SACL

Security descriptors are data structures of security information for ''securable'' Windows objects, that is, objects that can be identified by a unique name. Security descriptors can be associated with any named object, including files, folders, shares, registry keys, processes, threads, named pipes, services, job objects and other resources. A security descriptor records the object's owner and primary group, a discretionary access control list (DACL) and a system access control list (SACL). The DACL contains access control entries (ACEs) that grant or deny access rights to trustees such as users or groups; the SACL contains ACEs that control auditing of object access. ACEs may be explicitly applied to an object or inherited from a parent object. The order of ACEs in an ACL is important: the access check walks the DACL from the top, accumulating rights from access-allowed ACEs and failing as soon as an access-denied ACE matches a requested right that has not yet been granted. In the canonical order, explicit ACEs precede inherited ACEs and, within each group, access-denied ACEs precede access-allowed ACEs; an allow ACE placed above a matching deny ACE silently defeats the deny. Mandatory Integrity Control is implemented through a dedicated ACE type, the mandatory label ACE, which is stored in the SACL. File and folder permissions can be edited by various tools, including File Explorer, WMI, command-line tools such as Cacls, XCacls, ICacls and SubInACL, the freeware Win32 console utility FILEACL, the free-software utility SetACL, and other utilities. To edit the DACL of an object, a user needs the WRITE_DAC access right to that object, a right that is usually granted by default to administrators and that the object's owner holds implicitly; editing the SACL additionally requires the SE_SECURITY_NAME privilege ("Manage auditing and security log"), and taking ownership requires WRITE_OWNER or the SE_TAKE_OWNERSHIP_NAME privilege.


Permissions in NTFS

The following table summarizes NTFS permissions and their roles, one permission per row. The table exposes the following information:

* Permission code: each access control entry (ACE) carries a 32-bit access mask in which every permission is a single bit. There are 14 such codes for files and folders (12 in older systems).
* Meaning: each permission code has a meaning that depends on whether it is applied to a file or to a folder. For example, code 0x01 on a file is the permission to read the file's data, while on a folder it is the permission to list the folder's contents. The meaning alone decides nothing: an ACE must also name the trustee (user or group) to whom the permission applies, and state whether that permission is granted or denied.
* Included in: in addition to individual permissions, an ACE can specify special permissions known as "generic access rights". Each generic right stands for a fixed set of individual permissions. For example, GENERIC_READ (GR) is equivalent to "Read data", "Read attributes", "Read extended attributes", "Read permissions" and "Synchronize". Because these five are almost always wanted together, requesting GENERIC_READ is more convenient; the system maps the generic right to those five bits before performing the access check.
* Alias: the two Windows command-line utilities (icacls and cacls) have their own aliases for these permissions.

Most of these permissions are self-explanatory, except the following:

# Renaming a file requires the "Delete" permission, because the old name is being deleted.
# File Explorer does not show "Synchronize" and always sets it. Multi-threaded applications such as File Explorer and the Windows Command Prompt need the "Synchronize" right to be able to wait on file and folder handles.
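The ACE-ordering rule from the introduction and the permission codes, generic-right expansion and icacls aliases described in this section, modelled together as an added example. This is not code from the original article or from Microsoft: ACEs are represented as (type, SID, mask) tuples, the SIDs in the demo are constructed, and privileges, the OWNER_RIGHTS SID, MAXIMUM_ALLOWED requests and object-specific ACEs are deliberately left out. The right values, the FILE_GENERIC_* mappings and the alias letters are the documented Win32 constants.

```python
"""Model of a Windows DACL access check plus NTFS access-mask decoding.

Added example, not code from the article or from Microsoft. ACEs are
(type, sid, mask) tuples and the demo SIDs are constructed. Privileges,
the OWNER_RIGHTS SID, MAXIMUM_ALLOWED and object-specific ACEs are not modelled.
"""

# The 14 specific rights of an NTFS file or folder access mask.
FILE_READ_DATA        = 0x0001      # file: read data     folder: list folder
FILE_WRITE_DATA       = 0x0002      # file: write data    folder: create files
FILE_APPEND_DATA      = 0x0004      # file: append data   folder: create folders
FILE_READ_EA          = 0x0008      # read extended attributes
FILE_WRITE_EA         = 0x0010      # write extended attributes
FILE_EXECUTE          = 0x0020      # file: execute       folder: traverse
FILE_DELETE_CHILD     = 0x0040      # folder: delete children
FILE_READ_ATTRIBUTES  = 0x0080
FILE_WRITE_ATTRIBUTES = 0x0100
DELETE                = 0x00010000  # also the right a rename needs
READ_CONTROL          = 0x00020000  # read the security descriptor ("Read permissions")
WRITE_DAC             = 0x00040000  # modify the DACL
WRITE_OWNER           = 0x00080000  # take ownership
SYNCHRONIZE           = 0x00100000

# Generic rights and their file-object expansion (the "Included in" column).
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
GENERIC_EXECUTE, GENERIC_ALL = 0x20000000, 0x10000000
FILE_GENERIC_READ = (READ_CONTROL | FILE_READ_DATA | FILE_READ_ATTRIBUTES
                     | FILE_READ_EA | SYNCHRONIZE)                       # 0x120089
FILE_GENERIC_WRITE = (READ_CONTROL | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES
                      | FILE_WRITE_EA | FILE_APPEND_DATA | SYNCHRONIZE)  # 0x120116
FILE_GENERIC_EXECUTE = (READ_CONTROL | FILE_READ_ATTRIBUTES | FILE_EXECUTE
                        | SYNCHRONIZE)                                   # 0x1200A0
FILE_ALL_ACCESS = 0x001F01FF
GENERIC_MAP = {GENERIC_READ: FILE_GENERIC_READ, GENERIC_WRITE: FILE_GENERIC_WRITE,
               GENERIC_EXECUTE: FILE_GENERIC_EXECUTE, GENERIC_ALL: FILE_ALL_ACCESS}

# icacls aliases for the specific rights, in bit order (from `icacls /?`).
ICACLS_ALIAS = [
    (FILE_READ_DATA, "RD"), (FILE_WRITE_DATA, "WD"), (FILE_APPEND_DATA, "AD"),
    (FILE_READ_EA, "REA"), (FILE_WRITE_EA, "WEA"), (FILE_EXECUTE, "X"),
    (FILE_DELETE_CHILD, "DC"), (FILE_READ_ATTRIBUTES, "RA"),
    (FILE_WRITE_ATTRIBUTES, "WA"), (DELETE, "DE"), (READ_CONTROL, "RC"),
    (WRITE_DAC, "WDAC"), (WRITE_OWNER, "WO"), (SYNCHRONIZE, "S"),
]

def map_generic(mask):
    """Expand generic bits into the specific file rights they stand for."""
    for generic, specific in GENERIC_MAP.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask

def decode_mask(mask):
    """icacls-style aliases of every specific right set in mask."""
    mask = map_generic(mask)
    return [alias for bit, alias in ICACLS_ALIAS if mask & bit]

ALLOW, DENY = "allow", "deny"

def access_check(dacl, owner_sid, token_sids, desired):
    """Walk the DACL in ACL order as the Windows access check does.
    dacl is a list of (ALLOW|DENY, sid, mask) or None; True means fully granted."""
    if dacl is None:                 # no DACL at all: everyone gets full access
        return True                  # (an empty list, by contrast, grants nothing)
    remaining = map_generic(desired)
    # The owner is implicitly granted READ_CONTROL and WRITE_DAC before any ACE is read.
    if owner_sid in token_sids:
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace_type, sid, mask in dacl:
        if remaining == 0:           # everything requested already granted
            break
        if sid not in token_sids:    # ACE does not apply to this token
            continue
        mask = map_generic(mask)
        if ace_type == DENY and mask & remaining:
            return False             # a deny of a still-wanted right ends the check
        if ace_type == ALLOW:
            remaining &= ~mask       # accumulate granted rights, keep walking
    return remaining == 0

# Constructed SIDs for the demo (not real accounts).
ALICE, BOB, USERS = "S-1-5-21-1-1-1-1001", "S-1-5-21-1-1-1-1002", "S-1-5-32-545"
BOB_TOKEN = {BOB, USERS}

# Canonical order: the explicit deny sits above the explicit allow.
CANONICAL = [(DENY, BOB, FILE_READ_DATA),
             (ALLOW, USERS, GENERIC_READ | FILE_EXECUTE)]
# Same ACEs with allow first: the allow satisfies the request before the deny is reached.
NON_CANONICAL = list(reversed(CANONICAL))

def demo():
    return {
        "bob_read_canonical": access_check(CANONICAL, ALICE, BOB_TOKEN, GENERIC_READ),
        "bob_read_noncanonical": access_check(NON_CANONICAL, ALICE, BOB_TOKEN, GENERIC_READ),
        "bob_attrs_canonical": access_check(CANONICAL, ALICE, BOB_TOKEN, FILE_READ_ATTRIBUTES),
        "alice_write_dac": access_check(CANONICAL, ALICE, {ALICE, USERS}, WRITE_DAC),
        "bob_write_dac": access_check(CANONICAL, ALICE, BOB_TOKEN, WRITE_DAC),
        "rx_aliases": decode_mask(FILE_GENERIC_READ | FILE_GENERIC_EXECUTE),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the demo shows the two points a practitioner should carry away: with the deny ACE in its canonical place Bob cannot read the file even though he is a member of Users, but the same two ACEs in the other order grant him GENERIC_READ because the allow ACE satisfies the whole request before the deny is ever consulted; and the owner obtains WRITE_DAC without any ACE granting it, which is why ownership, not just the DACL, decides who can rewrite permissions.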


Footnotes

1. Raymond Chen, "Renaming a file is a multi-step process, only one of which is changing the name of the file", The Old New Thing, Microsoft, 22 October 2021. https://devblogs.microsoft.com/oldnewthing/20211022-00/?p=105822 Quote: "Opening with DELETE permission grants permission to rename the file. The required permission is DELETE because the old name is being deleted."


See also

* Information technology security audit
* Authorization
* Computer security
* Information security
* Token (Windows NT architecture)
* Windows SID
* Security Descriptor Definition Language (SDDL)


External links


* CACLS command description on SS64.com
* SetACL SourceForge page