Security descriptor

Last updated January 09, 2025

Security descriptors are data structures of security information for securable Windows objects, that is objects that can be identified by a unique name. Security descriptors can be associated with any named objects, including files, folders, shares, registry keys, processes, threads, named pipes, services, job objects and other resources.^[1]

Security descriptors contain discretionary access control lists (DACLs) that contain access control entries (ACEs) that grant and deny access to trustees such as users or groups. They also contain a system access control list (SACLs) that control auditing of object access.^[2]^[3] ACEs may be explicitly applied to an object or inherited from a parent object. The order of ACEs in an ACL is important, with access denied ACEs appearing higher in the order than ACEs that grant access. Security descriptors also contain the object owner.

Mandatory Integrity Control is implemented through a new type of ACE on a security descriptor.^[4]

Files and folder permissions can be edited by various tools including Windows Explorer, WMI, command line tools like Cacls, XCacls, ICacls, SubInACL,^[5] the freeware Win32 console FILEACL,^[6]^[7] the free software utility SetACL, and other utilities. To edit a security descriptor, a user needs WRITE_DAC permissions to the object,^[8] a permission that is usually delegated by default to administrators and the object's owner.

Permissions in NTFS

The following table summarizes NTFS permissions and their roles (in individual rows.) The table exposes the following information:^[9]^[10]^[11]

Permission code: Each access control entry (ACE) specifies its permission with binary code. There are 14 codes (12 in older systems.)
Meaning: Each permission code has a meaning, depending on whether it is applied to a file or a folder. For example, code 0x01 on a file indicates the permission to read the file, while on a folder indicates the permission to list the content of the folder. Knowing the meaning alone, however, is useless. An ACE must also specify to whom the permission applies, and whether that permission is granted or denied.
Included in: In addition to individual permissions, an ACE can specify special permissions known as "generic access rights." These special permissions are equivalents of a number individual permissions. For example, GENERIC_READ (or GR) is the equivalent of "Read data", "Read attributes", "Read extended attributes", "Read permissions", and "Synchronize". Because it makes sense to ask for these five at the same time, requesting "GENERIC_READ" is more convenient.
Alias: The two Windows command-line utilities (icacls and cacls) have their own aliases for these permissions.

Permission code	Meaning		Included in					Alias
Permission code	For files	For folders	R^[a]	E^[b]	W^[c]	A^[d]	M^[e]	In icacls	In cacls
0x01	Read data	List folder contents	Yes	Yes		Yes	Yes	RD	FILE_READ_DATA
0x80	Read attributes		Yes	Yes		Yes	Yes	RA	FILE_READ_ATTRIBUTES
0x08	Read extended attributes		Yes	Yes		Yes	Yes	REA	FILE_READ_EA
0x20	Execute file	Traverse folder		Yes		Yes	Yes	X	FILE_EXECUTE
0x20000	Read permissions		Yes	Yes	Yes	Yes	Yes	RC	READ_CONTROL
0x100000	Synchronize		Yes	Yes	Yes	Yes	Yes	S	SYNCHRONIZE
0x02	Write data	Create files			Yes	Yes	Yes	WD	FILE_WRITE_DATA
0x04	Append data	Create folders			Yes	Yes	Yes	AD	FILE_APPEND_D
0x100	Write attributes				Yes	Yes	Yes	WA	FILE_WRITE_ATTRIBUTES
0x10	Write extended attributes				Yes	Yes	Yes	WEA	FILE_WRITE_EA
0x10000	Delete (or rename^[12])					Yes	Yes	DE	DELETE
0x40000	Change permissions					Yes		WDAC	WRITE_DAC
0x80000	Take ownership					Yes		WO	WRITE_OWNER
0x40	Delete subfolders and files					Yes		DC	FILE_DELETE_CHILD

Most of these permissions are self-explanatory, except the following:

Renaming a file requires the "Delete" permission.^[12]
File Explorer doesn't show "Synchronize" and always sets it. Multi-threaded apps like File Explorer and Windows Command Prompt need the "Synchronize" permission to be able to work with files and folders.^[13]

Footnotes

↑ GENERIC_READ, known as "Read" in File Explorer
↑ GENERIC_EXECUTE, known as "Read & Execute" in File Explorer
↑ GENERIC_WRITE, known as "Write" in File Explorer
↑ GENERIC_ALL, known as "Full Control" in File Explorer
↑ Known as "Modify" in File Explorer

Related Research Articles

A computer file is a resource for recording data on a computer storage device, primarily identified by its filename. Just as words can be written on paper, so too can data be written to a computer file. Files can be shared with and transferred between computers and mobile devices via removable media, networks, or the Internet.

