, permissions are assigned to the group, and all members of the group inherit those permissions.
Key Characteristics:
Simplified Management: Groups make it easier to manage access for multiple users at once.
Types of Groups:
Security Groups: Used for granting access to resources.
Distribution Groups: Primarily used for communication (e.g., email lists), but not typically for security purposes.
Dynamic Groups: Membership can be automatically determined based on attributes like department, location, or job role.
Inheritance: Users inherit the permissions of the groups they belong to. This is reflected in their security context.
Service Principal
What It Is:
A Service Principal represents a non-human identity, such as an application, service, or automation tool. It allows these entities to authenticate and interact with the system without requiring a human user.
Key Characteristics:
Authentication: Service principals authenticate using mechanisms like API keys, certificates, or client secrets.
Unique Identity: Each service principal has its own unique identifier, just like a user.
Role Assignments: Service principals can be assigned roles or permissions, allowing them to perform specific tasks.
Automation-Friendly: They are ideal for scenarios where human intervention is not required, such as automated scripts and background services.