
SDCheck Notes


Security Descriptors Explored

A security descriptor is the structure that holds the permission information for an object.

The descriptor contains a header that includes a revision number and control flags. It also contains the Owner's SID (Security Identifier) and the SID of the object's primary group. A security descriptor can also contain two other lists: a Discretionary Access Control List (DACL) and a System Access Control List (SACL).

The DACL is used to determine what access can be allowed to an object. It contains access control entries (ACEs) that define which SIDs have which privileges. An ACE has three parts: Header, SID, and Mask. The Header describes whether the entry allows or denies access. The SID is the Security Identifier of the group or user that the ACE pertains to. The Mask specifies which access rights the ACE refers to.

When an access request is received, the system scans the DACL to see if any of its SIDs match any of the SIDs of the requester. If no matches are found, or a Deny is found, then access is denied. All the SIDs are scanned, because a Deny Access always has a higher priority than any Allow. The only exception to this rule is that the owner of an object ALWAYS has full control of the object.

A SACL is similar to a DACL, except that it is used for auditing purposes. If the user's SID is listed in an ACE of the SACL, then an audit event will be recorded in the event log.
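The following is an added example, not part of SDCheck or of the original page. It parses a security descriptor written in Windows SDDL notation (the `O:...G:...D:(...)S:(...)` string form, where each parenthesised entry is one ACE with its type, rights and account) into the parts described above (owner, group, DACL, SACL, and an ACE's Header/SID/Mask), then models the DACL scan and the SACL audit match as the text describes them. The abbreviation tables for accounts (`BA`, `BU`, `SY`, `WD`, `AU`) and for file rights (`FA`, `FR`, `FW`, `FX`) are a small subset of the real SDDL tables, and the sample descriptor and requester token SIDs are constructed for the example.

```python
"""Parse an SDDL security descriptor and model the DACL/SACL checks.

Added example (not SDCheck's code). The alias tables are a subset of the
real SDDL abbreviations; the sample descriptor below is constructed.
"""
import re
from dataclasses import dataclass, field

# Subset of well-known SDDL account abbreviations -> SID strings.
SID_ALIASES = {
    "BA": "S-1-5-32-544",  # Builtin Administrators
    "BU": "S-1-5-32-545",  # Builtin Users
    "SY": "S-1-5-18",      # Local System
    "WD": "S-1-1-0",       # Everyone
    "AU": "S-1-5-11",      # Authenticated Users
}

# Subset of SDDL rights abbreviations -> access-mask bits (file rights).
RIGHTS = {
    "FA": 0x1F01FF,  # FILE_ALL_ACCESS
    "FR": 0x120089,  # FILE_GENERIC_READ
    "FW": 0x120116,  # FILE_GENERIC_WRITE
    "FX": 0x1200A0,  # FILE_GENERIC_EXECUTE
}


@dataclass
class Ace:
    """One access control entry: Header (type), SID and access Mask."""
    ace_type: str  # "A" = allow, "D" = deny, "AU" = audit (SACL only)
    sid: str
    mask: int


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl: list = field(default_factory=list)
    sacl: list = field(default_factory=list)


ACE_RE = re.compile(r"\(([^)]*)\)")
SECTION_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")


def parse_rights(text):
    """Rights are either a hex number (0x...) or two-letter abbreviations."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS[text[i:i + 2]]
    return mask


def parse_acl(text):
    """Each '(type;flags;rights;object;inherit_object;account)' is one ACE."""
    aces = []
    for body in ACE_RE.findall(text):
        ace_type, _flags, rights, _obj, _inh, account = body.split(";")[:6]
        aces.append(Ace(ace_type, SID_ALIASES.get(account, account),
                        parse_rights(rights)))
    return aces


def parse_sddl(sddl):
    """Split the O:, G:, D: and S: sections of an SDDL string."""
    parts = {m.group(1): m.group(2) for m in SECTION_RE.finditer(sddl)}
    return SecurityDescriptor(
        owner=SID_ALIASES.get(parts.get("O", ""), parts.get("O", "")),
        group=SID_ALIASES.get(parts.get("G", ""), parts.get("G", "")),
        dacl=parse_acl(parts.get("D", "")),
        sacl=parse_acl(parts.get("S", "")),
    )


def check_access(sd, requester_sids, requested_mask):
    """DACL scan as described in the notes: the owner is always granted;
    otherwise every ACE is examined, any matching Deny that covers part of
    the request wins, and access is allowed only when matching Allow
    entries cover every requested bit (no matches -> denied)."""
    if sd.owner in requester_sids:
        return True
    granted, denied = 0, False
    for ace in sd.dacl:
        if ace.sid not in requester_sids:
            continue
        if ace.ace_type == "D" and ace.mask & requested_mask:
            denied = True
        elif ace.ace_type == "A":
            granted |= ace.mask
    return not denied and (requested_mask & ~granted) == 0


def audit_entries(sd, requester_sids):
    """SACL entries whose SID matches the requester, i.e. the ones that
    would cause an audit event to be written to the event log."""
    return [a for a in sd.sacl if a.ace_type == "AU" and a.sid in requester_sids]


# Constructed sample: admins own it, users may read, authenticated users may
# write, but Everyone is denied FILE_WRITE_DATA|FILE_APPEND_DATA (0x6); the
# SACL audits successful writes by Everyone.
SAMPLE_SDDL = ("O:BAG:SYD:(A;;FA;;;BA)(A;;FR;;;BU)(A;;FW;;;AU)(D;;0x6;;;WD)"
               "S:(AU;SA;FW;;;WD)")
USER_TOKEN = {"S-1-5-32-545", "S-1-1-0", "S-1-5-11"}  # constructed token SIDs

if __name__ == "__main__":
    sd = parse_sddl(SAMPLE_SDDL)
    print("owner", sd.owner, "group", sd.group)
    print("read  :", check_access(sd, USER_TOKEN, RIGHTS["FR"]))   # True
    print("write :", check_access(sd, USER_TOKEN, RIGHTS["FW"]))   # False: Deny wins
    print("audited by:", [a.sid for a in audit_entries(sd, USER_TOKEN)])
```

Note that the Deny entry is the last ACE in the sample DACL and still overrides the earlier Allow for Authenticated Users, which is the point made above about scanning every entry rather than stopping at the first Allow.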