Tuesday, March 01, 2005

Some Basic Facts About Access Control

The following are some basic facts about access control. The notes are taken from Keith Brown's book The .NET Developer's Guide to Windows Security.

Each object protected by the Windows discretionary access control system must have some state associated with it to track its security settings. This little bundle of state is often referred to as a "security descriptor." Logically, here's what that state must contain:

  • Owner SID
  • Group SID
  • DACL: Discretionary Access Control List
  • SACL: System Access Control List
  • Control flags

The owner SID is the user that is always allowed to control the DACL of the object. This means that the owner can control who is allowed to use the object and in what ways. The owner SID can be a user or a group. The latter is a special case that occurs only with the local Administrators group. The operating system has traditionally set the default owner SID for administrators to be the Administrators local group. On Windows XP, the default policy has changed: Administrators have personal ownership of objects they create, just as normal users do. On Windows Server 2003, the default policy is what it has always been: Administrators are treated specially, and they share ownership of objects by default.

The group SID, also known as the "primary group," isn't used at all by Win32 applications. It's actually there to support UNIX applications that run in the optional POSIX subsystem.

The discretionary access control list (DACL) contains a list of permissions granted or denied to various users and groups. The reason it's called "discretionary" is that the owner of the object is always allowed to control its contents. Contrast this to the system access control list (SACL), over which the owner has no special control. In fact, usually the owner of an object isn't even allowed to read it. The SACL is designed for use by security officers, and it specifies what actions will be audited by the system.

Access Control Lists (ACL; rhymes with "cackle") are used in two ways in Windows security. One type of ACL is designed to gate access, and the other is designed to audit access. The DACL in a security descriptor is used to gate access whereas the SACL is used for auditing.

Finally, there are two control flags that arguably should be part of the DACL and SACL headers but instead are specified as part of the security descriptor.

  • SE_DACL_PROTECTED
  • SE_SACL_PROTECTED

These flags control the flow of inherited access control entries (ACEs) in a hierarchical system: when set, the object's DACL or SACL stops inheriting ACEs from its parent.

Each record in an ACL is called an Access Control Entry, or ACE, and includes the SID of a single user or group along with a 32-bit access mask that specifies the permissions being granted, denied, or audited. Each entry also includes a set of flags used to determine how it participates in ACL inheritance, if at all.

When performing access checks, ACEs are evaluated in order, from top to bottom, until either all requested permissions are granted or one or more requested permissions are denied.
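The evaluation order described above is the whole reason ACE ordering matters. The following is an added simulation of that top-to-bottom walk, written for this post rather than taken from the book; the SID strings and the three access-mask bits are constructed stand-ins, and the handling of an empty versus a missing DACL is an assumption that follows Windows behaviour.

```python
from dataclasses import dataclass

# Simplified access-mask bits (constructed stand-ins for real Win32 rights
# such as FILE_READ_DATA; a real mask is 32 bits wide).
READ, WRITE, DELETE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny" (audit ACEs live in the SACL, not here)
    sid: str    # trustee SID; constructed labels, not real Windows SIDs
    mask: int   # rights this entry grants or denies


def access_check(dacl, token_sids, requested):
    """Walk the DACL top to bottom until every requested bit is granted or
    a matching deny ACE covers a still-ungranted requested bit.
    Assumed edge cases: an empty DACL grants nothing; a missing DACL (None)
    grants everything, as on Windows."""
    if dacl is None:
        return True
    remaining = requested
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                      # trustee not present in the token
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False              # a requested right is denied
        elif ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True               # all requested rights granted
    return False                          # end of list: implicit deny


# Constructed DACL in canonical order: explicit deny ACEs ahead of allows.
CANONICAL = [
    Ace("deny", "S-GROUP-CONTRACTORS", WRITE),
    Ace("allow", "S-GROUP-USERS", READ | WRITE),
    Ace("allow", "S-USER-ALICE", DELETE),
]

# Same three entries with the allow ACE moved first. A contractor asking for
# WRITE is granted before the deny is ever reached, which is why Windows
# tools keep DACLs in canonical order.
NON_CANONICAL = [CANONICAL[1], CANONICAL[0], CANONICAL[2]]
```

A deny ACE only bites on rights that were actually requested, so the contractor in this example can still be granted READ through the Users group.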
