Who's Who?
I also spent time reflecting on the evolution of something computer
security experts frequently call "identities", and operating system authors
often refer to as "accounts" or "roles".
You see, back when computers were new, we carved our own keyboards out of
wood. It could take weeks to catch and properly train a new mouse. Glowing
coal-fired monitors warmed even as they informed.
And all data was public.
In those distant days, if it was stored on your computer, anyone could view
or change it. Your entire digital data storehouse could be accessed by
anyone who sat in front of your machine, operated its keyboard without
getting splinters, or manipulated your mouse without being bitten.
Today, those olden times seem quaint, even naive. As the years have rolled
by, as each new version of Windows and other software has been released,
computers have become more and more protective of the data they store.
First, many computers required user names and passwords to be entered
before responding to requests. This limited the number of people who could
access a computer's data to those who knew, or could guess, the necessary
credentials.
Still, once granted, data access was unlimited. Any information stored on
the computer could be viewed, and even modified, by anyone possessing the
two nuggets of information needed to "log in".
Yours, Mine ...
But few users needed the ability to modify all of the 1s and 0s on their
computer's disks. If the ability to change, or even view, particular bits
could be limited to those with a legitimate reason for such privileges,
data could live safer, longer, more secure lives.
That's why computer experts came up with the idea of file and folder
"ownership".
Under this scheme, each file stored on a computer's disk is owned by an
"entity". A file's owner controls the file's fate. He, she (or "it", as
we'll see in a moment) determines whether the file can be modified by other
entities, only viewed by those non-owners, or is kept completely away from
others' prying eyes, mice and keyboards.
Nowadays folders have owners too. Some folders are like single-family homes
in the suburbs. The owner of a folder owns all the folder's contents --
both files and other folders.
But other folders are like big-city apartments or condominiums. The owner
of this folder is like a landlord, someone who owns just the building, err
folder. Meanwhile, a variety of tenants possess the folder's contents --
its sub-folders and files.
So, who, or what, are these "entities" that own our computer's data? In
nerd-speak, they are the security identities, and operating system accounts
and roles, we talked about a while ago.
But in the real world, they are often just people like you and me -- those
among us able to access a particular computer by entering a valid user name
and password.
Suppose you log in to a computer, then create a word processing document,
spreadsheet, or other common file. Unless someone, or something,
intervenes, you'll own the file where that information is stored. Its
future will be entirely in your hands.
If I log in and create a new folder, that container will probably be mine.
I'll control what files and other folders it will hold, who can create
those folder-dwellers, who can view the list of files and folders my folder
contains, and more.
But not all folder- and file-owning entities are made of flesh and blood.
As Windows and other operating systems evolved, ownership relationships
became more complex. Along the way, invisible, non-corporeal owners
arrived. In some ways, these can be thought of as our computer designers'
imaginary friends.
These ethereal owners have names like SYSTEM, NETWORK SERVICE, and LOCAL
SERVICE. As you've probably guessed, SYSTEM is actually your computer's
operating system -- a mysterious character named Windows. When Windows
wants tight control over something, it gives it to itself, making SYSTEM
the owner.
In acts of self-inflicted schizophrenia, Windows also creates some
alter-identities. For security reasons, each has some, but not all,
of the power and privilege of SYSTEM.
For example, when performing tasks on behalf of other computers connected
to ours via a network, Windows may adopt the identity "NETWORK SERVICE" (or
sometimes, just NETWORK). Through this alias, Windows owns -- and controls
-- files, folders, devices, and other items needed to carry out your
computer's social responsibilities.
Another Windows alter-ego is "LOCAL SERVICE" (or just LOCAL). As you've
guessed, it's something of a mirror image of NETWORK. Rather than dealing
with outsiders, LOCAL deals with activities entirely confined to your local
computer.
... and Ours
And then there are "groups". You can think of a group as a sort of club. To
join one of these clubs you must already be an entity that can own files,
folders or other items controlled by the computer.
After that, some memberships are automatic. For example, every entity that
can access a computer belongs to a group called "Everyone". And people who
can log onto a particular computer are members of a group called "Users".
Other clubs are more exclusive. For example, to join a group called
"Administrators", you must get the approval of an existing member of that
group. This powerful cabal also decides who can join other exclusive groups
such as "Backup Operators" (entities that can back up and restore computer
data), and "Guests" (users with very limited access to the computer).
And then there are temporary groups, such as "TrustedInstaller". Most of
the time this group is empty, its clubhouse forlorn and neglected. But when
you or I install software, the installation program that we run temporarily
becomes a member of this group. This affiliation allows it to carry out
certain tasks that only trusted installers are allowed to perform.
What is the benefit of club, err group, membership? It's pretty simple.
Anything the group owns, you own, if you're a member. Anything the group
controls, its members control too.
Groups also provide an easy way to grant certain privileges and
responsibilities to several users at once, and to quickly make uniform
changes to those settings in the future.
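As an added example, not part of the original article, the PowerShell session below walks through the ideas above on a real Windows machine: a folder as landlord, a file as tenant, ownership by the person who logged in versus by the operating system, a grant made to a group instead of to individuals, and the "clubs" the current logon belongs to. It assumes Windows with PowerShell 5.1 or later and a writable %TEMP%; the demo folder name and file content are constructed.

```powershell
# Added example (not the article's own code). Creates a constructed demo folder
# under %TEMP%, inspects and edits its ACL, and removes it again at the end.
$demo = Join-Path $env:TEMP 'ownership-demo'   # the "apartment building"
$file = Join-Path $demo 'tenant.txt'           # one "tenant" living inside it
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path $file -Value 'sample data (constructed)'

# 1. Ownership: whoever logged in and created the items owns them.
#    (Run from an elevated prompt, Windows records the Administrators group as
#    owner instead, a case of "anything the group owns, its members own".)
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
"Logged in as  : $me"
"Folder owner  : $((Get-Acl -Path $demo).Owner)"
"File owner    : $((Get-Acl -Path $file).Owner)"

# 2. A non-corporeal owner: Windows keeps its own directory for itself.
"System32 owner: $((Get-Acl -Path "$env:SystemRoot\System32").Owner)"

# 3. Grant one group read access to the folder rather than adding each person.
#    BUILTIN\Users exists on every Windows installation.
$acl  = Get-Acl -Path $demo
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $demo -AclObject $acl

# 4. The tenant inherits the landlord's rule: IsInherited is True on the file.
(Get-Acl -Path $file).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 5. Which groups does this logon belong to, and is Administrators one of them?
$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
"Administrator in this session: $($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))"
whoami /groups /fo list | Select-String 'Group Name'

Remove-Item -Path $demo -Recurse -Force
```

Step 5 reports the token of the current session, so a member of Administrators running a non-elevated prompt sees False; that is the OS deliberately withholding group power until it is asked for.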