Today, I'm not writing anything new. Instead, I'm referring you to the series of articles by Ruediger Asche starting with Windows NT Security in Theory and Practice. These articles are quite old but the principles are still sound. Just bear in mind that the newer stuff won't be covered.