Security descriptor

Security descriptors are data structures of security information for securable Windows objects, that is objects that can be identified by a unique name. Security descriptors can be associated with any named objects, including files, folders, shares, registry keys, processes, threads, named pipes, services, job objects and other resources.[1]

Security descriptors contain discretionary access control lists (DACLs) that contain access control entries (ACEs) that grant and deny access to trustees such as users or groups. They also contain a system access control list (SACLs) that control auditing of object access.[2][3] ACEs may be explicitly applied to an object or inherited from a parent object. The order of ACEs in an ACL is important, with access denied ACEs appearing higher in the order than ACEs that grant access. Security descriptors also contain the object owner.

Mandatory Integrity Control is implemented through a new type of ACE on a security descriptor.[4]

Files and folder permissions can be edited by various tools including Windows Explorer, WMI, command line tools like Cacls, XCacls, ICacls, SubInACL,[5] the freeware Win32 console FILEACL,[6][7] the free software utility SetACL, and other utilities. To edit a security descriptor, a user needs WRITE_DAC permissions to the object,[8] a permission that is usually delegated by default to administrators and the object's owner.

Permissions in NTFS

The following table summarizes NTFS permissions and their roles (in individual rows.) The table exposes the following information:[9][10][11]

  • Permission code: Each access control entry (ACE) specifies its permission with binary code. There are 14 codes (12 in older systems.)
  • Meaning: Each permission code has a meaning, depending on whether it is applied to a file or a folder. For example, code 0x01 on a file indicates the permission to read the file, while on a folder indicates the permission to list the content of the folder. Knowing the meaning alone, however, is useless. An ACE must also specify to whom the permission applies, and whether that permission is granted or denied.
  • Included in: In addition to individual permissions, an ACE can specify special permissions known as "generic access rights." These special permissions are equivalents of a number individual permissions. For example, GENERIC_READ (or GR) is the equivalent of "Read data", "Read attributes", "Read extended attributes", "Read permissions", and "Synchronize". Because it makes sense to ask for these five at the same time, requesting "GENERIC_READ" is more convenient.
  • Alias: The two Windows command-line utilities (icacls and cacls) have their own aliases for these permissions.
Permission
code 		Meaning Included in Alias
For files For folders R[a] E[b] W[c] A[d] M[e] In icacls In cacls
0x01 Read data List folder contents Yes Yes Yes Yes RD FILE_READ_DATA
0x80 Read attributes Yes Yes Yes Yes RA FILE_READ_ATTRIBUTES
0x08 Read extended attributes Yes Yes Yes Yes REA FILE_READ_EA
0x20 Execute file Traverse folder Yes Yes Yes X FILE_EXECUTE
0x20000 Read permissions Yes Yes Yes Yes Yes RC READ_CONTROL
0x100000 Synchronize Yes Yes Yes Yes Yes S SYNCHRONIZE
0x02 Write data Create files Yes Yes Yes WD FILE_WRITE_DATA
0x04 Append data Create folders Yes Yes Yes AD FILE_APPEND_D
0x100 Write attributes Yes Yes Yes WA FILE_WRITE_ATTRIBUTES
0x10 Write extended attributes Yes Yes Yes WEA FILE_WRITE_EA
0x10000 Delete (or rename[12]) Yes Yes DE DELETE
0x40000 Change permissions Yes WDAC WRITE_DAC
0x80000 Take ownership Yes WO WRITE_OWNER
0x40 Delete subfolders and files Yes DC FILE_DELETE_CHILD

Most of these permissions are self-explanatory, except the following:

  1. Renaming a file requires the "Delete" permission.[12]
  2. File Explorer doesn't show "Synchronize" and always sets it. Multi-threaded apps like File Explorer and Windows Command Prompt need the "Synchronize" permission to be able to work with files and folders.[13]


Footnotes

  1. ^ GENERIC_READ, known as "Read" in File Explorer
  2. ^ GENERIC_EXECUTE, known as "Read & Execute" in File Explorer
  3. ^ GENERIC_WRITE, known as "Write" in File Explorer
  4. ^ GENERIC_ALL, known as "Full Control" in File Explorer
  5. ^ Known as "Modify" in File Explorer