NT File System (NTFS) is a proprietary journaling file system developed by Microsoft in the 1990s.

In Unix and Unix-like operating systems, chmod is the command and system call used to change the access permissions and the special mode flags of file system objects. Collectively these were originally called its modes, and the name chmod was chosen as an abbreviation of change mode.

In computer security, an access-control list (ACL) is a list of permissions associated with a system resource. An ACL specifies which users or system processes are granted access to resources, as well as what operations are allowed on given resources. Each entry in a typical ACL specifies a subject and an operation. For instance,

In computing, a symbolic link is a file whose purpose is to point to a file or directory by specifying a path thereto.

In computing, a file system or filesystem governs file organization and access. A local file system is a capability of an operating system that services the applications running on the same computer. A distributed file system is a protocol that provides file access between networked computers.

<span class="mw-page-title-main">Windows Registry</span> Database for Microsoft Windows

The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager, and user interfaces can all use the registry. The registry also allows access to counters for profiling system performance.

File locking is a mechanism that restricts access to a computer file, or to a region of a file, by allowing only one user or process to modify or delete it at a specific time, and preventing reading of the file while it's being modified or deleted.

In a computer file system, a fork is a set of data associated with a file-system object. File systems without forks only allow a single set of data for the contents, while file systems with forks allow multiple such contents. Every non-empty file must have at least one fork, often of default type, and depending on the file system, a file may have one or more other associated forks, which in turn may contain primary data integral to the file, or just metadata.

File attributes are a type of metadata that describe and may modify how files and/or directories in a filesystem behave. Typical file attributes may, for example, indicate or specify whether a file is visible, modifiable, compressed, or encrypted. The availability of most file attributes depends on support by the underlying filesystem where attribute data must be stored along with other control structures. Each attribute can have one of two states: set and cleared. Attributes are considered distinct from other metadata, such as dates and times, filename extensions or file system permissions. In addition to files, folders, volumes and other file system objects may have attributes.

File Manager is a file manager program bundled with releases of OS/2 and Microsoft Windows between 1988 and 2000. It is a single-instance graphical interface, replacing the command-line interface of MS-DOS to manage files and MS-DOS Executive file manager from previous Windows versions.

System File Checker (SFC) is a utility in Microsoft Windows that allows users to scan for and restore corrupted Windows system files.

As the next version of Windows NT after Windows 2000, as well as the successor to Windows Me, Windows XP introduced many new features but it also removed some others.

Robocopy is a command-line file transfer utility for Microsoft Windows. Robocopy is functionally more comprehensive than the COPY command and XCOPY, but replaces neither. Created by Kevin Allen and first released as part of the Windows NT 4.0 Resource Kit, it has been a standard feature of Windows since Windows Vista and Windows Server 2008.

In Microsoft Windows, cacls, and its replacement icacls, are native command-line utilities that can display and modify the security descriptors on files and folders. An access-control list is a list of permissions for securable object, such as a file or folder, that controls who can access it. The cacls command is also available on ReactOS.

Windows Vista contains a range of new technologies and features that are intended to help network administrators and power users better manage their systems. Notable changes include a complete replacement of both the Windows Setup and the Windows startup processes, completely rewritten deployment mechanisms, new diagnostic and health monitoring tools such as random access memory diagnostic program, support for per-application Remote Desktop sessions, a completely new Task Scheduler, and a range of new Group Policy settings covering many of the features new to Windows Vista. Subsystem for UNIX Applications, which provides a POSIX-compatible environment is also introduced.

Windows Resource Protection is a feature first introduced in Windows Vista and Windows Server 2008. It is available in all subsequent Windows operating systems, and replaces Windows File Protection. Windows Resource Protection prevents the replacement of critical system files, registry keys and folders. Protecting these resources prevents system crashes. The way it protects resources differs entirely from the method used by Windows File Protection.

