Security descriptor

Security descriptors are data structures of security information for securable Windows objects, that is, objects that can be identified by a unique name. Security descriptors can be associated with any named object, including files, folders, shares, registry keys, processes, threads, named pipes, services, job objects and other resources.{{cite web|url=https://msdn.microsoft.com/en-us/library/aa379557(VS.85).aspx|title=Securable Objects|publisher=Microsoft|date=2008-04-24|accessdate=2008-07-16}}

Security descriptors contain discretionary access control lists (DACLs) that contain access control entries (ACEs) that grant or deny access to trustees such as users or groups. They also contain a system access control list (SACL) that controls auditing of object access.{{cite web|url=http://technet2.microsoft.com/windowsserver/en/library/d4f08d96-f360-451f-bed3-61a60bc2acde1033.mspx?mfr=true|title=What Are Security Descriptors and Access Control Lists?|publisher=Microsoft|accessdate=2008-07-16|url-status=dead|archiveurl=https://web.archive.org/web/20080505125439/http://technet2.microsoft.com/windowsserver/en/library/d4f08d96-f360-451f-bed3-61a60bc2acde1033.mspx?mfr=true|archivedate=2008-05-05}}{{cite web|url=https://msdn.microsoft.com/en-us/library/aa446597(VS.85).aspx|title=DACLs and ACEs|publisher=Microsoft|date=2008-04-24|accessdate=2008-07-16}} ACEs may be explicitly applied to an object or inherited from a parent object. The order of ACEs in an ACL matters: access-denied ACEs are placed ahead of ACEs that grant access, so that a denial is evaluated before any matching grant. Security descriptors also record the object's owner.
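To show why ACE order matters, the following Python model of a DACL walk is added here as an example; it is not code from the article or from Microsoft. The SIDs, the `Ace` class and `access_check` are constructed for illustration, and owner-implied rights, MAXIMUM_ALLOWED and inheritance are deliberately left out.

```python
# Added example: a simplified model of how a DACL is walked during an access
# check. Only file-access bits named in the article are used; the group SID
# below is a constructed sample value, not a real account.
from dataclasses import dataclass

FILE_READ_DATA = 0x01
FILE_WRITE_DATA = 0x02
DELETE = 0x10000

EVERYONE = "S-1-1-0"                    # well-known SID for Everyone
CONTRACTORS = "S-1-5-21-1-2-3-1105"     # constructed sample group SID


@dataclass(frozen=True)
class Ace:
    kind: str       # "allow" or "deny"
    trustee: str    # SID the ACE applies to
    mask: int       # access rights covered by the ACE


def access_check(dacl, token_sids, desired):
    """Return (granted, reason) for the requested rights.

    Simplified rules: ACEs are read in order; a deny ACE for one of the
    token's SIDs that overlaps a still-outstanding right ends the check
    with a denial; allow ACEs accumulate rights until every requested right
    is granted. A None DACL means everyone has full access.
    """
    if dacl is None:
        return True, "no DACL present: unrestricted access"
    remaining = desired
    for ace in dacl:
        if ace.trustee not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False, f"denied by ACE for {ace.trustee}"
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True, "all requested rights granted"
    return False, "some requested rights were never granted"


# Canonical order: the deny ACE precedes the allow ACE.
CANONICAL = [Ace("deny", CONTRACTORS, FILE_WRITE_DATA | DELETE),
             Ace("allow", EVERYONE, FILE_READ_DATA | FILE_WRITE_DATA | DELETE)]
# Same two ACEs with the allow first: a contractor is granted everything
# before the deny ACE is ever reached.
REVERSED = list(reversed(CANONICAL))

if __name__ == "__main__":
    token = {EVERYONE, CONTRACTORS}     # token of a contractors-group member
    for name, dacl in (("canonical", CANONICAL), ("reversed", REVERSED)):
        print(name, access_check(dacl, token, FILE_WRITE_DATA))
```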

Mandatory Integrity Control is implemented through a new type of ACE on a security descriptor.{{cite web|url=https://msdn.microsoft.com/en-us/library/bb625957.aspx|title=What is the Windows Integrity Mechanism?|publisher=Microsoft}}

File and folder permissions can be edited by various tools, including Windows Explorer, WMI, command-line tools such as Cacls, XCacls, ICacls and SubInACL,[http://www.microsoft.com/downloadS/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en SubInACL home page] the freeware Win32 console FILEACL,[http://www.gbordier.com/gbtools/fileacl.asp FILEACL home page] {{webarchive|url=https://web.archive.org/web/20120829072234/http://www.gbordier.com/gbtools/fileacl.asp |date=2012-08-29 }}{{cite web|url=http://www.microsoft.com/DOWNLOADS/details.aspx?FamilyID=723f64ea-34f0-4e6d-9a72-004d35de4e64&displaylang=en |title=FILEACL v3.0.1.6 |publisher=Microsoft |date=2004-03-23 |accessdate=2008-07-25 |url-status=dead |archiveurl=https://web.archive.org/web/20080416053942/http://www.microsoft.com/downloads/details.aspx?FamilyID=723F64EA-34F0-4E6D-9A72-004D35DE4E64&displaylang=en |archivedate=April 16, 2008 }} the free software utility SetACL, and other utilities. To edit a security descriptor, a user needs the WRITE_DAC permission on the object,{{cite web|url=https://msdn.microsoft.com/en-us/library/aa374892(VS.85).aspx|title=ACCESS_MASK Data Type|publisher=Microsoft|date=2008-04-24|accessdate=2008-07-23}} a permission that is usually granted by default to administrators and the object's owner.

Permissions in NTFS

The following table summarizes NTFS permissions and their roles, one permission per row. The table exposes the following information:{{Cite web|url=https://technet.microsoft.com/en-us/library/cc783530(v=ws.10).aspx|title=How Permissions Work|publisher=Microsoft|date=2013-06-21|accessdate=2017-11-24}}{{Cite web|url=https://technet.microsoft.com/en-us/library/2006.01.howitworksntfs.aspx|title=How IT works NTFS Permissions, Part 2|author=Richard Civil|date=8 September 2016 |publisher=Microsoft|accessdate=2017-11-24}}{{Cite web|url=https://technet.microsoft.com/en-us/library/2005.11.HowITWorksNTFS.aspx|title=How IT works NTFS Permissions|author=Richard Civil|date=30 August 2016 |publisher=Microsoft|accessdate=2017-11-24}}

  • Permission code: Each access control entry (ACE) specifies its permissions with a binary code (an access mask). There are 14 codes (12 in older systems).
  • Meaning: Each permission code has a meaning that depends on whether it is applied to a file or a folder. For example, code 0x01 on a file indicates the permission to read the file, while on a folder it indicates the permission to list the folder's contents. Knowing the meaning alone, however, is not enough: an ACE must also specify to whom the permission applies, and whether that permission is granted or denied.
  • Included in: In addition to individual permissions, an ACE can specify special permissions known as "generic access rights." Each generic right is equivalent to a set of individual permissions. For example, GENERIC_READ (or GR) is the equivalent of "Read data", "Read attributes", "Read extended attributes", "Read permissions", and "Synchronize". Because it makes sense to ask for these five at the same time, requesting GENERIC_READ is more convenient.
  • Alias: The two Windows command-line utilities (icacls and cacls) have their own aliases for these permissions.

{| class="wikitable"
! rowspan="2" | Permission code
! colspan="2" | Meaning
! colspan="5" | Included in
! colspan="2" | Alias
|-
! For files
! For folders
! R{{efn|GENERIC_READ, known as "Read" in File Explorer}}
! E{{efn|GENERIC_EXECUTE, known as "Read & Execute" in File Explorer}}
! W{{efn|GENERIC_WRITE, known as "Write" in File Explorer}}
! A{{efn|GENERIC_ALL, known as "Full Control" in File Explorer}}
! M{{efn|Known as "Modify" in File Explorer}}
! In icacls
! In cacls
|-
| style="text-align:right" | 0x01
| Read data
| List folder contents
| {{Yes}}
| {{Yes}}
|
| {{Yes}}
| {{Yes}}
| RD
| FILE_READ_DATA
|-
| style="text-align:right" | 0x80
| colspan="2" | Read attributes
| {{Yes}}
| {{Yes}}
|
| {{Yes}}
| {{Yes}}
| RA
| FILE_READ_ATTRIBUTES
|-
| style="text-align:right" | 0x08
| colspan="2" | Read extended attributes
| {{Yes}}
| {{Yes}}
|
| {{Yes}}
| {{Yes}}
| REA
| FILE_READ_EA
|-
| style="text-align:right" | 0x20
| Execute file
| Traverse folder
|
| {{Yes}}
|
| {{Yes}}
| {{Yes}}
| X
| FILE_EXECUTE
|-
| style="text-align:right" | 0x20000
| colspan="2" | Read permissions
| {{Yes}}
| {{Yes}}
| {{Yes}}
| {{Yes}}
| {{Yes}}
| RC
| READ_CONTROL
|-
| style="text-align:right" | 0x100000
| colspan="2" | Synchronize
| {{Yes}}
| {{Yes}}
| {{Yes}}
| {{Yes}}
| {{Yes}}
| S
| SYNCHRONIZE
|-
| style="text-align:right" | 0x02
| Write data
| Create files
|
|
| {{Yes}}
| {{Yes}}
| {{Yes}}
| WD
| FILE_WRITE_DATA
|-
| style="text-align:right" | 0x04
| Append data
| Create folders
|
|
| {{Yes}}
| {{Yes}}
| {{Yes}}
| AD
| FILE_APPEND_DATA
|-
| style="text-align:right" | 0x100
| colspan="2" | Write attributes
|
|
| {{Yes}}
| {{Yes}}
| {{Yes}}
| WA
| FILE_WRITE_ATTRIBUTES
|-
| style="text-align:right" | 0x10
| colspan="2" | Write extended attributes
|
|
| {{Yes}}
| {{Yes}}
| {{Yes}}
| WEA
| FILE_WRITE_EA
|-
| style="text-align:right" | 0x10000
| colspan="2" | Delete (or rename)
|
|
|
| {{Yes}}
| {{Yes}}
| DE
| DELETE
|-
| style="text-align:right" | 0x40000
| colspan="2" | Change permissions
|
|
|
| {{Yes}}
|
| WDAC
| WRITE_DAC
|-
| style="text-align:right" | 0x80000
| colspan="2" | Take ownership
|
|
|
| {{Yes}}
|
| WO
| WRITE_OWNER
|-
| style="text-align:right" | 0x40
| colspan="2" | Delete subfolders and files
|
|
|
| {{Yes}}
|
| DC
| FILE_DELETE_CHILD
|}

Most of these permissions are self-explanatory, except the following:

  1. Renaming a file requires the "Delete" permission.
  2. File Explorer doesn't show "Synchronize" and always sets it. Multi-threaded apps like File Explorer and Windows Command Prompt need the "Synchronize" permission to be able to work with files and folders.{{cite web |last1=Chen |first1=Raymond |title=I set the same ACL with the GUI and with icacls, yet the results are different |url=https://devblogs.microsoft.com/oldnewthing/20191118-00/?p=103110 |website=The Old New Thing |publisher=Microsoft |date=18 November 2019}}
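The following Python block is added here as an example, not code from the article or from Microsoft: it decodes a file access mask into the icacls aliases of the table above, expands generic rights into their specific bits, and flags a mask that omits "Synchronize". The function names `map_generic`, `decode` and `usable_by_apps` are my own; the generic-right bit values and the FILE_GENERIC_* expansions are the documented Win32 constants.

```python
# Added example: decode an NTFS access mask using the table's bits and aliases.
SPECIFIC = {  # bit: (icacls alias, meaning for files), in table order
    0x01: ("RD", "Read data"),           0x80: ("RA", "Read attributes"),
    0x08: ("REA", "Read extended attributes"), 0x20: ("X", "Execute file"),
    0x20000: ("RC", "Read permissions"), 0x100000: ("S", "Synchronize"),
    0x02: ("WD", "Write data"),          0x04: ("AD", "Append data"),
    0x100: ("WA", "Write attributes"),   0x10: ("WEA", "Write extended attributes"),
    0x10000: ("DE", "Delete (or rename)"), 0x40000: ("WDAC", "Change permissions"),
    0x80000: ("WO", "Take ownership"),   0x40: ("DC", "Delete subfolders and files"),
}
SYNCHRONIZE = 0x100000

# Generic access rights occupy the top four bits of an access mask (Win32 values).
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
GENERIC_EXECUTE, GENERIC_ALL = 0x20000000, 0x10000000

# What each generic right expands to for a file object (Win32 FILE_GENERIC_*).
# Note: File Explorer's "Read & Execute" preset also includes the read bits.
FILE_GENERIC_MAPPING = {
    GENERIC_READ:    0x01 | 0x80 | 0x08 | 0x20000 | 0x100000,          # 0x120089
    GENERIC_WRITE:   0x02 | 0x04 | 0x100 | 0x10 | 0x20000 | 0x100000,  # 0x120116
    GENERIC_EXECUTE: 0x80 | 0x20 | 0x20000 | 0x100000,                 # 0x1200A0
    GENERIC_ALL:     0x1F01FF,                                         # all 14 bits
}


def map_generic(mask):
    """Replace generic bits with the specific rights they stand for."""
    for generic, specific in FILE_GENERIC_MAPPING.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask


def decode(mask):
    """Return the icacls aliases present in a mask, in table order."""
    mask = map_generic(mask)
    return [alias for bit, (alias, _) in SPECIFIC.items() if mask & bit]


def usable_by_apps(mask):
    """False when SYNCHRONIZE is missing: File Explorer always sets it, a hand-typed mask may not."""
    return bool(map_generic(mask) & SYNCHRONIZE)


if __name__ == "__main__":
    print(decode(GENERIC_READ))          # ['RD', 'RA', 'REA', 'RC', 'S']
    print(usable_by_apps(0x0F01FF))      # Full Control minus (S): False
```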

Footnotes

{{Notelist}}

See also

References

{{reflist|refs=

{{cite web |last1=Chen |first1=Raymond |title=Renaming a file is a multi-step process, only one of which is changing the name of the file |url=https://devblogs.microsoft.com/oldnewthing/20211022-00/?p=105822 |website=The Old New Thing |publisher=Microsoft |date=22 October 2021 |quote=Opening with DELETE permission grants permission to rename the file. The required permission is DELETE because the old name is being deleted.}}

}}