A component of the Microsoft Windows NT executive running in kernel mode that acts like a security watchdog, enforcing security when applications try to access system resources.
The Security Reference Monitor decides whether a given process should be granted access rights to an object. It does this by comparing the access token attached to the process to the discretionary access control list (DACL) attached to the object that the process is trying to access.
It compares the security identifiers (SIDs) in the DACL entry by entry to the SIDs in the access token to see what level of access the process should be granted. If any of the DACL SIDs denies the request access, the process is denied access to the object. The Security Reference Monitor also ensures that auditing takes place if auditing is configured in the local security policy.