Mandatory Integrity Control (MIC) is a core security feature of Windows Vista and later that adds mandatory access control to running processes based on their Integrity Level (IL). The IL represents the level of trustworthiness of an object. This mechanism's goal is to restrict the access permissions for potentially less trustworthy contexts, compared with other contexts running under the same user account that are more trusted.

SetACL is a freeware utility for manipulating security descriptors on Microsoft Windows. It used to be available under the GNU Lesser General Public License (LGPL) as a command-line utility and as an ActiveX component, but changed to a freeware license in version 3.0.0.0.

References

↑ "Securable Objects". Microsoft. 2008-04-24. Retrieved 2008-07-16.
↑ "What Are Security Descriptors and Access Control Lists?". Microsoft. Archived from the original on 2008-05-05. Retrieved 2008-07-16.
↑ "DACLs and ACEs". Microsoft. 2008-04-24. Retrieved 2008-07-16.
↑ https://msdn.microsoft.com/en-us/library/bb625957.aspx What is the Windows Integrity Mechanism?
↑ SubInACL home page
↑ FILEACL home page Archived 2012-08-29 at the Wayback Machine
↑ "FILEACL v3.0.1.6". Microsoft. 2004-03-23. Archived from the original on April 16, 2008. Retrieved 2008-07-25.
↑ "ACCESS_MASK Data Type". Microsoft. 2008-04-24. Retrieved 2008-07-23.
↑ "How Permissions Work". Microsoft. 2013-06-21. Retrieved 2017-11-24.
↑ Richard Civil (8 September 2016). "How IT works NTFS Permissions, Part 2". Microsoft . Retrieved 2017-11-24.
↑ Richard Civil (30 August 2016). "How IT works NTFS Permissions". Microsoft . Retrieved 2017-11-24.
1 2 Chen, Raymond (22 October 2021). "Renaming a file is a multi-step process, only one of which is changing the name of the file". The Old New Thing. Microsoft. Opening with DELETE permission grants permission to rename the file. The required permission is DELETE because the old name is being deleted.
↑ Chen, Raymond (18 November 2019). "I set the same ACL with the GUI and with icacls, yet the results are different". The Old New Thing. Microsoft.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[12] GENERIC_READ, known as "Read" in File Explorer

[13] GENERIC_EXECUTE, known as "Read & Execute" in File Explorer

[14] GENERIC_WRITE, known as "Write" in File Explorer

[15] GENERIC_ALL, known as "Full Control" in File Explorer

[16] Known as "Modify" in File Explorer

[1] "Securable Objects". Microsoft. 2008-04-24. Retrieved 2008-07-16.

[2] "What Are Security Descriptors and Access Control Lists?". Microsoft. Archived from the original on 2008-05-05. Retrieved 2008-07-16.

[3] "DACLs and ACEs". Microsoft. 2008-04-24. Retrieved 2008-07-16.

[4] ttps://msdn.microsoft.com/en-us/library/bb625957.aspx What is the Windows Integrity Mechanism?

[5] SubInACL home page

[6] FILEACL home page Archived 2012-08-29 at the Wayback Machine

[7] "FILEACL v3.0.1.6". Microsoft. 2004-03-23. Archived from the original on April 16, 2008. Retrieved 2008-07-25.

[8] "ACCESS_MASK Data Type". Microsoft. 2008-04-24. Retrieved 2008-07-23.

[9] "How Permissions Work". Microsoft. 2013-06-21. Retrieved 2017-11-24.

[10] Richard Civil (8 September 2016). "How IT works NTFS Permissions, Part 2". Microsoft . Retrieved 2017-11-24.

[11] Richard Civil (30 August 2016). "How IT works NTFS Permissions". Microsoft . Retrieved 2017-11-24.

[Rename1-17] 1 2 Chen, Raymond (22 October 2021). "Renaming a file is a multi-step process, only one of which is changing the name of the file". The Old New Thing. Microsoft. Opening with DELETE permission grants permission to rename the file. The required permission is DELETE because the old name is being deleted.

[18] Chen, Raymond (18 November 2019). "I set the same ACL with the GUI and with icacls, yet the results are different". The Old New Thing. Microsoft.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[a]

[b]

[c]

[d]

[e]

[12]

[13]