Some Basic Facts About Access Control
The follow are some basic facts about access control. The notes are taken from Keith Brown's book The .NET Developer's Guide to Windows Security.
Each object protected by the Windows discretionary access control system must have some state associated with it to track its security settings. This little bundle of state is often referred to as a "security descriptor." Logically, here's what that state must contain:
- Owner SID
- Group SID
- DACL: Discretionary Access Control List
- SACL: System Access Control List
- Control flags
The owner SID is the user that is always allowed to control the DACL of the object. This means that the owner can control who is allowed to use the object and in what ways. The owner SID can be a user or a group. The latter is a special case that occurs only with the local Administrators group. The operating system has traditionally set the default owner SID for administrators to be the Administrators local group. On Windows XP, the default policy has changed: Administrators have personal ownership of objects they create, just as normal users do. On Windows Server 2003, the default policy is what it has always been: Administrators are treated specially, and they share ownership of objects by default.
The group SID, also known as the "primary group," isn't used at all by Win32 applications. It's actually there to support UNIX applications that run in the optional POSIX subsystem.
The discretionary access control list (DACL) contains a list of permissions granted or denied to various users and groups. The reason it's called "discretionary" is that the owner of the object is always allowed to control its contents. Contrast this to the system access control list (SACL), over which the owner has no special control. In fact, usually the owner of an object isn't even allowed to read it. The SACL is designed for use by security officers, and it specifies what actions will be audited by the system.
Access Control Lists (ACL; rhymes with "cackle") are used in two ways in Windows security. One type of ACL is designed to gate access, and the other is designed to audit access. The DACL in a security descriptor is used to gate access whereas the SACL is used for auditing.
Finally, there are two control flags that arguably should be part of the DACL and SACL headers but instead are specified as part of the security descriptor.
- SE_DACL_PROTECTED
- SE_SACL_PROTECTED
These flags control the flow of inherited Access Control Entries (ACE)s in a hierarchical system.
Each record in an ACL is called an Access Control Entry, or ACE, and includes the SID of a single user or group along with a 32-bit access mask that specifies the permissions being granted, denied, or audited. Each entry also includes a set of flags used to determine how it participates in ACL inheritance, if at all.
When performing access checks, ACEs are evaluated in order, from top to bottom, until either all requested permissions are granted or one or more requested permissions are denied.
3 Comments:
louis vuitton outlet, ugg boots, ray ban sunglasses, oakley sunglasses, louis vuitton outlet, longchamp pas cher, prada outlet, polo ralph lauren outlet, nike outlet, chanel handbags, louboutin outlet, longchamp outlet, louis vuitton, nike air max, cheap oakley sunglasses, longchamp outlet, jordan shoes, louis vuitton, nike free, tiffany and co, tory burch outlet, prada handbags, replica watches, nike roshe run, longchamp, louboutin, air max, ralph lauren pas cher, christian louboutin outlet, replica watches, louis vuitton, nike air max, kate spade outlet, louboutin pas cher, nike free, oakley sunglasses, sac longchamp, oakley sunglasses, polo ralph lauren outlet, louboutin shoes, uggs on sale, ray ban sunglasses, ray ban sunglasses, burberry, gucci outlet, oakley sunglasses, tiffany jewelry, ugg boots, air jordan pas cher, michael kors
mont blanc, nike air max, babyliss, mcm handbags, louboutin, herve leger, ghd, hollister, celine handbags, lancel, new balance, nike trainers, valentino shoes, nfl jerseys, reebok shoes, soccer shoes, oakley, vans shoes, p90x workout, soccer jerseys, nike huarache, converse outlet, nike roshe, abercrombie and fitch, bottega veneta, north face outlet, beats by dre, birkin bag, instyler, gucci, mac cosmetics, chi flat iron, ferragamo shoes, insanity workout, ralph lauren, nike air max, jimmy choo shoes, longchamp, wedding dresses, asics running shoes, vans, hollister, timberland boots, iphone cases, baseball bats, hollister, giuseppe zanotti, north face outlet, ray ban, lululemon
montre pas cher, moncler outlet, moncler, karen millen, moncler, supra shoes, ugg pas cher, wedding dresses, swarovski, moncler, sac louis vuitton pas cher, doudoune canada goose, moncler, louis vuitton, pandora charms, canada goose, ugg,uggs,uggs canada, swarovski crystal, marc jacobs, hollister, moncler, toms shoes, louis vuitton, ugg boots uk, louis vuitton, canada goose uk, coach outlet, louis vuitton, moncler, canada goose, pandora charms, links of london, moncler, canada goose, canada goose outlet, pandora jewelry, juicy couture outlet, canada goose, thomas sabo, juicy couture outlet, pandora jewelry, bottes ugg, canada goose outlet, ugg,ugg australia,ugg italia, replica watches
Post a Comment
<< Home