The Windows NT security descriptor consists of:

- the security descriptor header
- an owner security identifier (SID)
- a group security identifier (SID)
- a system access control list (SACL)
- a discretionary access control list (DACL)

In absolute format, a Windows NT security descriptor contains pointers to its information, not the information itself. In self-relative format, a security descriptor stores both the security descriptor and associated information in a contiguous block.
TODO: Is a security descriptor in a byte stream always self-relative?
TODO: confirm and reword: The self-relative form of the security descriptor is required if one wants to transmit the SECURITY_DESCRIPTOR structure as an opaque data structure for transmission in communication protocols over a wire, or for storage on secondary media; the absolute form cannot be transmitted because it contains pointers to objects that are generally not accessible to the recipient.
The security descriptor header is 20 bytes in size and consists of:

Offset | Size | Value | Description |
---|---|---|---|
0 | 1 | | Revision number |
1 | 1 | | Padding |
2 | 2 | | Control flags |
4 | 4 | | Reference to the owner SID |
8 | 4 | | Reference to the group SID |
12 | 4 | | Reference to the SACL |
16 | 4 | | Reference to the DACL |

The control flags determine how the reference values should be interpreted.

Value | Identifier | Description |
---|---|---|
0x0001 | SE_OWNER_DEFAULTED | Owner defaulted |
0x0002 | SE_GROUP_DEFAULTED | Group defaulted |
0x0004 | SE_DACL_PRESENT | DACL present |
0x0008 | SE_DACL_DEFAULTED | DACL defaulted |
0x0010 | SE_SACL_PRESENT | SACL present |
0x0020 | SE_SACL_DEFAULTED | SACL defaulted |
0x0100 | SE_DACL_AUTO_INHERIT_REQ | DACL auto inherit requested |
0x0200 | SE_SACL_AUTO_INHERIT_REQ | SACL auto inherit requested |
0x0400 | SE_DACL_AUTO_INHERITED | DACL auto inherited |
0x0800 | SE_SACL_AUTO_INHERITED | SACL auto inherited |
0x1000 | SE_DACL_PROTECTED | DACL protected |
0x2000 | SE_SACL_PROTECTED | SACL protected |
0x4000 | SE_RM_CONTROL_VALID | Resource Manager (RM) control valid |
0x8000 | SE_SELF_RELATIVE | Self relative |

The security identifier (SID) is used throughout Windows NT-based software. A SID is normally represented as a string, e.g.:

S-1-5-21-7623811015-3361044348-030300820-1013

The binary representation of the security identifier is variable in size and consists of:

Offset | Size | Value | Description |
---|---|---|---|
0 | 1 | | Revision number |
1 | 1 | | Number of sub authorities |
2 | 6 | | Authority |
8 | 4 x number of sub authorities | | An array of 32-bit little-endian values containing the sub authorities |

The 'S' in the string representation is not stored in the binary representation.

Both the DACL and the SACL are stored in the same data structure, referred to as the Access Control List (ACL).

The access control list header is 8 bytes in size and consists of:

Offset | Size | Value | Description |
---|---|---|---|
0 | 1 | | Revision |
1 | 1 | | Padding |
2 | 2 | | Size |
4 | 2 | | Count |
6 | 2 | | Padding |

The access control list header is followed by access control entries (ACE).

The access control entry header (ACE_HEADER) is 4 bytes in size and consists of:

Offset | Size | Value | Description |
---|---|---|---|
0 | 1 | | Type |
1 | 1 | | Flags |
2 | 2 | | Size |

The access control entry (ACE) header is followed by access entry data. The size and format of the ACE data depend on the ACE type.

Value | Identifier | Description |
---|---|---|
0x00 | ACCESS_ALLOWED_ACE_TYPE | Access allowed |
0x01 | ACCESS_DENIED_ACE_TYPE | Access denied |
0x02 | SYSTEM_AUDIT_ACE_TYPE | System-audit |
0x03 | SYSTEM_ALARM_ACE_TYPE | Reserved (System-alarm) |
0x04 | ACCESS_ALLOWED_COMPOUND_ACE_TYPE | Reserved |
0x05 | ACCESS_ALLOWED_OBJECT_ACE_TYPE | Access allowed |
0x06 | ACCESS_DENIED_OBJECT_ACE_TYPE | Access denied |
0x07 | SYSTEM_AUDIT_OBJECT_ACE_TYPE | System-audit |
0x08 | SYSTEM_ALARM_OBJECT_ACE_TYPE | Reserved (System-alarm) |
0x09 | ACCESS_ALLOWED_CALLBACK_ACE_TYPE | Access allowed |
0x0a | ACCESS_DENIED_CALLBACK_ACE_TYPE | Access denied |
0x0b | ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE | Access allowed |
0x0c | ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE | Access denied |
0x0d | SYSTEM_AUDIT_CALLBACK_ACE_TYPE | System-audit |
0x0e | SYSTEM_ALARM_CALLBACK_ACE_TYPE | Reserved (System-alarm) |
0x0f | SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE | System-audit |
0x10 | SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE | Reserved (System-alarm) |
0x11 | SYSTEM_MANDATORY_LABEL_ACE_TYPE | Mandatory label |

The basic ACE data structure is variable in size and consists of:

Offset | Size | Value | Description |
---|---|---|---|
0 | 4 | | Access rights flags (ACCESS_MASK) |
4 | … | | SID |

The object ACE data structure is variable in size and consists of:

Offset | Size | Value | Description |
---|---|---|---|
0 | 4 | | Access rights flags (ACCESS_MASK) |
4 | 4 | | Object flags |
Present if ACE_OBJECT_TYPE_PRESENT object flag is set | | | |
8 | 16 | | Object type class identifier |
Present if ACE_INHERITED_OBJECT_TYPE_PRESENT object flag is set | | | |
… | 16 | | Inherited object type class identifier |
Common | | | |
40 | … | | SID |

The ACE flags (inheritance flags) consist of:

Value | Identifier | Description |
---|---|---|
0x01 | OBJECT_INHERIT_ACE | Noncontainer child objects inherit the ACE as an effective ACE. |
0x02 | CONTAINER_INHERIT_ACE | Child objects that are containers, such as directories, inherit the ACE as an effective ACE. The inherited ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set. |
0x04 | NO_PROPAGATE_INHERIT_ACE | If the ACE is inherited by a child object, the system clears the OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE flags in the inherited ACE. This prevents the ACE from being inherited by subsequent generations of objects. |
0x08 | INHERIT_ONLY_ACE | Indicates an inherit-only ACE, which does not control access to the object to which it is attached. If this flag is not set, the ACE is an effective ACE which controls access to the object to which it is attached. |

The ACE flags (audit flags, used with system-audit ACEs in a SACL) consist of:

Value | Identifier | Description |
---|---|---|
0x40 | SUCCESSFUL_ACCESS_ACE_FLAG | Used with system-audit ACEs in a SACL to generate audit messages for successful access attempts. |
0x80 | FAILED_ACCESS_ACE_FLAG | Used with system-audit ACEs in a system access control list (SACL) to generate audit messages for failed access attempts. |

The access rights flags (ACCESS_MASK) consist of:

Bit offset | Identifier | Description |
---|---|---|
0 - 15 | | Specific rights |
16 - 23 | | Standard rights |
24 | ACCESS_SYSTEM_SECURITY (0x01000000) | Access system security |
25 | MAXIMUM_ALLOWED (0x02000000) | Maximum allowed |
26 - 27 | | Unknown (Reserved) |
28 | GENERIC_ALL (0x10000000) | Generic all |
29 | GENERIC_EXECUTE (0x20000000) | Generic execute |
30 | GENERIC_WRITE (0x40000000) | Generic write |
31 | GENERIC_READ (0x80000000) | Generic read |

The standard rights (bits 16 - 23) consist of:

Value | Identifier | Description |
---|---|---|
0x00010000 | fsdrightDelete | Delete access |
0x00020000 | fsdrightReadControl | Read access to the owner, group, and discretionary ACL (DACL) |
0x00040000 | fsdrightWriteSD | Write access to the discretionary ACL (DACL) |
0x00080000 | fsdrightWriteOwner | Write access to owner SID |
0x00100000 | fsdrightSynchronize | Synchronize access |

The non-folder (item) specific access rights (bits 0 - 15) consist of:

Value | Identifier | Description |
---|---|---|
0x00000001 | fsdrightReadBody | |
0x00000002 | fsdrightWriteBody | |
0x00000004 | fsdrightAppendMsg | Ignored |
0x00000008 | fsdrightReadProperty | |
0x00000010 | fsdrightWriteProperty | |
0x00000020 | fsdrightExecute | Ignored |
0x00000080 | fsdrightReadAttributes | |
0x00000100 | fsdrightWriteAttributes | |
0x00000200 | fsdrightWriteOwnProperty | Trustee can modify his or her own items |
0x00000400 | fsdrightDeleteOwnItem | Trustee can delete his or her own items |
0x00000800 | fsdrightViewItem | Trustee can view items |

All non-folder access rights: 0x001f0fbf

The folder specific access rights (bits 0 - 15) consist of:

Value | Identifier | Description |
---|---|---|
0x00000001 | fsdrightListContents | Trustee can list file contents. |
0x00000002 | fsdrightCreateItem | Trustee can add a file to a folder. |
0x00000004 | fsdrightCreateContainer | Trustee can add a subfolder. |
0x00000008 | fsdrightReadProperty | |
0x00000010 | fsdrightWriteProperty | |
0x00000080 | fsdrightReadAttributes | Reserved for future use |
0x00000100 | fsdrightWriteAttributes | Reserved for future use |
0x00000200 | fsdrightWriteOwnProperty | The trustee can modify his or her own items |
0x00000400 | fsdrightDeleteOwnItem | The trustee can delete his or her own items |
0x00000800 | fsdrightViewItem | The trustee can view items |
0x00004000 | fsdrightOwner | The trustee is the owner of the folder |
0x00008000 | fsdrightContact | Identifies the user as the contact for the folder |

All folder access rights: 0x00000fbf

The access mask of a mandatory label ACE (SYSTEM_MANDATORY_LABEL_ACE_TYPE) consists of:

Value | Identifier | Description |
---|---|---|
0x00000001 | SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | A principal with a lower mandatory level than the object cannot write to the object. |
0x00000002 | SYSTEM_MANDATORY_LABEL_NO_READ_UP | A principal with a lower mandatory level than the object cannot read the object. |
0x00000004 | SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP | A principal with a lower mandatory level than the object cannot execute the object. |
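
The following Python is an added worked example, not code from this page or from any library it documents. It puts the layouts above together: it serialises and parses a self-relative security descriptor (header, owner and group SIDs, ACL header, ACE header, basic and object ACE data), converts SIDs between their binary and string forms, splits an ACCESS_MASK into specific, standard and generic bits, and decodes the policy bits of a mandatory label ACE. Assumptions beyond what the page states: the 6-byte SID authority is big-endian, the class identifiers are 16-byte little-endian GUIDs, the object flag values are ACE_OBJECT_TYPE_PRESENT = 0x1 and ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2, and in self-relative format the four header references are byte offsets from the start of the descriptor. All SIDs and the GUID in the sample are constructed.

```python
import struct
import uuid
SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000   # control flags
OBJECT_ACE_TYPES = {0x05, 0x06, 0x07, 0x08, 0x0b, 0x0c, 0x0f, 0x10}           # *_OBJECT_ACE_TYPE values
# Values of the two object flags are assumed here (the page names them without values).
OBJECT_FLAGS = ((0x1, "object_type"), (0x2, "inherited_object_type"))
UPPER_MASK_BITS = ((24, "ACCESS_SYSTEM_SECURITY"), (25, "MAXIMUM_ALLOWED"), (28, "GENERIC_ALL"),
                   (29, "GENERIC_EXECUTE"), (30, "GENERIC_WRITE"), (31, "GENERIC_READ"))
LABEL_POLICY = ((0x1, "NO_WRITE_UP"), (0x2, "NO_READ_UP"), (0x4, "NO_EXECUTE_UP"))

def parse_sid(data, offset):
    revision, count = data[offset], data[offset + 1]
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")   # big-endian authority (assumed)
    subs = struct.unpack_from("<%dI" % count, data, offset + 8)      # little-endian sub authorities
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count

def sid_from_string(text):
    parts = text.split("-")                  # the leading 'S' is not stored in the binary form
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def decode_mask(mask):
    # ACCESS_MASK layout: specific rights in bits 0-15, standard rights in 16-23, named bits above.
    return {"specific": mask & 0xFFFF, "standard": (mask >> 16) & 0xFF,
            "upper": [name for bit, name in UPPER_MASK_BITS if mask >> bit & 1]}

def parse_acl(data, offset):
    revision, _pad, size, count, _pad2 = struct.unpack_from("<BBHHH", data, offset)
    end, pos, aces = offset + size, offset + 8, []
    for _ in range(count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", data, pos)
        if ace_size < 8 or pos + ace_size > end:   # a crafted size must neither loop nor overrun
            raise ValueError("ACE size %d at offset %d lies outside the ACL" % (ace_size, pos))
        mask = struct.unpack_from("<I", data, pos + 4)[0]
        ace = {"type": ace_type, "flags": ace_flags, "mask": decode_mask(mask)}
        body = pos + 8
        if ace_type in OBJECT_ACE_TYPES:      # object ACE data: object flags, then the present GUIDs
            obj_flags = struct.unpack_from("<I", data, body)[0]
            body += 4
            for flag, key in OBJECT_FLAGS:
                if obj_flags & flag:
                    ace[key] = str(uuid.UUID(bytes_le=data[body:body + 16]))
                    body += 16
        if ace_type == 0x11:   # SYSTEM_MANDATORY_LABEL_ACE_TYPE: the mask carries the label policy
            ace["label_policy"] = [name for bit, name in LABEL_POLICY if mask & bit]
        ace["sid"] = parse_sid(data, body)[0]
        aces.append(ace)
        pos += ace_size   # advance by the size field so unknown ACE types are skipped, not misparsed
    return {"revision": revision, "size": size, "aces": aces}

def parse_security_descriptor(data):
    revision, _pad, control, owner_off, group_off, sacl_off, dacl_off = struct.unpack_from("<BBHIIII", data)
    if not control & SE_SELF_RELATIVE:   # absolute format holds pointers, not offsets into this buffer
        raise ValueError("absolute-format descriptor cannot be parsed from a byte stream")
    sd = {"revision": revision, "control": control,
          "owner": parse_sid(data, owner_off)[0] if owner_off else None,
          "group": parse_sid(data, group_off)[0] if group_off else None}
    for name, off, flag in (("dacl", dacl_off, SE_DACL_PRESENT), ("sacl", sacl_off, SE_SACL_PRESENT)):
        if not control & flag:
            sd[name] = None      # flag clear: no ACL of this kind
        elif off == 0:
            sd[name] = "NULL"    # flag set, reference 0: a NULL DACL grants everyone full access
        else:
            sd[name] = parse_acl(data, off)
    return sd

def build_ace(ace_type, ace_flags, mask, sid_text, object_type=None):
    body = struct.pack("<I", mask)
    if ace_type in OBJECT_ACE_TYPES:
        body += struct.pack("<I", 0x1 if object_type else 0)
        body += uuid.UUID(object_type).bytes_le if object_type else b""
    body += sid_from_string(sid_text)
    return struct.pack("<BBH", ace_type, ace_flags, 4 + len(body)) + body

def build_acl(aces):
    return struct.pack("<BBHHH", 2, 0, 8 + sum(map(len, aces)), len(aces), 0) + b"".join(aces)

def build_self_relative(owner, group, dacl=None, sacl=None):
    control = SE_SELF_RELATIVE | (SE_DACL_PRESENT if dacl else 0) | (SE_SACL_PRESENT if sacl else 0)
    blobs = [sid_from_string(owner), sid_from_string(group), sacl or b"", dacl or b""]
    offsets, pos = [], 20                    # header is 20 bytes; blobs follow in this order
    for blob in blobs:
        offsets.append(pos if blob else 0)
        pos += len(blob)
    return struct.pack("<BBHIIII", 1, 0, control, *offsets) + b"".join(blobs)

def sample_descriptor():
    # Constructed sample (SIDs and GUID are made up); deny ACEs come first, as canonical order requires.
    dacl = build_acl([
        build_ace(0x01, 0x00, 0x00010000, "S-1-5-21-1000-2000-3000-1105"),   # deny Delete (standard right)
        build_ace(0x00, 0x03, 0x001f0fbf, "S-1-5-21-1000-2000-3000-513"),    # allow, OBJECT|CONTAINER inherit
        build_ace(0x05, 0x00, 0x00000100, "S-1-5-11", "11111111-2222-3333-4444-555555555555"),
        build_ace(0x00, 0x00, 0x80000000, "S-1-1-0"),                        # GENERIC_READ for Everyone
    ])
    sacl = build_acl([
        build_ace(0x02, 0xc0, 0x00010000, "S-1-1-0"),       # audit successful and failed Delete
        build_ace(0x11, 0x00, 0x00000001, "S-1-16-8192"),   # medium mandatory label, NO_WRITE_UP
    ])
    return build_self_relative("S-1-5-21-1000-2000-3000-500", "S-1-5-21-1000-2000-3000-513", dacl, sacl)
```

Two design points matter when this is used on untrusted input: the parser walks ACEs by the size field in each ACE header (so types it does not know are skipped rather than misread) and rejects sizes that would loop or run past the ACL, and it distinguishes a missing DACL (SE_DACL_PRESENT clear) from a NULL DACL (flag set, reference 0), since only the latter grants everyone full access.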