General description

From a modeling perspective, the difference between a server (more specifically, a host running network services) and a workstation is relatively small. The main difference is that a server is hosting services (Applications) that can be connected to from the local network or from other parts of the architecture if the routing and firewall rules allow it.

Therefore, the model representation of a server uses the workstation model as a baseline, with a service added to it.

Simplified version

The simplified version consists of an operating system, a client application with network access, and a user, as in the workstation model described earlier. In addition, an Application object is added as a child application of the operating system Application.

The Application shall also be connected to an Identity object representing the user account under which the Application is executing, in other words, the user owning the service process. In most cases, and as the recommended configuration, services run under a separate service account instead of the Administrator account.

Simplified model of a server hosting a service application.

As in the workstation example described earlier, the vulnerability objects representing one unknown vulnerability for the network client and one for the operating system still apply. In addition, a vulnerability object has been added for the potential presence of an unknown vulnerability in the service application. Its defense parameters are as follows.

Unknown service vulnerability

Defense parameter                   Value
AvailabilityImpactLimitations       0,5
ConfidentialityImpactLimitations    0,5
HighComplexityExploitRequired       0,5
HighPrivilegesRequired              0,5
IntegrityImpactLimitations          0,5
LocalAccessRequired                 0
LowPrivilegesRequired               0,5
NetworkAccessRequired               1
PhysicalAccessRequired              0
Remove                              0,5
UserInteractionRequired             0

Detailed version

As with the simplified server model described above, the detailed server model is based on the detailed workstation model.

Therefore, all aspects and descriptions of the detailed workstation model also apply to the detailed server model.

Application access levels

The simplified server model included only one additional service-related Identity: the Service Account.

In a more detailed version, we also want to model that the service may hold a local set of user identities that apply only to the service itself. These can represent accounts such as user profiles in a web application.

The "Service Account" is the operating system account under which the service is running. The Application User Account and the Application Admin Account are the application-local accounts. The connection types are shown below.

Identities and their connections related to the Service Application.

Application storage

Depending on which Identity a user possesses (or an Attacker manages to impersonate), part or all of the storage of a system is accessible. This applies to the operating system as well as to the users and data sets defined within the scope of an Application. Therefore, we can distinguish between user-accessible application data (such as a user's messages and files) and admin-accessible application data (such as the configuration of the application).

User Data and Application Configuration.

Integration

To reuse this server model, it is recommended to save it as a separate model and then use "Import Model" to add it to a different model where the rest of the architecture is going to be modeled.

The final model of the server is shown below.

The detailed server model.

The Server sub-model is connected to a main model by connecting the Application object representing the network software to a Network using the ClientAccess connection type. In addition, the Application representing the modeled service shall be connected to every network where it is accessible, using the NetworkExposure connection type.

The Client is connected to the Office LAN via ClientAccess and the Service is connected via NetworkExposure.
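
The modeling rules on this page can be checked mechanically before a sub-model is imported elsewhere. The following is an added example, not securiCAD code or its file format: a Python check over a hand-built stand-in for the simplified server model. The dictionary layout, the "role" and "runs_as" keys, and the object names are assumptions; the connection types and defense values are taken from the text above.

```python
# Added example: plain-Python stand-in for the server sub-model (not securiCAD's format).
# Defense values from the "Unknown service vulnerability" table (0,5 written as 0.5).
SERVICE_VULN_DEFENSES = {
    "AvailabilityImpactLimitations": 0.5, "ConfidentialityImpactLimitations": 0.5,
    "HighComplexityExploitRequired": 0.5, "HighPrivilegesRequired": 0.5,
    "IntegrityImpactLimitations": 0.5, "LocalAccessRequired": 0,
    "LowPrivilegesRequired": 0.5, "NetworkAccessRequired": 1,
    "PhysicalAccessRequired": 0, "Remove": 0.5, "UserInteractionRequired": 0,
}

def build_server_model(service_identity="Service Account"):
    """Constructed sample; dict layout, 'role' and 'runs_as' keys are assumptions."""
    return {
        "applications": {
            "Operating System": {"role": "os", "parent": None, "runs_as": None},
            "Network Client": {"role": "client", "parent": "Operating System", "runs_as": "User"},
            "Service": {"role": "service", "parent": "Operating System", "runs_as": service_identity},
        },
        "vulnerabilities": [{"application": "Service", "defenses": dict(SERVICE_VULN_DEFENSES)}],
        "connections": [("Network Client", "ClientAccess", "Office LAN"),
                        ("Service", "NetworkExposure", "Office LAN")],
    }

def lint_server_model(model):
    """Return findings where the model departs from the rules described on this page."""
    apps, conns, findings = model["applications"], model["connections"], []
    def connected(app, kind):
        return any(src == app and typ == kind for src, typ, _ in conns)
    for name, app in apps.items():
        if app["role"] == "client" and not connected(name, "ClientAccess"):
            findings.append(f"{name}: no ClientAccess connection to a Network")
        if app["role"] != "service":
            continue
        if apps.get(app["parent"], {}).get("role") != "os":
            findings.append(f"{name}: not a child of the operating system Application")
        if not app["runs_as"]:
            findings.append(f"{name}: no Identity for the account owning the process")
        elif app["runs_as"] == "Administrator":
            findings.append(f"{name}: runs as Administrator instead of a service account")
        if not connected(name, "NetworkExposure"):
            findings.append(f"{name}: no NetworkExposure connection to a Network")
        vulns = [v for v in model["vulnerabilities"] if v["application"] == name]
        if not vulns:
            findings.append(f"{name}: no unknown-vulnerability object attached")
        for v in vulns:
            off = sorted(k for k, val in SERVICE_VULN_DEFENSES.items() if v["defenses"].get(k) != val)
            if off:
                findings.append(f"{name}: defense parameters differ from the table: {off}")
    return findings
```

Calling lint_server_model(build_server_model()) returns an empty list; passing "Administrator" as the service identity yields a single finding for the Service.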