Security descriptor

From Wikipedia, the free encyclopedia

Security descriptors are data structures of security information for securable Windows objects, that is, objects that can be identified by a unique name. A security descriptor can be associated with any named object, including files, folders, shares, registry keys, processes, threads, named pipes, services, job objects and other resources.[1]

A security descriptor contains a discretionary access control list (DACL) made up of access control entries (ACEs) that grant or deny access to trustees such as users or groups, and a system access control list (SACL) that controls auditing of object access.[2][3] ACEs may be applied explicitly to an object or inherited from a parent object. The order of ACEs in an ACL matters, because ACEs are evaluated in order: access-denied ACEs are placed before ACEs that grant access. A security descriptor also records the object's owner.

Mandatory Integrity Control is implemented through a new type of ACE on a security descriptor.[4]

File and folder permissions can be edited with various tools, including Windows Explorer, WMI, command-line tools such as Cacls, XCacls, ICacls and SubInACL,[5] the freeware Win32 console tool FILEACL,[6][7] the free software utility SetACL, and other utilities. To edit a security descriptor, a user needs the WRITE_DAC permission on the object,[8] a permission that is usually granted by default to administrators and the object's owner.

Permissions in NTFS

NTFS uses a set of 14 permissions (12 in older systems) for files and folders, stored as ACLs in security descriptors. The following table summarizes this permission system, one permission per row. The system is obscured by the different names and abbreviations used in various programs (see the icacls and cacls columns) and by several layers of permission mappings: generic access rights (the columns GR, GE, GW and GA stand for GENERIC_READ, GENERIC_EXECUTE, GENERIC_WRITE and GENERIC_ALL respectively), standard access rights and special permissions are all mapped onto the file and folder permissions.[9][10][11]

winnt.h   Permission (files / folders)     GR GE GW GA BM   icacls  cacls
0x01      Read Data / List Folder          + + + +          RD      FILE_READ_DATA
0x80      Read Attributes                  + + + +          RA      FILE_READ_ATTRIBUTES
0x08      Read Extended Attributes         + + + +          REA     FILE_READ_EA
0x20      Execute File / Traverse Folder   + + +            X       FILE_EXECUTE
0x20000   Read Permissions                 + + + + +        RC      READ_CONTROL
0x100000  Synchronize                      + + + + +        S       SYNCHRONIZE
0x02      Write Data / Create Files        + + +            WD      FILE_WRITE_DATA
0x04      Append Data / Create Folders     + + +            AD      FILE_APPEND_DATA
0x100     Write Attributes                 + + +            WA      FILE_WRITE_ATTRIBUTES
0x10      Write Extended Attributes        + + +            WEA     FILE_WRITE_EA
0x10000   Delete                           + +              DE      DELETE
0x40000   Change Permissions               +                WDAC    WRITE_DAC
0x80000   Take Ownership                   +                WO      WRITE_OWNER
0x40      Delete Subfolders and Files      +                DC      FILE_DELETE_CHILD
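The following worked example is added here and is not part of the Wikipedia article. It uses the winnt.h values from the table to decode an ACCESS_MASK into icacls abbreviations, expands the generic rights (GR, GE, GW, GA) into the specific file rights they stand for, and walks an ordered DACL in a simplified model of the Windows access check to show why access-denied ACEs must come before access-allowed ACEs. The FILE_GENERIC_* and FILE_ALL_ACCESS values are the winnt.h definitions; the access_check function is a deliberately simplified model (it ignores inheritance levels, null DACLs and MAXIMUM_ALLOWED), and the SIDs, Ace class and trustee names are constructed for the example.

```python
# Added example (not from the Wikipedia article): decode NTFS access masks with
# the winnt.h values in the table, expand generic rights to specific file
# rights, and walk an ordered DACL the way a simplified AccessCheck would.
from dataclasses import dataclass
from typing import List, Set

# Specific file/folder rights: winnt.h value -> (permission name, icacls abbreviation).
RIGHTS = {
    0x00000001: ("Read Data / List Folder", "RD"),
    0x00000002: ("Write Data / Create Files", "WD"),
    0x00000004: ("Append Data / Create Folders", "AD"),
    0x00000008: ("Read Extended Attributes", "REA"),
    0x00000010: ("Write Extended Attributes", "WEA"),
    0x00000020: ("Execute File / Traverse Folder", "X"),
    0x00000040: ("Delete Subfolders and Files", "DC"),
    0x00000080: ("Read Attributes", "RA"),
    0x00000100: ("Write Attributes", "WA"),
    0x00010000: ("Delete", "DE"),
    0x00020000: ("Read Permissions", "RC"),
    0x00040000: ("Change Permissions", "WDAC"),
    0x00080000: ("Take Ownership", "WO"),
    0x00100000: ("Synchronize", "S"),
}
FILE_WRITE_DATA, READ_CONTROL, WRITE_DAC = 0x2, 0x20000, 0x40000

# Generic rights occupy the top bits of an ACCESS_MASK; winnt.h defines which
# specific file rights each one expands to (FILE_GENERIC_* and FILE_ALL_ACCESS).
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
GENERIC_EXECUTE, GENERIC_ALL = 0x20000000, 0x10000000
FILE_GENERIC_READ = 0x00120089     # RC | RD | RA | REA | S
FILE_GENERIC_WRITE = 0x00120116    # RC | WD | AD | WA | WEA | S
FILE_GENERIC_EXECUTE = 0x001200A0  # RC | RA | X | S
FILE_ALL_ACCESS = 0x001F01FF       # all 14 rights in the table
GENERIC_MAP = {GENERIC_READ: FILE_GENERIC_READ, GENERIC_WRITE: FILE_GENERIC_WRITE,
               GENERIC_EXECUTE: FILE_GENERIC_EXECUTE, GENERIC_ALL: FILE_ALL_ACCESS}


def map_generic(mask: int) -> int:
    """Replace each generic bit with the specific rights it stands for."""
    for generic, specific in GENERIC_MAP.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask


def decode_mask(mask: int) -> List[str]:
    """icacls-style abbreviations of every specific right in mask, lowest bit first."""
    mask = map_generic(mask)
    return [abbr for bit, (_, abbr) in sorted(RIGHTS.items()) if mask & bit]


@dataclass
class Ace:
    kind: str      # "deny" or "allow"
    trustee: str   # SID of the user or group the ACE applies to
    mask: int      # ACCESS_MASK granted or denied


def is_canonical(dacl: List[Ace]) -> bool:
    """True when no allow ACE precedes a deny ACE (inheritance levels ignored)."""
    seen_allow = False
    for ace in dacl:
        if ace.kind == "allow":
            seen_allow = True
        elif seen_allow:
            return False
    return True


def access_check(dacl: List[Ace], owner: str, token_sids: Set[str], desired: int) -> bool:
    """Simplified model of the Windows access-check walk (an assumption of this
    example): ACEs are examined in order, a deny ACE covering a still-needed bit
    refuses access, an allow ACE grants bits, and the walk stops as soon as every
    desired bit is granted, so a deny ACE placed after a matching allow ACE is
    never reached."""
    desired = map_generic(desired)
    granted = 0
    if owner in token_sids:
        # The owner implicitly holds READ_CONTROL and WRITE_DAC, which is why the
        # owner can always repair a DACL that locks everyone else out.
        granted |= READ_CONTROL | WRITE_DAC
    for ace in dacl:
        if desired & ~granted == 0:
            return True
        if ace.trustee not in token_sids:
            continue
        mask = map_generic(ace.mask)
        if ace.kind == "deny" and mask & desired & ~granted:
            return False
        if ace.kind == "allow":
            granted |= mask
    return desired & ~granted == 0


# Constructed sample: Bob is a member of Users; the intent is that Users may
# write but Bob may not. The SIDs are placeholders, not real accounts.
ADMINS, USERS, BOB = "S-1-5-32-544", "S-1-5-32-545", "S-1-5-21-0-0-0-1001"
BOB_TOKEN = {BOB, USERS}
CANONICAL_DACL = [Ace("deny", BOB, FILE_WRITE_DATA), Ace("allow", USERS, GENERIC_WRITE)]
MISORDERED_DACL = [Ace("allow", USERS, GENERIC_WRITE), Ace("deny", BOB, FILE_WRITE_DATA)]

if __name__ == "__main__":
    print("GENERIC_WRITE expands to", decode_mask(GENERIC_WRITE))
    print("canonical order denies Bob:", not access_check(CANONICAL_DACL, ADMINS, BOB_TOKEN, FILE_WRITE_DATA))
    print("misordered DACL lets Bob write:", access_check(MISORDERED_DACL, ADMINS, BOB_TOKEN, FILE_WRITE_DATA))
```

Running the block shows that the same two ACEs give opposite answers depending on their order: with the deny ACE first Bob is refused, with the allow ACE first the walk grants FILE_WRITE_DATA through the Users group and never reaches the deny. The is_canonical check is the kind of test a defender can run over exported ACLs to find DACLs whose deny entries have been pushed below allow entries.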

References

  1. "Securable Objects". Microsoft. 2008-04-24. Retrieved 2008-07-16.
  2. "What Are Security Descriptors and Access Control Lists?". Microsoft. Archived from the original on 2008-05-05. Retrieved 2008-07-16.
  3. "DACLs and ACEs". Microsoft. 2008-04-24. Retrieved 2008-07-16.
  4. "What is the Windows Integrity Mechanism?". Microsoft.
  5. SubInACL home page.
  6. FILEACL home page. Archived 2012-08-29 at the Wayback Machine.
  7. "FILEACL v3.0.1.6". Microsoft. 2004-03-23. Archived from the original on 2008-04-16. Retrieved 2008-07-25.
  8. "ACCESS_MASK Data Type". Microsoft. 2008-04-24. Retrieved 2008-07-23.
  9. "How Permissions Work". Microsoft. 2013-06-21. Retrieved 2017-11-24.
  10. Richard Civil. "How IT Works: NTFS Permissions, Part 2". Microsoft. Retrieved 2017-11-24.
  11. Richard Civil. "How IT Works: NTFS Permissions". Microsoft. Retrieved 2017-11-24.
