Security Descriptors and Access Control Lists


Security descriptors define the security applied to Windows and Active Directory (AD) objects.  This is a brief overview of how they work.

  • Security Descriptor:
    • Defines the security applied to an object.
    • Contains information about:
      • Who owns the object
      • Who can access the object and how
      • What types of access are audited
    • Contains the object's access control lists (the DACL and the SACL)

  • Security Descriptor Components:
    • ACL : Access control list.  DACL and SACL are the two types of ACL.
    • DACL: Discretionary access control list: Identifies which users and groups are allowed or denied access, and what kind of access
    • SACL: System access control list: Controls which access attempts are audited
    • ACE : Access control entry: ACEs are the entries of a DACL or SACL.  Each is composed of three parts:
      • Type: allow, deny, or audit
      • SID of the user or group (the trustee)
      • Access mask: the operations allowed, denied, or audited

  • ACE Types
    • Generic
      • Access-denied - Used in a DACL to deny access
      • Access-allowed - Used in a DACL to allow access
      • System-audit - Used in a SACL to log attempts to access
    • Object Specific
      • Access-denied, object-specific - Used in a DACL to deny access to a property or property set, or to limit inheritance to a specified type of child object
      • Access-allowed, object-specific - Used in a DACL to allow access to a property or property set, or to limit inheritance to a specified type of child object
      • System-audit, object-specific - Used in a SACL to log attempts to access a property or property set, or to limit inheritance to a specified type of child object

  • Default Permissions: When an object is created, the creating process can supply a security descriptor.  If it does not, the descriptor is built from the inheritable ACEs of the parent object.  If no parent object data is available, the system supplies a default set of values.

  • Inherited and Explicit Permissions
    • Inherited permissions: Permissions that flow down from a parent object (the ACE carries the INHERITED_ACE flag)
    • Explicit permissions: Permissions that are assigned directly to the object

  • Owner: The owner of an object.  The owner is always granted the right to read and change the object's DACL (READ_CONTROL and WRITE_DAC), so the owner can grant permissions on the object even when the DACL does not list the owner at all.

  • Missing and Empty DACLs (easy to confuse, with opposite effects)
    • No DACL (a NULL DACL): everyone has full access to the object
    • Empty DACL (present, but containing no ACEs): no one has access to the object, apart from the rights the owner holds implicitly
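The ACE types, inherited flag, owner rights, and NULL-versus-empty DACL distinction above are easiest to see in the bytes.  The following is an added example, not code from the TechNet article: it builds and parses self-relative security descriptors using the public MS-DTYP layouts (SECURITY_DESCRIPTOR, ACL, ACE_HEADER, SID) and runs a simplified version of the DACL walk an access check performs.  The SIDs, the property GUID, and the sample ACEs are all constructed for illustration.

```python
"""Parse a self-relative Windows security descriptor and evaluate its DACL.
Added example, not code from the cited TechNet article; layouts follow the public
MS-DTYP structures, and the sample descriptors below are constructed, not captured."""
import struct
import uuid

SE_DACL_PRESENT, SE_SELF_RELATIVE, ACCESS_ALLOWED, ACCESS_DENIED = 0x0004, 0x8000, 0x00, 0x01
ACE_NAMES = {0x00: "Access-allowed", 0x01: "Access-denied", 0x02: "System-audit",
             0x05: "Access-allowed, object-specific", 0x06: "Access-denied, object-specific",
             0x07: "System-audit, object-specific"}
INHERIT_ONLY_ACE, INHERITED_ACE = 0x08, 0x10                       # ACE header flags
READ_CONTROL, WRITE_DAC, GENERIC_ALL = 0x00020000, 0x00040000, 0x10000000

def sid_to_bytes(sddl):
    """'S-1-5-...' -> revision, sub-authority count, 6-byte big-endian authority, LE subs."""
    parts = sddl.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def sid_from_bytes(buf, off):
    rev, count = buf[off], buf[off + 1]
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return ("S-%d-%d" % (rev, int.from_bytes(buf[off + 2:off + 8], "big"))
            + "".join("-%d" % s for s in subs))

def build_ace(ace_type, flags, mask, sid, object_type=None):
    """Generic ACE = header, mask, SID.  An object ACE inserts Flags(=1) + ObjectType GUID."""
    body = struct.pack("<I", mask)
    if object_type is not None:
        body += struct.pack("<I", 1) + object_type.bytes_le        # ACE_OBJECT_TYPE_PRESENT
    body += sid_to_bytes(sid)
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body

def build_acl(aces):
    body = b"".join(aces)               # AclRevision 4 (ACL_REVISION_DS) permits object ACEs
    return struct.pack("<BBHHH", 4, 0, 8 + len(body), len(aces), 0) + body

def build_sd(owner, group, dacl):
    """Self-relative descriptor; dacl=None sets SE_DACL_PRESENT with OffsetDacl=0 (NULL DACL)."""
    own, grp = sid_to_bytes(owner), sid_to_bytes(group)
    off_dacl = 20 + len(own) + len(grp) if dacl is not None else 0
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         20, 20 + len(own), 0, off_dacl)
    return header + own + grp + (dacl or b"")

def parse_acl(buf, off):
    count = struct.unpack_from("<BBHHH", buf, off)[3]               # AceCount
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        mask, = struct.unpack_from("<I", buf, pos + 4)
        sid_off, obj = pos + 8, None
        if ace_type in (0x05, 0x06, 0x07):  # object ACE: Flags + optional GUIDs precede the SID
            obj_flags, = struct.unpack_from("<I", buf, pos + 8)
            sid_off += 4
            if obj_flags & 1:               # ACE_OBJECT_TYPE_PRESENT
                obj, sid_off = str(uuid.UUID(bytes_le=buf[sid_off:sid_off + 16])), sid_off + 16
            if obj_flags & 2:               # ACE_INHERITED_OBJECT_TYPE_PRESENT (GUID skipped)
                sid_off += 16
        aces.append({"type": ACE_NAMES[ace_type], "code": ace_type, "flags": flags,
                     "inherited": bool(flags & INHERITED_ACE), "mask": mask,
                     "object_type": obj, "sid": sid_from_bytes(buf, sid_off)})
        pos += ace_size
    return aces

def parse_sd(buf):
    _, _, control, o_owner, _, _, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    dacl = parse_acl(buf, o_dacl) if control & SE_DACL_PRESENT and o_dacl else None
    return {"owner": sid_from_bytes(buf, o_owner) if o_owner else None, "dacl": dacl}

def access_check(sd, token_sids, requested):
    """Walk the DACL in order until every requested bit is granted or a deny ACE hits a
    still-pending bit.  No DACL: everyone gets full access.  Empty DACL: nobody does, apart
    from the owner's implicit READ_CONTROL and WRITE_DAC.  Audit ACEs and property-scoped
    object ACEs (which need the requested attribute GUID) are not evaluated here."""
    if sd["dacl"] is None:
        return True
    pending = requested
    if sd["owner"] in token_sids:
        pending &= ~(READ_CONTROL | WRITE_DAC)
    for ace in sd["dacl"]:
        if pending == 0:
            break
        if (ace["code"] not in (ACCESS_ALLOWED, ACCESS_DENIED)
                or ace["flags"] & INHERIT_ONLY_ACE or ace["sid"] not in token_sids):
            continue
        if ace["code"] == ACCESS_ALLOWED:
            pending &= ~ace["mask"]
        elif pending & ace["mask"]:
            return False
    return pending == 0

ADMINS, USER = "S-1-5-32-544", "S-1-5-21-1000-2000-3000-1105"      # constructed sample SIDs
DOMAIN_USERS = "S-1-5-21-1000-2000-3000-513"
PROP_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")      # placeholder, not a schema GUID
SAMPLE_SD = build_sd(USER, DOMAIN_USERS, build_acl([
    build_ace(ACCESS_DENIED, 0, WRITE_DAC, DOMAIN_USERS),            # explicit deny first
    build_ace(ACCESS_ALLOWED, 0, READ_CONTROL, DOMAIN_USERS),        # explicit allow
    build_ace(0x05, 0, 0x20, DOMAIN_USERS, PROP_GUID),               # 0x20 = RIGHT_DS_WRITE_PROPERTY
    build_ace(ACCESS_ALLOWED, INHERITED_ACE, GENERIC_ALL, ADMINS),   # inherited from parent
]))
NULL_DACL_SD = build_sd(USER, DOMAIN_USERS, None)
EMPTY_DACL_SD = build_sd(USER, DOMAIN_USERS, build_acl([]))
```

Two points worth noticing when running it: the NULL DACL descriptor grants Everyone GENERIC_ALL, while the empty one denies Domain Users even READ_CONTROL, yet still lets the owner change the DACL; and because the owner's implicit rights are removed from the request before the ACEs are walked, the explicit deny of WRITE_DAC to Domain Users does not stop the owner, even though the owner is a member of that group.  Real AccessCheck also maps generic rights to object-specific ones and honours the OWNER RIGHTS SID, which this model leaves out.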

  • Ideal environment for ACLs:
    • Security is designed on the principle of least privilege.  Users are only given access to the objects they need to do their job.
    • Groups, not individual users, are used to grant permissions to resources.
    • Security is applied in a consistent model.
    • Permissions on AD objects are not granted to domain local groups.

  • Securable Objects:
    • Files or folders on an NTFS file system
    • Active Directory objects 
    • Registry keys
    • Network shares
    • Local or remote printers
    • Windows services
    • Named pipes 
    • Anonymous pipes
    • Processes
    • Threads
    • File-mapping objects
    • Access tokens
    • Window-management objects (window stations and desktops)
    • Interprocess synchronization objects (events, mutexes, semaphores, and waitable timers)  
    • Job objects
    • Distributed Component Object Model (DCOM) objects


Source: "How Security Descriptors and Access Control Lists Work"
http://technet.microsoft.com/en-us/library/cc781716(v=ws.10).aspx