See also

References

  1. ^ "Securable Objects". Microsoft. 2008-04-24. Retrieved 2008-07-16.
  2. ^ "What Are Security Descriptors and Access Control Lists?". Microsoft. Archived from the original on 2008-05-05. Retrieved 2008-07-16.
  3. ^ "DACLs and ACEs". Microsoft. 2008-04-24. Retrieved 2008-07-16.
  4. ^ https://msdn.microsoft.com/en-us/library/bb625957.aspx What is the Windows Integrity Mechanism?
  5. ^ SubInACL home page
  6. ^ FILEACL home page Archived 2012-08-29 at the Wayback Machine
  7. ^ "FILEACL v3.0.1.6". Microsoft. 2004-03-23. Archived from the original on April 16, 2008. Retrieved 2008-07-25.
  8. ^ "ACCESS_MASK Data Type". Microsoft. 2008-04-24. Retrieved 2008-07-23.
  9. ^ "How Permissions Work". Microsoft. 2013-06-21. Retrieved 2017-11-24.
  10. ^ Richard Civil (8 September 2016). "How IT works NTFS Permissions, Part 2". Microsoft. Retrieved 2017-11-24.
  11. ^ Richard Civil (30 August 2016). "How IT works NTFS Permissions". Microsoft. Retrieved 2017-11-24.
  12. ^ a b Chen, Raymond (22 October 2021). "Renaming a file is a multi-step process, only one of which is changing the name of the file". The Old New Thing. Microsoft. Opening with DELETE permission grants permission to rename the file. The required permission is DELETE because the old name is being deleted.
  13. ^ Chen, Raymond (18 November 2019). "I set the same ACL with the GUI and with icacls, yet the results are different". The Old New Thing. Microsoft.

 

Index: pl ar de en es fr it arz nl ja pt ceb sv uk vi war zh ru af ast az bg zh-min-nan bn be ca cs cy da et el eo eu fa gl ko hi hr id he ka la lv lt hu mk ms min no nn ce uz kk ro simple sk sl sr sh fi ta tt th tg azb tr ur zh-yue hy my ace als am an hyw ban bjn map-bms ba be-tarask bcl bpy bar bs br cv nv eml hif fo fy ga gd gu hak ha hsb io ig ilo ia ie os is jv kn ht ku ckb ky mrj lb lij li lmo mai mg ml zh-classical mr xmf mzn cdo mn nap new ne frr oc mhr or as pa pnb ps pms nds crh qu sa sah sco sq scn si sd szl su sw tl shn te bug vec vo wa wuu yi yo diq bat-smg zu lad kbd ang smn ab roa-rup frp arc gn av ay bh bi bo bxr cbk-zam co za dag ary se pdc dv dsb myv ext fur gv gag inh ki glk gan guw xal haw rw kbp pam csb kw km kv koi kg gom ks gcr lo lbe ltg lez nia ln jbo lg mt mi tw mwl mdf mnw nqo fj nah na nds-nl nrm nov om pi pag pap pfl pcd krc kaa ksh rm rue sm sat sc trv stq nso sn cu so srn kab roa-tara tet tpi to chr tum tk tyv udm ug vep fiu-vro vls wo xh zea ty ak bm ch ny ee ff got iu ik kl mad cr pih ami pwn pnt dz rmy rn sg st tn ss ti din chy ts kcg ve
Prefix: a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9

Portal di Ensiklopedia Dunia

Portal : Agama
Agama
Portal : Bahasa
Bahasa
Portal : Biografi
Biografi
Portal : Budaya
Budaya
Portal : Ekonomi
Ekonomi
Portal : Elektronika
Elektronika
Portal : Film
Film
Portal : Filsafat
Filsafat
Portal : Geografi
Geografi
Portal : Indonesia
Indonesia
Portal : Ilmu
Ilmu
Portal : Lingkungan
Lingkungan
Portal : Masyarakat
Masyarakat
Portal : Matematika
Matematika
Portal : Militer
Militer
Portal : Mitologi
Mitologi
Portal : Musik
Musik
Portal : Olahraga
Olahraga
Portal : Pendidikan
Pendidikan
Portal : Politik
Politik
Portal : Sastra
Sastra
Portal : Sejarah
Sejarah
Portal : Seni
Seni
Portal : Teknologi
Teknologi