{
	"id": "a8f2a75e-585b-41ea-901e-c66402d2b8f6",
	"created_at": "2026-04-06T00:08:37.125599Z",
	"updated_at": "2026-04-10T03:21:28.850915Z",
	"deleted_at": null,
	"sha1_hash": "4b880dd1fe5e1c0c2794158060855200bff486d2",
	"title": "Security Subsystem Architecture",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49154,
	"plain_text": "Security Subsystem Architecture\r\nBy Archiveddocs\r\nArchived: 2026-04-05 18:46:47 UTC\r\nWindows 2000 includes a set of security components that make up the Windows security model. These\r\ncomponents ensure that applications cannot gain access to resources without authentication and authorization.\r\nComponents of the security subsystem run in the context of the Lsass.exe process, and include the following:\r\nLocal Security Authority\r\nNet Logon service\r\nSecurity Accounts Manager service\r\nLSA Server service\r\nSecure Sockets Layer\r\nKerberos v5 authentication protocol and NTLM authentication protocol\r\nThe security subsystem keeps track of the security policies and the accounts that are in effect on the computer\r\nsystem. In the case of a domain controller, which is a computer that has Active Directory installed, these policies\r\nand accounts are the ones that are in effect for the domain in which the domain controller is located. They are\r\nstored in Active Directory.\r\nThe Local Security Authority (LSA) is a protected subsystem that maintains the information about all aspects of\r\nlocal security on a system (collectively known as the local security policy) and provides various services for\r\ntranslation between names and identifiers.\r\nIn general, the LSA performs the following functions:\r\nManages local security policy.\r\nProvides interactive user authentication services.\r\nGenerates tokens, which contain user and group information as well as information about the security\r\nprivileges for that user. After the initial logon process is complete, all users are identified by their security\r\nidentifier (SID) and the associated access tokens.\r\nManages the Audit policy and settings. 
When an audit alert is generated by the Security Reference Monitor,\r\nthe LSA is charged with writing that alert to the appropriate system log.\r\nThe local security policy identifies the following:\r\nThe domains that are trusted to authenticate logon attempts.\r\nWho can have access to the system and in what way (for example, interactively, over the network, or as a\r\nservice).\r\nWho is assigned privileges.\r\nWhat security auditing is to be performed.\r\nDefault memory quotas (paged and nonpaged memory pool usage).\r\nFigure 2.2 shows a local perspective of Active Directory within the LSA security subsystem (Lsass.exe). The LSA\r\nsecurity subsystem provides services to both the kernel mode and the user mode for validating access to objects,\r\nchecking user privileges, and generating audit messages.\r\nFigure 2.2 Active Directory Within the Local Security Authority (Lsass.exe)\r\nThe LSA has the following components:\r\nNetlogon.dll. The Net Logon service. Net Logon maintains the computer's secure channel to a domain controller.\r\nIt passes the user's credentials through a secure channel to the domain controller and returns the domain security\r\nidentifiers and user rights for the user. In Windows 2000, the Net Logon service uses DNS to resolve names to the\r\nInternet Protocol (IP) addresses of domain controllers. Net Logon is the replication protocol for Microsoft®\r\nWindows NT® version 4.0 primary domain controllers and backup domain controllers.\r\nMsv1_0.dll. The NTLM authentication protocol. This protocol authenticates clients that do not use Kerberos\r\nauthentication.\r\nSchannel.dll. The Secure Sockets Layer (SSL) authentication protocol. This protocol provides authentication over\r\nan encrypted channel instead of a less-secure clear channel.\r\nKerberos.dll. The Kerberos v5 authentication protocol.\r\nKdcsvc.dll. 
The Kerberos Key Distribution Center (KDC) service, which is responsible for granting ticket-granting tickets to clients.\r\nLsasrv.dll. The LSA server service, which enforces security policies.\r\nSamsrv.dll. The Security Accounts Manager (SAM), which stores local security accounts, enforces locally stored\r\npolicies, and supports APIs.\r\nNtdsa.dll. The directory service module, which supports the Windows 2000 replication protocol and Lightweight\r\nDirectory Access Protocol (LDAP), and manages partitions of data.\r\nSecur32.dll. The multiple authentication provider that holds all of the components together.\r\nFor more information about the LSA and its components, see \"Authentication\" in this book. For more information\r\nabout access control, see \"Access Control\" in this book.\r\nSource: https://technet.microsoft.com/library/cc961760.aspx",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://technet.microsoft.com/library/cc961760.aspx"
	],
	"report_names": [
		"cc961760.aspx"
	],
	"threat_actors": [],
	"ts_created_at": 1775434117,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b880dd1fe5e1c0c2794158060855200bff486d2.pdf",
		"text": "https://archive.orkl.eu/4b880dd1fe5e1c0c2794158060855200bff486d2.txt",
		"img": "https://archive.orkl.eu/4b880dd1fe5e1c0c2794158060855200bff486d2.jpg"
	}
}