Security descriptor

Security descriptors are data structures holding the security information of securable Windows objects, that is, objects that can have a security descriptor. All named Windows objects are securable, and so are some unnamed kernel objects such as processes and threads. Securable objects include files, folders, shares, registry keys, processes, threads, named pipes, services, job objects and other resources. [1]

A security descriptor records the object's owner (and primary group), a discretionary access control list (DACL) and a system access control list (SACL). The DACL is an ordered list of access control entries (ACEs), each of which grants or denies a set of access rights to a trustee such as a user or group; the SACL holds ACEs that control auditing of access to the object. [2] [3] An ACE may be set explicitly on the object or inherited from a parent object. The order of ACEs in a DACL matters because the access check walks the list from the top and stops at the first deny ACE that covers any of the requested rights, or as soon as allow ACEs have covered all of them. The canonical order is therefore explicit deny, explicit allow, inherited deny, inherited allow, so that an explicit deny is always evaluated before any allow. Two edge cases matter in practice: a security descriptor with no DACL at all (a NULL DACL) grants everyone full access, whereas an empty DACL grants no one any access.

Mandatory Integrity Control is implemented through an additional ACE type, the mandatory label ACE (SYSTEM_MANDATORY_LABEL_ACE), which is stored in the object's SACL rather than its DACL and carries the object's integrity level. [4]

File and folder permissions can be edited with various tools, including Windows Explorer, WMI, the command-line tools Cacls, XCacls, ICacls and SubInACL, [5] the freeware Win32 console utility FILEACL, [6] [7] the free software utility SetACL, the PowerShell cmdlets Get-Acl and Set-Acl, and other utilities. To change an object's DACL a caller needs the WRITE_DAC right on the object, [8] which the object's owner holds implicitly (an owner is always granted READ_CONTROL and WRITE_DAC regardless of the DACL) and which is usually granted to administrators by default. An administrator who lacks it can take ownership first, because the SeTakeOwnershipPrivilege privilege allows WRITE_OWNER access to any object.
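The access-check walk, the canonical ACE order and the owner's implicit WRITE_DAC described above, as an added Python model. This is not Microsoft's code: the access-right constants are the real winnt.h values and FILE_GENERIC_* is the generic mapping Windows applies to file objects, but the Ace, SecurityDescriptor and Token classes, the function names and the principal names (alice, bob, Users, Everyone) are constructed stand-ins for SIDs and kernel structures. It also covers the NULL-DACL and empty-DACL cases, which the page mentions but does not work through.

```python
"""Added example (not Microsoft's code): a model of the Windows DACL access check."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Specific file/folder rights from the NTFS permissions table (winnt.h values)
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA = 0x01, 0x02, 0x04
FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE = 0x08, 0x10, 0x20
FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES = 0x40, 0x80, 0x100
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x10000, 0x20000, 0x40000, 0x80000
SYNCHRONIZE = 0x100000
GENERIC_ALL, GENERIC_EXECUTE = 0x10000000, 0x20000000
GENERIC_WRITE, GENERIC_READ = 0x40000000, 0x80000000

# Generic mapping for file objects (FILE_GENERIC_* and FILE_ALL_ACCESS in winnt.h)
FILE_GENERIC_READ = READ_CONTROL | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE
FILE_GENERIC_WRITE = (READ_CONTROL | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES
                      | FILE_WRITE_EA | FILE_APPEND_DATA | SYNCHRONIZE)
FILE_GENERIC_EXECUTE = READ_CONTROL | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE
FILE_ALL_ACCESS = 0x1F01FF
GENERIC_MAPPING = {GENERIC_READ: FILE_GENERIC_READ, GENERIC_WRITE: FILE_GENERIC_WRITE,
                   GENERIC_EXECUTE: FILE_GENERIC_EXECUTE, GENERIC_ALL: FILE_ALL_ACCESS}


def map_generic(mask: int) -> int:
    """Replace GENERIC_* bits with the file-specific rights they stand for."""
    for generic, specific in GENERIC_MAPPING.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask


@dataclass(frozen=True)
class Ace:
    kind: str               # "allow" or "deny"
    trustee: str            # constructed principal name standing in for a SID
    mask: int
    inherited: bool = False


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]]   # None models a NULL DACL, [] models an empty DACL


@dataclass(frozen=True)
class Token:
    user: str
    groups: FrozenSet[str]


def canonical_order(aces: List[Ace]) -> List[Ace]:
    """Order ACEs as Windows tools write them: explicit before inherited,
    and deny before allow within each of those two groups (stable sort)."""
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))


def access_check(sd: SecurityDescriptor, token: Token, requested: int) -> bool:
    """True if the token is granted every right in `requested`."""
    if sd.dacl is None:
        return True                       # NULL DACL: no protection at all
    remaining = map_generic(requested)
    if sd.owner == token.user:
        remaining &= ~(READ_CONTROL | WRITE_DAC)   # owner's implicit rights
    principals = token.groups | {token.user}
    for ace in sd.dacl:                   # walked strictly top to bottom
        if remaining == 0:
            break
        if ace.trustee not in principals:
            continue
        if ace.kind == "deny" and map_generic(ace.mask) & remaining:
            return False                  # first deny covering any wanted right wins
        if ace.kind == "allow":
            remaining &= ~map_generic(ace.mask)
    return remaining == 0                 # empty DACL or no covering allow: denied


# Constructed sample: a file owned by alice whose ACEs are NOT in canonical order
ACES = [
    Ace("allow", "Everyone", GENERIC_WRITE, inherited=True),   # inherited allow
    Ace("deny", "bob", FILE_WRITE_DATA),                       # explicit deny
    Ace("allow", "Users", GENERIC_READ, inherited=True),       # inherited allow
]
BOB = Token("bob", frozenset({"Users", "Everyone"}))
ALICE = Token("alice", frozenset({"Users", "Everyone"}))


def demo() -> dict:
    as_written = SecurityDescriptor("alice", ACES)
    canonical = SecurityDescriptor("alice", canonical_order(ACES))
    empty = SecurityDescriptor("alice", [])
    null = SecurityDescriptor("alice", None)
    return {
        "bob_write_as_written": access_check(as_written, BOB, GENERIC_WRITE),  # allow is hit first
        "bob_write_canonical": access_check(canonical, BOB, GENERIC_WRITE),    # explicit deny now wins
        "bob_read_canonical": access_check(canonical, BOB, GENERIC_READ),
        "owner_write_dac_empty_dacl": access_check(empty, ALICE, WRITE_DAC),   # implicit owner right
        "owner_write_owner_empty_dacl": access_check(empty, ALICE, WRITE_OWNER),
        "owner_read_empty_dacl": access_check(empty, ALICE, FILE_READ_DATA),
        "anyone_null_dacl": access_check(null, BOB, FILE_ALL_ACCESS),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name:30} {'GRANTED' if granted else 'DENIED'}")
```

The same three ACEs give opposite answers for bob's write request depending only on their order, which is why tools such as icacls and File Explorer rewrite a DACL into canonical order and why a hand-built DACL should be sorted before it is applied. The owner case shows that ownership by itself yields WRITE_DAC but not WRITE_OWNER or read access; the latter still need an ACE (or, for taking ownership, a privilege).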

Permissions in NTFS

The following table lists the NTFS specific access rights, one per row: the access-mask bit, the meaning for files and for folders, which of File Explorer's basic permissions include the right, and the abbreviations used by icacls and the Win32 API. [9] [10] [11]

| Code | Meaning for files | Meaning for folders | R [a] | E [b] | W [c] | A [d] | M [e] | icacls | Win32 access right |
|---|---|---|---|---|---|---|---|---|---|
| 0x01 | Read data | List folder contents | Yes | Yes | | Yes | Yes | RD | FILE_READ_DATA |
| 0x80 | Read attributes | Read attributes | Yes | Yes | | Yes | Yes | RA | FILE_READ_ATTRIBUTES |
| 0x08 | Read extended attributes | Read extended attributes | Yes | Yes | | Yes | Yes | REA | FILE_READ_EA |
| 0x20 | Execute file | Traverse folder | | Yes | | Yes | Yes | X | FILE_EXECUTE |
| 0x20000 | Read permissions | Read permissions | Yes | Yes | Yes | Yes | Yes | RC | READ_CONTROL |
| 0x100000 | Synchronize | Synchronize | Yes | Yes | Yes | Yes | Yes | S | SYNCHRONIZE |
| 0x02 | Write data | Create files | | | Yes | Yes | Yes | WD | FILE_WRITE_DATA |
| 0x04 | Append data | Create folders | | | Yes | Yes | Yes | AD | FILE_APPEND_DATA |
| 0x100 | Write attributes | Write attributes | | | Yes | Yes | Yes | WA | FILE_WRITE_ATTRIBUTES |
| 0x10 | Write extended attributes | Write extended attributes | | | Yes | Yes | Yes | WEA | FILE_WRITE_EA |
| 0x10000 | Delete (or rename [12]) | Delete (or rename [12]) | | | | Yes | Yes | DE | DELETE |
| 0x40000 | Change permissions | Change permissions | | | | Yes | | WDAC | WRITE_DAC |
| 0x80000 | Take ownership | Take ownership | | | | Yes | | WO | WRITE_OWNER |
| 0x40 | Delete subfolders and files | Delete subfolders and files | | | | Yes | | DC | FILE_DELETE_CHILD |

Most of these permissions are self-explanatory, except the following:

  1. Renaming a file requires the "Delete" permission, because a rename removes the old name. [12]
  2. File Explorer does not show "Synchronize" and always sets it. SYNCHRONIZE is required to open a file for synchronous I/O, which is how ordinary programs such as File Explorer and Windows Command Prompt open files. An ACE written with icacls that lists the specific rights but omits S (icacls does not add it on its own) therefore leaves the user with the rights on paper but unable to use the file with those programs. [13]

Footnotes

  a. GENERIC_READ, known as "Read" in File Explorer
  b. GENERIC_EXECUTE, known as "Read & Execute" in File Explorer
  c. GENERIC_WRITE, known as "Write" in File Explorer
  d. GENERIC_ALL, known as "Full Control" in File Explorer
  e. Known as "Modify" in File Explorer

References

  1. "Securable Objects". Microsoft. 2008-04-24. Retrieved 2008-07-16.
  2. "What Are Security Descriptors and Access Control Lists?". Microsoft. Archived from the original on 2008-05-05. Retrieved 2008-07-16.
  3. "DACLs and ACEs". Microsoft. 2008-04-24. Retrieved 2008-07-16.
  4. "What is the Windows Integrity Mechanism?". Microsoft. https://msdn.microsoft.com/en-us/library/bb625957.aspx
  5. SubInACL home page
  6. FILEACL home page Archived 2012-08-29 at the Wayback Machine
  7. "FILEACL v3.0.1.6". Microsoft. 2004-03-23. Archived from the original on April 16, 2008. Retrieved 2008-07-25.
  8. "ACCESS_MASK Data Type". Microsoft. 2008-04-24. Retrieved 2008-07-23.
  9. "How Permissions Work". Microsoft. 2013-06-21. Retrieved 2017-11-24.
  10. Richard Civil. "How IT works NTFS Permissions, Part 2". Microsoft. Retrieved 2017-11-24.
  11. Richard Civil. "How IT works NTFS Permissions". Microsoft. Retrieved 2017-11-24.
  12. Chen, Raymond (22 October 2021). "Renaming a file is a multi-step process, only one of which is changing the name of the file". The Old New Thing. Microsoft. Opening with DELETE permission grants permission to rename the file. The required permission is DELETE because the old name is being deleted.
  13. Chen, Raymond (18 November 2019). "I set the same ACL with the GUI and with icacls, yet the results are different". The Old New Thing. Microsoft.