Hacker News
by snfernandez 4256 days ago
Actually, there are many integrity levels for user's processes in Windows: untrusted, low, medium, high and system. (http://msdn.microsoft.com/en-us/library/bb625963.aspx)

To quote Wikipedia[0] ("Architecture of Windows NT"):

> While the x86 architecture supports four different privilege levels (numbered 0 to 3), only the two extreme privilege levels are used. Usermode programs are run with CPL 3, and the kernel runs with CPL 0. These two levels are often referred to as "ring 3" and "ring 0", respectively. Such a design decision had been done to achieve code portability to RISC platforms that only support two privilege levels, though this breaks compatibility with OS/2 applications that contain I/O privilege segments that attempt to directly access hardware.

[0] https://en.wikipedia.org/wiki/Architecture_of_Windows_NT#Ker...

Except MS has implemented software-based permission groups, which the person you're replying to pointed out. This really low level x86 stuff doesn't mean you can't have more granularity.

Windows has system, high, medium, low, and untrusted security levels that get mapped to security groups. A local admin is high, but not system, etc.

Indeed, but it isn't a "ring." A protection ring has a specific meaning and that meaning IS about "low level [CPU] stuff." For example the CPU can be made to support more than two rings, Windows NT and UNIX just only utilise two of them and then build software protections on top (OS/2 supported 3).

https://en.wikipedia.org/wiki/Protection_ring